It was an alarming breach by itself when hackers last week posted the Social Security numbers, grades, and other personal information of tens of thousands of Las Vegas public-school students. But for cybersecurity leaders far beyond academic circles, there’s an even more troubling takeaway: hackers are using the disruptive pandemic to “innovate.”
Normally hackers will threaten to shut down an organization’s digital systems unless the organization pays a ransom. But in the successful Las Vegas hack and a couple of recent smaller attempts elsewhere, the thieves took the unusual step of publishing personal details when the ransom wasn’t paid. New as well is how cyber thieves are shifting to small outfits such as schools and health organizations, which they had rarely touched. “You’d think that there would be lines that would not be crossed,” says Aileen Alexander, managing partner in Korn Ferry's Technology Officers practice and coleader of the firm’s Global Cybersecurity practice. “Guess not.”
The pandemic, of course, has created a slew of challenges on the cybersecurity front. With enormous staffs now working remotely, there are far more access points into an organization’s internal network—which in turn means more opportunities for hackers to breach the system. Cyberattacks across industries have been on the rise since March as hackers look to exploit the increased use of video conferencing and personal computers to gain access to confidential information.
Flat-out stealing and publishing data, as was done in the Las Vegas case, versus threatening to break into a system to shut down service, adds another layer of complexity to the typical cybersecurity leader’s challenge, says Jamey Cummings, a Korn Ferry senior client partner and coleader of the firm’s Global Cybersecurity practice.
The ransom paid to hackers—or adversaries, as they are called in the cybersecurity industry—is also on the rise. While individual ransom attempts vary wildly, Coveware, a ransom negotiating firm, reported an increase in average ransom payments for all industries, up 60% to $178,254, in its second quarter ending in June. The firm says hackers almost always deliver a decryption tool to the hostage companies or organizations once the ransom is paid. The United States government does not encourage organizations to pay a ransom, but many organizations do.
At the same time, hackers are increasingly looking at smaller or midsize organizations to assault, including schools and healthcare organizations. Many don’t have the resources to hire full-time cybersecurity leaders, train their stakeholders on how to avoid common threats, or continuously update their systems to counter threats. In some instances, ransom attacks this fall have forced school districts to delay reopening.
The adversaries have always been creative, but they haven’t traditionally gone after smaller organizations, Cummings says. “Some organizations that didn’t have religion about the issue have it more so than they had before.” Indeed, while the broad jobs market is not great, companies are still actively searching for and bringing on cybersecurity leaders, Alexander says.
Leaders short on resources can turn to third parties to manage their cybersecurity, and they can also bring in consultants to assess their current situation. At the same time, some organizations are turning to their peers for guidance on the best ways to combat digital adversaries. Alexander recommends that leaders seek out an information sharing and analysis center, or ISAC, to share tools and advice and to stay abreast of the latest threats and events. There are more than 20 ISACs in the US, broken down by industry, such as healthcare, transportation, and real estate.