CYBER security and ransoms are hot topics for global businesses and for one Australian and his team, it’s a job of increasing complexity and rising frequency.
Alastair MacGibbon, chief strategy officer at CyberCX, said in a panel discussion at the recent 2024 AADA Convention and Expo that he has spent his life dealing with criminals organising cyber attacks that led to lockdowns of corporate computer systems or demanding ransoms – or both.
Mr MacGibbon was speaking at the convention in the shadow of the global cyber ransom attack on US DMS company CDK and the CrowdStrike outage that, while a technical software failing rather than a deliberate attempt to extort money, had a huge impact on computer systems around the world.
“I sit with a lot of executives and boards as they go through some very serious crimes, often for the first time,” he told attendees at the convention.
“I’ve sadly spent most of my life dealing with those types of people, and (it is) to help you through that.”
Mr MacGibbon said being caught in a ransom situation “was not the end of everything.”
“Our job is to help you make less silly decisions,” he said.
“There is no right or wrong decision, by the way, there’s no golden bridge out when a criminal is impacting you and your business.
“You will make mistakes in the process, and we’ll help you once you’ve made those mistakes, to start making better decisions, to get yourself through it.
“We’ve worked on probably most of the matters you see in the press. It’s often my team.
“And the reality is the vast bulk of those CEOs are still in their position. Most of their boards are still there. Their share prices returned, their businesses still function.
“It is not the end, but it is always better to prevent crime. Much like a slip-slop-slap it is better to prevent skin cancer than have them cut out. We’re the people that cut them out.”
Mr MacGibbon said that although ransom demanded by cyber fraudsters gets most of the media attention, using someone else’s invoice to pretend to be a supplier has become one of the fastest growing crimes and it is devastating to small businesses.
He said in this scenario, the business may have a relationship with a service provider – anyone that business is paying, such as a plumber, electrician, an OEM or someone else – and the bank data details of that relationship are already in the system.
“So when you get a message from someone, a supplier, that says, ‘Hey, my bank details have changed’, the human process here is: ‘Don’t do it, call them’.
“Not on the phone number that’s on the invoice, just as a quick tip, because criminals will probably put their own phone number on there and answer it as the supplier name, because they’re not stupid.
“Remember the amount of money they can make and they will go to that type of trouble to actually either have a call centre answer as if it was the name on the supplier’s notes.
“So what do you do? You contact your supplier on the number that you have on the previous invoices, or the numbers that are inside your CRM, and you call them and say: ‘Hey, have you changed your banking details?’ and nine times out of 10, the answer is no, we haven’t.”
Mr MacGibbon said the effect of this type of scam was devastating.
“You will not get your money back. By the time you realise you have not paid the actual invoice – and let me just be really clear here, they are likely to be in one of the computer systems – so they know that there were 14 cars that need to be paid for.
“They know that there was electrical work being done, and they will use the actual invoice template so it looks really real.
“But humans can defeat this through process. This is just a rules-based way of solving the technical problem, and you’ll drive it to zero.”
Ian Dejong, principal strategist at Adobe, helps businesses store and manage different forms of data.
He said the basics of cyber ransom were criminals getting access to secure valuable information and holding it to ransom for its safe return, or for it not to be exposed.
“The negative impact of it being exposed includes loss of revenue for yourself, impact to your brand reputation, but also putting your customers at risk; privacy risk, identity fraud, and so on,” he told the convention guests.
“There’s a lot of key negative outcomes from that, and there’s a couple of points to add. There are unknown cyber criminals but there’s also the known individuals that may work in your organisation that actually have access to the data.
“So it’s important to have the right access controls and usage controls around that information. If an employee leaves the business or even changes roles, the access and usage controls need to be changed immediately.
“If we think about those unknown criminals, the way in which they can access the data can vary quite a lot.
“We see around 83 per cent of data breaches caused by the human factor. That means poor passwords or the fact that passwords are all you have, as opposed to leveraging what’s called MFA, or multi factor authentication.
“There’s a lot to be said around building a culture that’s both privacy centric but also cyber security aware, and with that becomes education enablement.
“So as an example, at Adobe, we have mandatory enablement that happens periodically. It’s not a one-time set and forget, and that’s really beneficial, because it reminds us, it refreshes us, but also keeps us up to date with all the tactics happening out there.
“So I think education is a really, really important factor. And lastly, think of ‘slip, slop, slap’ or as the ACCC promotes it with computer crime, ‘stop, think, protect.’
“Stop: If something, an email, an SMS, a phone call, is eliciting an emotional response, that’s exactly what social engineering is. It’s preying on our psychology.
“So stop if you feel, you know, an urgent response.
“‘Think’ is, do I need to make this payment right now? Do I need to change the bank details or whatever the case may be?
“Then ‘protect’; so call up the bank, call up your partners, raise it as an issue. So I think there’s a few things there we can think about.”
The more devastating cyber crime is ransomware. CAR Group’s executive general manager of security, Stuart Noom, said it is typically delivered to a business computer system and the computer will lock and freeze.
“It’s then the business realises that it is in a world of trouble,” he said.
“Then you have a couple options. You have to restore from backup. And if you don’t have backup to the critical data, grab a set of rosary beads and start praying.
“Otherwise you could start negotiating with the ransom attackers, and we typically will have to make payment or meet the ransom.
“And if you don’t make that, then they’ll publish your data and make it public. Or if you do make payment, then you’ll get access to your data, hopefully, and then you’ll be back in business.”
CyberCX’s Mr MacGibbon said his business responds to between 300 and 500 incidents a year “from sometimes quite small matters to obviously some of the biggest matters you’ll see in the press, although not all of those are ransomware.
“The ransomware threats are largely Eastern European based criminal groups supported by the Russian government, housed, often by the Russian government and allowing them to operate so long as they’re not carrying out these crimes against Russia and its allies. They are also the data theft extortion groups.
“What we’ve seen is what started as one of these super-fast growing crimes, maybe five to seven years ago which morphed quite significantly in the last few years to data theft and extortion.
“In order to carry out a ransomware incident, if you’re talking about big corporate lockups, you have to have access to a system.
“Criminals soon learnt that they can lock up computer systems and at the same time, steal information.
“What we have found is that the data they stole is not returned. I’ve seen videos where criminals will take hard disks and put it in microwave machines and turn on the microwave and get a sledgehammer and hammer the disks, showing you that they’ve deleted your data.
“The reality is, criminals cannot be trusted, which wouldn’t surprise many of you I’m sure.
“So even if you pay for your data to be returned, it won’t be. If you pay for your computer to be unlocked, it likely will.”
Mr MacGibbon said the key lessons are to have backups and make sure those backups are stored in a manner that is not easily accessible by the criminals. “We have also seen the criminals destroying backups before they then lock computer systems,” he said.
“So you have to check the integrity of your backups on a regular basis, and you need to, every once in a while, keep a slightly older version completely disconnected from your systems.”
By Neil Dowling