Technology Column | Data Security
to be job applications. Even in those days, much of the ransomware was developed in Russia, by Russian organized criminals and aimed at Russian victims in nearby countries.
Everything began to change in the early 2010s with the emergence of cryptocurrencies. This opened the doors for quick, convenient, and in some cases, untraceable methods of payment — all outside the structure of traditional finance. The real inflection point for growth was the CryptoLocker attack in 2013, according to cybersecurity firm CrowdStrike. It not only used Bitcoin transactions, but also stronger encryption. Even if CryptoLocker was removed, affected files remained encrypted in a way that was considered unfeasible to break.
But while CryptoLocker was a “spray and pray” attack aimed at securing low sums of around $300 from individual victims, the ransomware industry began to shift its attention to larger organizations including small businesses. It just made economic sense. On average, companies can afford to pay more than individuals.
WHAT’S AN ORGANIZATION TO DO?
While prescriptive recommendations on how retailers can protect themselves would require more than a few subsequent articles, Matt Beale was quick to offer a few tips. As the cybersecurity partner at W. Capra, he’s no stranger to this topic.
Consider email security. Nearly every email system supports putting headers on messages sent from outside the company, and that can help employees identify if they’re receiving a spoofed message from someone pretending to be a colleague or boss.
Beale also recommended deploying internal phishing exercises. For example, a company might direct its IT teams to use phishing products and see who falls for them. Those employees can then be targeted for retraining.
CSTORE DECISIONS •
August 2021
However, Beale is quick to caution that sometimes senior leadership may be the ones who need additional training or curtailed access. “Leaders often think they need more access than the average individual, but they actually need less,” explained Beale. “If you’re a malicious actor targeting a specific password, you’re going for the most senior people in the organization. Sometimes they’re not as protective as the up-and-comers are.”
THE TROLL PLAYBOOK
Nearly 10 years ago, I received a frantic call from a family member. A firm called Prenda Law had sent an aggressive letter demanding an out-of-court settlement for supposedly downloading copyrighted pornography. This was of course nonsense since they never downloaded anything. I told them it was a scam. Fortunately, the entire debacle resulted in prison for the law firm’s founder, John Steele, in 2017. But many other victims did send checks. From 2010 to 2013, Prenda Law netted more than $6 million from these tactics.
Meanwhile, industry experts note that malicious actors are now using the fear of ransomware to deploy similar tactics. This only serves to reinforce the importance of making data security a top organizational priority. Even with fake threats, the emotional and financial costs can be just as bad.
cstoredecisions.com