No Easy Answers to Ransomware Riddle

Imagine you’re a director of a real estate company tasked with hiring a new chief executive. “Understands best practices in information security” might not be on your list of must-have qualifications. But maybe it should be.

The Securities and Exchange Commission this week announced that it settled charges against First American Financial Corporation stemming from a cybersecurity vulnerability that allegedly left more than 800 million sensitive images unsecured. First American didn’t even get hacked. It was bad enough, in the SEC’s eyes, that the company’s internal controls didn’t prompt employees to inform the C-suite.

Welcome to corporate management in the age of ransomware. This year, attacks on the Colonial Pipeline and plants owned by meat supplier JBS have drawn attention to the mounting threats posed by data hostage-takers. Companies disclosing that they’ve been targeted by recent ransomware attacks and may suffer adverse operational and financial impacts also include Allied Healthcare Products (sub. req.) and carpet manufacturer Dixie Group (sub. req.)

Cybersecurity specialists say online criminals are just getting warmed up, with targets such as water and power infrastructure ripe for attack. The fact that the most nefarious networks of e-criminals are operating in Russia and former Soviet republics makes going after them directly extraordinarily difficult.

According to security firm Recorded Future, a successful ransomware attack occurred about every eight minutes in 2020. Another analysis found that victims paid some $350 million in cryptocurrency ransom last year to perpetrators holding their data hostage. That represented a year-over-year increase of more than 300%. Worse, a recent Cybereason survey of more than 1,200 security professionals worldwide found that about 80% of businesses that paid ransom demands experienced a second attack, of which 46% believed the subsequent ransomware to be caused by the same hackers.

The spike in online thievery has left President Biden and his administration sounding the alarm on cybersecurity, urging businesses to fortify their defenses. The federal government has taken concrete steps to beef up security, including writing legislation that would pour $500 million into cybersecurity on the state and local levels. Biden also signed an executive order in May requiring companies that sell software to the government to disclose breaches of their systems.

Meanwhile, the SEC can use its authority to motivate corporate laggards to bring their cybersecurity defenses up to par. Sanctioning companies like First American for insufficient controls suggests the agency isn’t playing around. But while that strategy may work on public companies, the SEC lacks authority over private businesses. Unfortunately, that group owns most of the country’s infrastructure assets.

The Justice Department’s announcement that it recovered a sizable chunk of the Colonial Pipeline ransom did offer one intriguing possibility for deterring hackers: hitting them in the e-wallet. The FBI seized control of an online account holding nearly 65 Bitcoins, valued at approximately $2.3 million. Given that hackers prefer to deal in cryptocurrency, a reliable approach to disrupting those payment flows could deal a serious blow to the online extortion racket.

Latest Articles

Accounting Errors Dim Holiday Outlook for Macy’s, Other Companies

From jolly television personality Al Roker cruising around New York City during the retailer’s annual Thanksgiving Day Parade to the Christmas classic Miracle on 34th Street, few b...

Read More

Crypto Lobby Boosts GOP Effort to Secure Sole Control of SEC

With the waning days of the current congress upon them, Senate Democrats appear to be fighting an uphill battle to secure the renomination of Caroline A. Crenshaw as a commissioner...

Read More

Trump Makes Conventional Pick to Helm SEC in Crypto Champion Atkins

President-elect Donald J. Trump has picked a familiar face to lead the Securities and Exchange Commission, tabbing 66-year-old Paul Atkins to return to the agency where he served a...

Read More