24 Aug A Virtual Hostage Situation. The Reality of Cyber Crime.
Just 30 years ago, the thought of someone on the other side of the world, or even the other side of the country, being able to hold an entire company hostage from the comfort of their living room was unthinkable. Today this is nothing less than a scary reality. Cybercrime is dangerously real and can reach anyone, so what should you do if you ever become the target of malicious cybercrime activity?
The modus operandi of cybercrime is financial gain, pursued via various attack vectors. Attack vectors are the methods that malicious cyber actors use to breach or infiltrate your network. They take on many different forms, ranging from malware and ransomware to man-in-the-middle attacks, compromised credentials, and phishing. Some attack vectors target weaknesses in your security infrastructure, whilst others target weaknesses in the humans who have access to your network.
Once your personal device, systems or networks have been compromised, these criminals often have the power to delete years of work with a single keystroke or share sensitive information across the world using the internet and/or dark web. This gives them extreme bargaining power over any company or organization, regardless of its size or stature.
So, if your cyber security fails what should you do? Pay their ransom? Call the authorities? Or call their bluff?
The official advice from policy experts at the Cyber Security Cooperative Research Centre is to immediately contact the authorities. This advice is partly informed by the $1 trillion cost of cybercrime to the global economy, with Australia becoming an increasingly frequent target.
Is it legal to pay ransoms? And should you pay?
The official advice is not to pay ransoms. Given that you seldom know who is holding you to ransom, you cannot be sure where your money is going. The legality of paying ransoms therefore sits in a somewhat grey area, but it is often categorised in the same bracket as potentially funding criminal and/or terrorist organisations.
However, opinions vary on whether paying ransomware demands should be made illegal, as being unable to pay can also place greater burdens on the victims of these events.
For this reason, there is no law that specifically states that a ransom cannot be paid. A company can also use duress as a defence if payment has been made and legal issues arise as a result; that is, if it reasonably believed that a threat would be carried out if the ransom demand was not paid.
Regardless of which side of the fence you currently sit on, all would agree the first port of call when dealing with any type of cyber-attack should be to contact local authorities and cyber security experts.
So what’s the best way to protect yourself?
There is no single solution that will work for everyone. As with any cyber security program, best practice is to have a multi-layered cyber security program in place. A business can have the best systems and/or infrastructure in place, but if personnel aren’t properly trained to identify malicious activity, it remains vulnerable, and vice versa.
Therefore, at E2E Security we recommend employing a two-pronged approach to improve cyber and network security via digital risk protection as well as creating a ‘human firewall’ by up-skilling personnel.
However, it is no longer a case of set and forget: you need to be regularly testing your cyber security program. Unfortunately, any unnoticed vulnerability can result in an attack. It is essential to understand that even unlocking the smallest of doors into your systems can allow hackers to understand how your systems are structured.
Often, cybercriminals start by unlocking a small door undetectably, before trying every other door behind the first. Eventually, they will get through a second bigger door, and if given enough time to operate undetected, they will hold the keys to highly sensitive information.
The contents of this article do not constitute legal advice and are not intended to be a substitute for legal advice and should not be relied upon as such. You should seek legal advice or other professional advice in relation to any matters you or your organisation may have.