Ransomware is malicious software that blocks access to part or all of a computer system until a ransom is paid. This is not a new practice; it has been around since the 1980s. However, the number and severity of attacks increased dramatically in 2021. Banking was especially susceptible and saw a 1318 percent increase year over year. Other particularly vulnerable sectors include government and manufacturing. These three industries are targeted more than others because of the higher potential for a payout.
The more sensitive the information that a particular entity holds, the better the chance hackers stand of actually collecting a ransom. And when ransoms are paid, it incentivizes criminals to continue using ransomware to extort money from companies. The US Treasury estimates that between January and June 2021, over $580 million was paid out in ransomware attacks. This figure is $200 million more than in the same time period in 2020.
To help combat this, in October of 2021, the Department of Justice created the National Cryptocurrency Enforcement Team (NCET), which will investigate “crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.” By specifically targeting money that is being moved around, they can track ransoms paid and the entities that hold those ransoms.
While the Department of Justice is doing what it can to combat cyber attacks, companies must get better at protecting themselves from both internal and external attacks. This has driven a huge increase in zero trust platforms.
Simply put, zero trust means that no one is trusted by default in a given platform. Both those inside and outside of the platform must authenticate themselves before gaining access. By keeping networks segmented, preventing lateral movement without verification, and implementing threat detection, enterprises are able to reduce the damage that can be done by attacks like ransomware.
Gone are the days of VPNs and firewalls. Now, the safest assumption is that nothing is safe, and everything must be verified. Zero trust has to be a system-wide implementation that generally takes several years to fully integrate into a network. The best integrations follow a specific model that is flexible, rather than unilaterally applying a tool.
The Cyber Resilient Organization Study 2021 from IBM is a survey of 3,600 IT and cybersecurity professionals. It found that a full 35 percent had already implemented zero trust methods and technology in their organizations, and 65 percent believed it is a strong system for developing cyber resiliency.
According to Forbes, artificial intelligence (AI) is a catalyst that is driving fundamental change in key industries such as banking, customer service, healthcare, public safety, and education. As this technology develops, experts are finding that it can be an excellent cybersecurity tool.
Large events have always been a target for ransomware attacks, and the Tokyo Olympics in 2021 were no exception. A small computer was covertly implanted into the event to extract sensitive data. However, the Olympics had contracted with Darktrace, a British-American cyber-defense company, which used self-learning AI to identify and interrupt the threat. This gave the team of human engineers time to locate where the data leak was coming from without the pressure they would have faced if the leak were still active.
AI is becoming ubiquitous. A survey of 850 IT professionals published in 2020 by Statista found that 75 percent of executives had already implemented AI for cybersecurity purposes. It is estimated that AI will grow more than 23 percent per year from 2020 to 2027 to reach a market value of $46.3 billion by 2027.
Search “cybersecurity” on the internet and undoubtedly you’ll see headlines like, “The Cybersecurity Talent Gap is an Industry Crisis” and “The Cybersecurity Skills Shortage is Only Getting Worse.” Not only do I see this in global surveys of IT professionals, but I hear about it constantly from my colleagues in the field.
The cybersecurity profession is tackling this by bolstering both undergraduate and graduate degrees that teach students necessary skills. The University of Washington, for example, offers a master of science in cybersecurity engineering degree with a curriculum focused on the core security principles: protection (harden information infrastructures to resist attacks), detection (hunt down intruders), and correction (respond to attacks to minimize losses).
There are many cybersecurity programs offered online as well. These are tailored toward the working professional. For example, the University of North Dakota offers a fully online master of science in cybersecurity through its renowned College of Engineering and Mines. The program educates you to become a digital forensics examiner and protect information as it moves through our increasingly connected world.
Other online cybersecurity programs include:
In 2019, we realized that passwords are really a thing of the past and we ushered in the new era of passwordless authentication. In security, this is called multi-factor authentication (MFA), which replaces traditional typed passwords with other technologies like biometrics. With MFA, you must prove your identity using two or more verification factors that are secured using a cryptographic key pair.
With the growth of the remote workforce in 2020 and 2021, MFA has become critical to ensure that companies maintain cybersecurity. Many companies now require employees to use MFA every time they log in, in addition to a strong password.
The FIDO (“Fast IDentity Online”) Alliance is an open industry association that aims to develop and promote authentication standards and ultimately reduce the world’s over-reliance on passwords. According to their website, their FIDO2 Certification reflects the “industry’s answer to the global password problem and addresses all of the issues of traditional authentication including security, convenience, privacy, and scalability.”
This year, Microsoft’s Windows Hello and Android apps and websites achieved FIDO2 certification, bringing secure passwordless authentication to hundreds of millions of devices around the world.
My first year, the number one cause of data breaches was phishing, according to the 2019 “Data Breach Investigations Report” published by Verizon’s Threat Research Advisory Center. Of all types of attacks used by cybercriminals, phishing has the highest success rate.
So, what is phishing? According to the European Union Agency for Cybersecurity (ENISA), phishing is a digital technique used to persuade you to divulge sensitive information such as your password or banking details. These attacks use a combination of social engineering and deception, often disguising themselves as a trustworthy entity.
There are many types of phishing, including email phishing, smishing (SMS phishing), vishing (phone call phishing), and qrishing (QR code phishing).
In the past, it was fairly easy to spot the Nigerian Prince scheme, but in 2019, phishing attacks became more targeted and more sophisticated. Termed “spear phishing,” these attacks target specific people or organizations. The attackers learn what they can about you using open source intelligence (i.e., public information posted on the internet) to personalize the attack, making it much more believable.
This year we also saw a rise in Business Email Compromise (BEC), sometimes also referred to as “whaling.” This is another specific form of phishing where the attacker compromises a legitimate business email account and then conducts unauthorized transfers of funds. According to the FBI’s latest Internet Crime Report, BEC costs $1.8 billion annually, with 19,369 reported in 2020 alone.
In addition, 2019 saw a steady growth in mobile phishing attacks. According to the ENISA Threat Landscape Report, phishing attacks on mobile devices using messaging apps (e.g., WhatsApp) and social media apps (e.g., Instagram) have grown by an average of 85 percent year-over-year since 2011.
In 2018, Europe passed the General Data Protection Regulation (GDPR), which was created to protect a person’s right to data privacy and to require companies to give each person the right to access, control, and delete their own data. Although GDPR technically only applies to those who live in Europe, major technology companies like Microsoft have adopted it as corporate policy, too.
In 2019, we saw California create its own version of GDPR as well. The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and requires all for-profit companies that do business in California to meet minimum standards aimed at protecting a person’s right to digital privacy. In contrast to GDPR, CCPA focuses specifically on commercial use of data and requires an “opt-out” policy rather than an “opt-in.”
Looking ahead, Gartner predicts that, “Regulatory and privacy challenges will continue to grow in conjunction with digital business’s insatiable appetite for personal data.”
In fact, in 2021 alone, more than 250 pieces of legislation that significantly deal with cybersecurity were proposed in 45 states. These bills focused primarily on requiring cybersecurity training, regulating cybersecurity in insurance, creating task forces to study cybersecurity issues, and creating programs and incentives for completing cybersecurity training.
In their recent publication “Data Age 2025: The Digitization of the World from Edge to Core,” IDC highlights a looming problem: the sheer volume of information. They expect worldwide annual data creation to reach 163 zettabytes (ZB) by 2025, which is ten times the amount of data produced in 2017.
When you combine the abundance of data with the rate of its production, the breadth of its global distribution across devices and applications, the increased desire to share it, and the dramatic increase in regulatory requirements, information protection has become a Sisyphean feat.
To help us prepare for our “digitally transformed future,” this year IDC released the world’s first data readiness condition index (DATCON). The DATCON index evaluates an industry's preparedness for managing, analyzing, and storing this immense amount of data. They use a scale from one to five, where five represents an industry that is completely optimized and one represents an industry in critical condition.
Widely considered the world’s first-ever cyberweapon, Stuxnet attacked and shut down tiny industrial computers in Iran’s nuclear labs. Specifically, it caused uranium enrichment centrifuges to spin out of control, ultimately destroying them and stalling Iran’s nuclear program.
The Stuxnet case represents a cyberattack on the Internet of Things (IoT). With IoT, we’ve increased the “attack surface area”—that is, we now have more things than ever connected to the internet that can be exploited by cybercriminals.
The “attack surface area” refers to the size and sum of all places where someone might be able to enter your digital environment. For example, if your home only has one laptop connected to the network, your attack surface area is very small. But modern homes don’t just have one laptop; they also have connected smartphones, smart TVs, smart refrigerators, and smart thermostats, to name just a few.
As you think about the attack surface area of your home, start to think about that at the scale of a hospital with its computers, phones, infusion pumps, activity trackers, connected inhalers, thermometers, pulse oximeters, and heart rate monitors.
And these things are not only in our homes and hospitals; they also form the backbone of our refineries, telecoms, rail systems, electricity grids, water supply systems, and power plants. While this interconnectedness affords rich knowledge and efficiencies, it also leaves us vulnerable to an attack.
To address this risk, 2019 saw the launch of the Operational Technology Cyber Security Alliance (OTCSA), a noncommercial industry organization focused on researching and producing implementation and management guidelines for IoT. In 2021, they focused on how to use operational technology (OT) to provide even better cybersecurity.
While these modern challenges are formidable, they are also creating a wealth of opportunities for people interested in careers in cybersecurity.