By Mike Jarrett
You walk into your office for work. Up to that point, You walk into your office for work. Up to that point, it’s an average Monday morning.You are met at the door by visibly concerned members of staff.
They say all the computer screens in the office are black and the entire system is down.Even before you can call your IT service provider, a note pops up on all computers with a threat:Pay $5,000,000 within 24 hours to get your system back.After 24 hours all client data will be sold on the dark web.Click here for payment details.Warning! The clock is running!The realisation that this ransomware cyberattack could be catastrophic sends a chill down your spine even as you break a sweat.Are you ready for this?Five million dollars in 24 hours!What do you do?This scenario is increasingly quite likely. Depending on what subsector you do business in, cyberattacks – and especially ransomware “hold ups” – are increasing in volume and expanding in reach and scope.Attacks on prominent companies often make the news. Smaller companies (and even small-town municipal corporations) are also being hit hard. But many choose to keep it quiet lest the security breach undermines customer confidence and/or strains B2B relationships.The problem is, with the advancement of digitalisation and more personal and corporate information being keyed into internet applications and databases, we have become increasingly vulnerable to cyber threats and direct attacks on your information systems.
VulnerableYou may be more vulnerable than you think. There are at least 10 types of cyberattacks to which your operation could be susceptible, including (in alphabetical order):1. Birthday attack2. Cross-site scripting3. Denial of Service (DoS) attack and Distributed Denial of Service (DDoS) attack4. Dive by Download5. Eavesdropping6. Malware7. Man in the Middle (MitM)8. Password cracking9. Phishing 10. Structures Query LanguageHowever, cyberattacks may not be your only concern. Data fraud or theft are also crippling, costly, and becoming increasingly prevalent.
Top 10 global risksThe 50-year-old international non-governmental organisation, World Economic Forum (WEF) recently published its Global Risks Report for 2020. It includes the WEF’s Perception Survey 2019–2020.Survey respondents were asked to assess and grade (on a scale of 1 to 5) the likelihood of individual global risks: with 1 representing a risk that is very unlikely to happen, and 5 a risk that is very likely to occur. The impact of each global risk was also assessed on a scale of 1 to 5, with 1 representing minimal impact and 5 a catastrophic impact.Respondents to the WEF survey felt that of the top ten risks, data fraud or data theft was the sixth most likely to occur. Cyberattacks were ranked seventh, ahead of water crises (in eighth position). Extreme weather was top of the “Likely risk” list, followed by climate action failure (at 2), natural disasters (3) and biodiversity loss (4).Interestingly, in this list of ten risks most likely to occur, the top five spots were all related – directly or indirectly – to fabricated environmental threats and consequences.As regards the 10 risks having the greatest global impacts, respondents included information infrastructure breakdown (ranked sixth) and cyberattacks (ranked eighth).Concerns about cyber security are not new. These concerns were given an elevated level of prominence back in 2004 with the declaration of October as Cybersecurity Awareness Month. That designation was made to support and encourage initiatives for collaboration between government and industry in ensuring safe and secure internet use. In this effort, the National Institute of Standards and Technologya partnered with other US federal agencies to raise awareness about cybersecurity and to provide tools and resources for safe internet usage. However, even after 17 years of observance of Cybersecurity Awareness Month, cyberattacks appear to be on the rise.
Ransomware attacks 2021Figures from reliable sources were not yet available to allow precise quantification of cyberattacks this year. However, news reports of significant incidents were enough to indicate that this is not a diminishing problem. Indeed, quite the opposite.On March 21, 2021, CNA Financial Corp, one of the largest insurance companies in the USA, was locked out of its computer network for two weeks. The company reportedly paid hackers US$40 million after a ransomware attack blocked access to the company’s network. The financial cost was not all. The company reported that data were stolen in the attack.On April 27, 2021, the Washington DC Metropolitan Police Department was hacked. The New York Times reported that hacked data from the Washington, D.C., Police Department started leaking onto the internet on Monday, April 26. This was the third police department in the United States to be hit by cybercriminals in six weeks, The NY Times reported.On May 7, 2021, Colonial Pipeline, the largest fuel pipeline in the USA, carrying gasoline and jet fuel from Houston Texas to markets on the USA’s east coast was attacked. Reports were that this was the result of a single compromised password. One week later, on May 7, the company received a ransom note demanding cryptocurrency. The attacked forced Colonial to shut down the entire gasoline pipeline system for the first time in its 57-year history.On May 31, 2021, JBS S.A., regarded as the world’s largest meat packer, was forced by hackers to shut down processing plants in the USA, Canada and Australia. The company reportedly paid out US$11 million following this ransomware attack. Payment of the ransom was confirmed more than a week later by the company.On June 2, 2021, the Steamship Authority of Massachusetts suffered a malware attack that abruptly halted all ticketing processes, including online and telephone reservations. The Authority announced that ships were running safely, but that passengers could not make or change reservations online or by telephone.
Ransoms increasingNot only are cyberattack incidents increasing, the cost of ransomware attacks is also increasing.In 2020, the average ransomware payment reportedly increased by 170%, from $115,123 in 2019 to $312,493 in 2020, according to a report quoting the cybersecurity firm Palo Alto Networks. Earlier this year, both Quanta, (an Apple supplier), and Acer were reportedly targeted by a ransomware group that demanded $50 million from both companies.Describing the increase in ransoms demanded as “concerning”, a Cybercrime Magazine1 report stated: “This important observation reflects a concerning trend that is certain to continue over the next decade, as ransomware extortionists move on from basic lock-your-computer-until-you-pay attacks – which have been commoditised through the prevalence of ransomware-as-a-service (RaaS) offerings – to multi-pronged attacks in which ransomware is only the beginning of a longer, more expensive conversation.” The report further noted that “... the first major transition towards this new state of operation came last year, when so-called “double extortion” attacks saw ransomware not only encrypting data in situ, but exfiltrating it to the criminals – who blackmail their victims with the threat of having that data made publicly available if they don’t pay up.” It is against this background that on July 2, 2021, the International Association of Ports and Harbours (IAPH)2 published its first Cybersecurity Guidelines for Ports and Port Facilities – Version 1.0 on July 2, 2021.Described by Dr Patrick Verhoeven, Managing Director, Policy and Strategy at IAPH, as “a crucial, neutral document for senior executive decision-makers at ports”, the nine-point guidelines address existing IMO guidance on Maritime Cyber Risk Management and its ability to address cyber risks in ports, developing additional guidance where needed.This document3 [Cybersecurity Guidelines for Ports and Port Facilities – Version 1.0] is a must read for port managers and all stakeholders who do business via the internet.The 84-page document is available free of cost on the IAPH website.
a https://www.nist.gov1 https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-20312 IAPH is a non-profit-making global alliance of 170 ports and 140 port-related organizations covering 90 countries and with consultative NGO status with United Nations agencies, including the International Maritime Organization (IMO)]3 Cybersecurity Guidelines for Ports and Port Facilities - Version 1.0, published July 2, 2021, by IAPH w/ World Ports Sustainability Programme. Download in PDF format at https://www.iaphworldports.org/news/10416.