Consumer businesses are particularly at risk from data security incidents and malicious attacks. We consider the various forms and what your business can do to prepare and reduce risk.
Ransomware
Ransomware is a particular type of security breach where malware (malicious software) is used to encrypt the electronic files of its victims. A ransomware attack will usually be accompanied by a ransom demand, offering a decryption key in exchange for a payment. These attacks have been on the rise in recent years and are expected to continue in 2023.
Ransomware-as-a-service
The ransomware-as-a-service (RaaS) business model allows individuals with little technical knowledge or coding skill to purchase and execute ransomware attacks by leasing malware from its developers. The profits are then typically split between the developer and the attacker. We anticipate that RaaS will remain popular in 2023, driven by the continued growth of initial access brokerage and by how little expertise the model demands of the attacker.
The potential for an increase in the use of RaaS may also be exacerbated by the looming global economic recession, as financial challenges may lead to a rise in hackers-for-hire willing to launch attacks in exchange for payment.
Double (or triple) extortion
Traditionally, ransomware attacks focused on encrypting a victim's data and threatening to delete it unless a ransom was paid. In recent years, however, there has been a rise in double extortion attacks, which involve not only holding the victim's data to ransom but also threatening to publish it online. This allows attackers to extract two payments from their victims: one for the decryption key, and another to prevent the release of sensitive data.
According to research from CipherTrace, double extortion ransomware attacks increased by nearly 500% in 2021. In 2022, double extortion continued to be part of the threat landscape and we expect that many ransomware attacks in 2023 will include the threat of a data leak.
There have also been increasing reports of triple extortion attacks, in which the attackers not only hold the victim's data for ransom, but also target individuals or organisations whose data may have been compromised in the attack. As cybercriminal groups continue to evolve and become more sophisticated, we anticipate that the use of triple extortion as a tactic will increase.
To pay or not to pay?
In recent years, the issue of ransomware has garnered significant attention within the field of cybersecurity due, in part, to the ethical and legal implications of paying ransoms to cybercriminal groups. Many experts assert that such payments not only sustain the cycle of attacks, but also potentially provide funding to nefarious organisations, including those under sanctions or designated as terrorists.
In response to these concerns, responders and investigators are likely to face increasing scrutiny of the processes they follow to identify and accurately attribute ransomware actors, so that payments are not made to parties on sanctions lists.
Concerns surrounding the payment of ransoms extend beyond sanctioned parties. There is a general view that paying individuals or groups who have illegally accessed systems is ethically problematic because of their connections to other forms of criminality. As ransomware attacks persist, we expect the debate over the ethics and legality of paying ransoms to remain a prominent issue in 2023, and it may eventually result in legislative or policy action at national level.
How can you prepare?
- Raising employee awareness
To effectively prepare for a ransomware attack, it is essential for organisations to prioritise raising employee awareness about the risks of such attacks and how to prevent them. Employees are frequently the primary source of data breaches, and it is therefore imperative to provide them with the knowledge and tools necessary to safeguard against ransomware attacks. This can include providing training on safe browsing and email practices, such as avoiding clicking on links or opening attachments from unknown sources.
It is important to cultivate a culture of cybersecurity within your organisation. This can involve reminding employees to be vigilant about potential threats and encouraging them to report any suspicious activity. By making cybersecurity a priority and empowering employees to take an active role in preventing attacks, organisations can better protect themselves against the threat of ransomware.
- Involvement and leadership of the C-suite
The involvement and leadership of the C-suite is crucial in effectively preparing for and responding to a ransomware attack. The C-suite should ensure that the necessary resources, both at a technical and personnel level, are available.
- Playbooks and policies
Playbooks should be developed to support an organisation's preparations for and activities during a ransomware attack. The playbook should outline the steps to be taken in the event of an incident and include information such as how to prevent the spread of ransomware, how to recover from backups, and how to communicate with stakeholders.
It is also important for organisations to regularly review and update their cybersecurity policies and procedures.
- Defence in depth
An effective way for organisations to protect themselves against ransomware is to adopt a defence in depth strategy: layering multiple, independent controls at different points within the organisation's network so that no single failure exposes the whole estate. By combining technical and procedural measures, such as firewalls, intrusion prevention systems and endpoint protection, organisations build a multifaceted defence that is better equipped to withstand ransomware and other cyber threats.
Adtech
Adtech, or advertising technology, is a term used to describe technologies that connect advertisers with target audiences through publishers. These technologies include banner advertising on the advertiser's or publisher's website, paid-for search (where advertisers pay for their details to appear at the top of search results) and online video adverts, amongst other things. In 2023, we are likely to see increased scrutiny of adtech from regulators, privacy activists and litigants seeking to address their concerns about data privacy.
Transparency and consent
At the heart of many of the challenges to the use of adtech are concerns about the intrusive profiling of website users without appropriate transparency or valid consent.
In 2021 and 2022, we saw a number of high-profile and high-value regulatory enforcement actions against major players in the adtech industry, as well as action against retail and consumer-facing website operators that use adtech. Privacy activists ran significant and targeted campaigns against household-name website operators, and litigants brought private claims for damages relating to the misuse of cookies.
What can you do?
It is important for companies employing adtech to take steps to ensure that they are operating in a transparent and consent-driven manner.
One key action that companies can take is conducting a cookie audit to assess the types of cookies and tracking technologies that are being used on their websites or platforms, and to ensure that they have appropriate consent from users for the use of these technologies. Companies should also develop a process for managing and updating information about the use of cookies, including obtaining and documenting user consent.
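One way to carry out the inventory step of such a cookie audit, as an added example that is not from the article: the script below takes the Set-Cookie headers observed during a page load, classifies each cookie as first- or third-party and session or persistent, and flags the patterns a consent review should look at (non-essential cookies set before consent, persistent third-party cookies, very long lifetimes). The site host, the header values, the allow-list of strictly necessary cookie names and the per-cookie consent flag are constructed assumptions.

```python
"""Cookie inventory for the audit step above (added example, not from the
article). The site host, Set-Cookie headers, essential allow-list and the
per-cookie consent flag are constructed assumptions."""

SITE_HOST = "shop.example"                                 # assumed first-party host
ESSENTIAL = {"session_id", "csrf_token", "consent_prefs"}  # assumed strictly-necessary names
LONG_LIVED_DAYS = 365                                      # assumed lifetime threshold

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        k, _, v = part.strip().partition("=")
        attrs[k.lower()] = v or True  # bare attributes such as Secure are flags
    return name, value, attrs

def is_third_party(domain_attr, set_by):
    # First-party only if scoped to the site host itself or one of its subdomains.
    host = (domain_attr if isinstance(domain_attr, str) else set_by).lstrip(".")
    return not (host == SITE_HOST or host.endswith("." + SITE_HOST))

def audit(observed):
    """One row per (header, set_by_host, after_consent) tuple, with review findings."""
    rows = []
    for header, set_by, after_consent in observed:
        name, _, attrs = parse_set_cookie(header)
        max_age = attrs.get("max-age")
        days = int(max_age) / 86400 if isinstance(max_age, str) and max_age.isdigit() else None
        persistent = days is not None or "expires" in attrs
        third = is_third_party(attrs.get("domain"), set_by)
        findings = []
        if name not in ESSENTIAL and not after_consent:
            findings.append("set_without_consent")     # non-essential cookie placed pre-consent
        if third and persistent:
            findings.append("third_party_persistent")  # the cross-site profiling pattern
        if days is not None and days > LONG_LIVED_DAYS:
            findings.append("long_lived")
        rows.append({"name": name, "third_party": third, "persistent": persistent,
                     "lifetime_days": days, "findings": findings})
    return rows

SAMPLE = [  # constructed observations from one page load: (Set-Cookie, set by host, after consent?)
    ("session_id=9f3a; Path=/; Secure; HttpOnly; SameSite=Lax", "shop.example", False),
    ("consent_prefs=v1; Max-Age=15552000; Path=/; Secure", "shop.example", True),
    ("_ana=u1; Domain=.shop.example; Max-Age=63072000; Path=/", "shop.example", False),
    ("uid=42; Domain=.ads-tracker.example; Max-Age=31536000; Secure; SameSite=None",
     "ads-tracker.example", True),
]
```

Running `audit(SAMPLE)` flags the analytics cookie as set without consent and long-lived, and the ad-network cookie as persistent third-party tracking, while the session and consent-preference cookies pass; the same rows then feed the consent documentation the paragraph calls for.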
Additionally, it is important to review the overall design of the website or platform to ensure that it is compliant with relevant laws and regulations, and to avoid the use of so-called "dark patterns" that may be designed to manipulate users into providing consent without fully understanding the implications.
Finally, it is important to stay up to date on developments in relevant legal frameworks in the different jurisdictions your organisation operates in, as there is a lack of regulatory and enforcement uniformity.
Authors: James Drury-Smith, Mark Hendry and Isaac Chulu Chinn
If you have any questions or would like to discuss any of these topics and what they mean for you and your business, please get in touch with our consumer sector and data protection and cyber security experts.