Malware

SPOTLIGHT ON SECURITY

Ransomware’s Aftermath Can Be More Costly Than Ransom

Downtime caused by a ransomware attack can cost a company more than paying a ransom to recover data encrypted by the malware, according to a report released last week byIntermedia.

Nearly three-quarters (72 percent) of companies infected with ransomware could not access their data for at least two days because of the incident, and 32 percent couldn’t access their data for five days or more, according to the report, which was based on a survey of some 300 IT consultants.

“If you’ve got a large number of users and downtime runs into multiple days, then the cost of that downtime adds up pretty quickly to the kind of ransom amounts that cybercriminals are demanding potentially,” said Richard Walters, senior vice president of security products at Intermedia.

Those losses occur even if a company has taken precautions to back up its data. “You have to contain the infected systems, then wipe them completely and then restore them,” he told TechNewsWorld. “That process in more than half these cases took longer than two days.”

Paying Ransom

Companies faced with the decision between paying a ransom or restoring their systems from backups could find that it would cost them less to pay the ransom.

If they do pay the ransom, it’s likely that the cyberextortionists will descramble the data for the victim.

“If you pay the ransom, there’s a one in five chance you won’t get your data back,” Walters said. “There are much worse odds.”

Cyberextortionists are starting to target bigger companies with their attacks, the Intermedia survey found.

Nearly 60 percent of businesses hit by ransomware had 100 employees or more, the report noted, and 25 percent had more than 1,000 workers.

Ransomware has become a growth industry, the report added. More than two out of five (42 percent) consultants polled for the survey said they had customers who had been infected with ransomware. Nearly half (48 percent) said they’d received ransomware-related support inquiries, and 59 percent expected attacks to increase this year.

Better Credit Card

With the rollout in October of payment cards with more robust security, online merchants began to brace themselves for an avalanche of more card-not-present fraud. One industry’s fears, though, can be another company’s opportunity.

“What we know is that every country that’s migrated to EMV has significantly reduced the amount of fraud for card-present transactions,” said Martin Ferenczi, president for North America atOberthur Technologies.

EMV is a layer of security added to a payment card that makes it much more difficult to counterfeit and use without proper authentication.

“Immediately, the fraud moves to card-not-present transactions. Those transactions are used on the Internet and for phone orders,” Ferenczi told TechNewsWorld.

“We need to find an easy solution to reduce that fraud,” he added.

Cycling CVVs

Oberthur’s solution is a payment card with a constantly changing CVV code — the three-digit code found on the back of payment cards.

Each Oberthur card contains a microprocessor that continuously creates new CVV codes for the card. The CVV number generator is synchronized with the card issuer’s servers at the time the card is activated so it knows what number will be generated at any point.

Adding a processor to a card means it has to have some kind of power. The battery for CVV generator will last about three years, Ferenczi estimated.

The cards cost more to produce, too. “It will depend on volume, but it will be six or seven times the cost of a conventional card,” he said.

Consumers will be willing to pay for a card that’s more secure, Ferenczi maintained. A survey released by Oberthur last week showed that 60 percent of consumers would be willing to pay for such a card. [*Correction – March 28, 2016]

However, they may not need to do so.

“Our models also show that the return on investment for a financial institution is pretty good despite the higher cost per card,” he said.

Cloud Security Still Untrusted

Despite the widespread adoption of cloud computing, security remains a chief concern.

The latest evidence of that is a recent survey byEvolve IP of IT pros and execs in more than 1,000 companies. More than half (55 percent) of the respondents said their top concern or barrier to moving to the cloud was security. That remained essentially unchanged from Evolve surveys in 2013 and 2014.

Another study released last week byXO Communications revealed similar concerns about cloud security. More than half the survey sample (56 percent), which was made up of employees at organizations planning to connect their WANs to a public cloud, said they feared security gaps at that connection could compromise their data in the cloud.

Visibility and management of the connection between a company’s WAN and a public cloud was a growing challenge for organizations, according to the survey, which was conducted for XO byIDC. Fewer than two out of five (38 percent) companies told IDC surveyors that they had excellent or very good visibility into their WAN-public cloud connections.

Shadow IT

The Evolve report also found indications that shadow IT is alive and well in many organizations. Only about half the respondents said IT was involved in another department’s decision-making process to use the cloud.

“People in different functional areas of an organization need to get things done and because of the ubiquity of cloud offerings, they feel they can get things done themselves,” said Guy Fardone, COO at Evolve IP.

“They’re less apt to rely on their IT staffs because they want it done now, and they don’t want to run it by anybody else,” he told TechNewsWorld.

“There’s a trend there and it can be scary for security,” Fardone added.

Breach Diary

  • March 14. St. Joseph Health in California settles class-action lawsuit brought on behalf of some 31,000 patients whose personal information was exposed on the Internet. US$7.5 million was awarded to patients, and $7.5 million will be used to pay attorneys fees and costs. Another $3 million will be used to compensate patients for identity theft losses.
  • March 14. Premier Healthcare of Indiana announces a stolen laptop computer containing personal information of more than 200,000 patients was returned to the healthcare provider via U.S. mail. Forensic analysis indicates the unit has not been powered on since it was reported stolen on Dec. 31.
  • March 14. American Express warns an undisclosed number of customers that their card member information may have been exposed by a data breach at one of its merchants.
  • March 15. Township High School District 113 in Illinois announces in has launched an investigation into complaints by an undisclosed number of employees that personal information on file with the district was used to file fraudulent 2015 income tax returns.
  • March 15. LAZ Parking announces tax information of nearly 14,000 is at risk after the data was sent to an unauthorized party as a result of a phishing scam.
  • March 16. Palo Alto Networks’ Unit 42 reports it has discovered a malware family that can infect nonjailbroken iPhones when they’re connected to PCs. The malware appears to affect only users on mainland China.
  • March 17. The Lakes Region Scholarship Foundation in New Hampshire alerts nearly 2,000 former high school students that their personal information is at risk after an employee duped by a computer support scam gave an unauthorized party access to the organization’s computer system.
  • March 17. Feinstein Institute for Medical Research in New York agrees to pay federal government $3.9 million to settle a HIPAA violation case involving a stolen laptop containing electronic protected health information for some 13,000 patients and research participants.
  • March 18. Springfield City Utilities in Missouri alerts some 1,000 employees their personal information is at risk due to a phishing scam.

Upcoming Security Events

  • March 29. Microsoft Virtual Security Summit. Noon to 3 p.m. ET. Online event. Free with registration.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • March 30. Get a Grip! Taking Control of Today’s Identity and Access Management Realities. 2 p.m. ET. Webinar by BrightTalk. Free with registration.
  • March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Highway 79), Round Rock, Texas. Free.
  • March 31. Decoding the Encryption Dilemma: A Conversation on Backdoors, Going Dark, and Cybersecurity. 9-10:30 a.m. ET. Information Technology and Innovation Foundation, 1101 K St. NW, Suite 610, Washington, D.C. Free with registration.
  • March 31. Mapping Attack Infrastructure: Leave Your Foe With Nowhere to Hide. 1 p.m. ET. Webinar by SANS. Free with registration.
  • March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Highway 79), Round Rock, Texas. Free.
  • April 5. User and Entity Behavior Analytics Using the Sqrrl Behavior Graph. 2 p.m. ET. Webinar by Sqrrl. Free with registration.
  • April 6. Atlanta Cyber Security Summit. The Ritz-Carlton Buckhead, 3434 Peachtree Rd., Atlanta. Registration: $250.
  • April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
  • April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
  • April 12. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
  • April 13. A Better Way to Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 16. B-Sides Tampa. Stetson College of Law, Tampa Center, 1700 N. Tampa St., Tampa, Florida. Free.
  • April 16. B-Sides NOLA. Hilton Garden Inn, New Orleans Convention Center, 1001 S. Peters St., New Orleans. Fee: $15.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • April 20-22. CSA Summit 2016. Lichtstr. 43i, first floor, Cologne, Germany. Registration: 500 euros.
  • April 26. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston, Texas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.

*ECT News Network editor’s note – March 28, 2016: Our original published version of this story incorrectly stated that 80 percent of customers surveyed said they would be willing to pay more for dynamic security code protection.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

2 Comments

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels