IMPORTANT Website terms of use and cookie statement
close

Cybersecurity in a year of crisis

An informative article provided by our technical security partner, Mitigo. Mitigo are one of RIBA Business partners, providing services to support practices. Written to help architectural practices and their managers learn more about current cyber crimes and how to try and avoid them.

This year has seen a global pandemic, urgent concerns about climate change, and the uncertainty of Brexit consume much of our lives, TV and the press. Some business leaders may have taken their eye off the growing threat posed to businesses in general – and professional service firms in particular – by the proliferation and increasing sophistication of cybercrime.

The emergence of new and disturbingly effective methods of cyberattack during the last 12 months only serves to demonstrate the ingenuity of the criminal gangs responsible, and why your cyber risk controls in place last year may well no longer be secure. As methods of attack continue to evolve, so must our defences and controls.

A doubling of opportunities for ransomware

One of the most frightening forms of attack, ransomware, can leave firms operationally crippled, bring projects to an abrupt halt, waste billable hours, and seriously damage client and other professional relationships. The average downtime of business disruption following a breach is now running at 19 days.

Previously the malware usually got into your system when someone clicked on a link, letting in the ransomware that automatically found data and files to encrypt. Now, criminals can automatically scan firewalls, looking for ports and vulnerabilities to gain access. And with so many people currently working remotely on poorly configured connections and devices, they are hitting the jackpot.

The way the attack progresses has also changed. Once you’ve been breached, the bad guys no longer just go straight to the encryption stage. They often take their time examining confidential client and proprietary data.

Then they steal the material they think will cause you maximum pain if it’s made public giving them two ransom opportunities. First, they demand payment for the decryption key. Next, they threaten to release publicly, piece by piece, the confidential data they’ve stolen about you, your projects, your relationships and your clients. Unless, of course, you pay up.

The critical thing to understand here is that even if you have perfectly configured backups, they will still not be enough to protect you, your clients and your operations. This is why the amounts demanded as ransom, and the amounts actually being paid out, have increased. Additional protection should be a big consideration.

Multi factor faking

Another thing that’s evolved is how very easily people can sign into and misuse your email account.

A while ago, crooks would usually get hold of your email address and password via phishing attacks or buying your credentials on the dark web. Then they could login, send and receive emails as if they were you, spy on your mail, steal information, divert payments and so on.

Office 365 Multi factor authentication (MFA) was designed to put a stop to this, preventing anyone else from logging into your account unless they had second factor authentication, usually a code sent by text to your mobile phone. But not any more.

2020 has seen new ways of getting around MFA. Notably, fraudsters can now accurately mimic the 365 login page. So you think you’re typing into Office 365, but in fact, it’s a fake cover page that automatically inputs your credentials into the real Office 365 page, except on the fraudster’s computer.

When the text with the code comes through to your mobile, you do the same - why wouldn’t you? And the criminals have successfully logged in as you. Free to do what they want. And when they’ve enabled the optional 60 day validity period, they’ve given themselves 60 days’ access.

The growth of the criminal ecosystem

Of all the many routes there are to cyber attack businesses, the exponential growth of ransomware is arguably the most telling. This is a high stakes game, and given the kind of projects architect practices work on, they are at risk.

Why the rapid growth?

  • It's becoming more easily achievable, can be hugely profitable and the chances of criminals being caught is almost non-existent.
  • Attack tools are now freely available, as are low cost Ransomware as a service (Raas) kits. So aspiring cyber crooks no longer need high levels of technical knowledge to get involved. Affiliate ransomware platforms offering Raas provide easy market entry, and especially with more remote working, ample opportunity for good returns.
  • There has been an increase in ‘big game hunting’ – the process we mentioned earlier - where more thoughtful and focussed attacking gangs closely examine the opportunities that successful breaches provide for financial gain, whether by the theft of money or by high value ransom.
  • Lower ranking criminals add to the risk, using the Raas model to function as ‘lead generators’, earning a cut or commission by passing on the opportunity to the big boys, who will be better able to fully exploit the financial blackmail potential of the breach.

The cost of a breach

Ransom inflation, as we indicated, is compounding the problem. Research suggests that by Autumn 2020, the average ransom being paid was approximately £177,000, rising sharply for larger organisations.

This is no surprise. Downtime following a breach can cripple a practice and cost a fortune. This, together with the exfiltration of high value data (the ‘steal then encrypt’ model), results in criminals having greater negotiating power over their victims. Firms feel under greater pressure to give way to ransom demands to get their operations back up and running, and to prevent their own and their clients’ confidential data from public release (even when system recovery from backups is possible).

From the attacker’s business perspective, the ransomware to payment ‘conversion rate’ has gone up very substantially, including for the smaller Raas players who are also now seeking higher ransom returns.

A market that’s here to stay

Given the amounts of money involved, the sophistication of organised cybercrime gangs shouldn’t come as a shock. This is a thriving market. And like any successful business, these operations now have their own PR machines, with websites and press releases announcing breaches, naming names, and the theft of data – threatening to make it public, if ransoms aren’t paid.

This market, again, like any other, has its own dynamics. And analysis shows that the ‘market share’ of different ransomware players and affiliate programmes has changed throughout the year. Big players like Sodinokibi (aka REvil), Maze and Phobos saw their share of total attacks go down due to the incursion of smaller players and the emergence of new entrants to the market.

This speaks to two somewhat disturbing issues. One that this is an established market that is not going to go away. And two, that the proliferation we spoke of is accelerating.

Keeping your practice safe

The rise in the volume and sophistication of cyber attacks and the accompanying threat to business operations should be of increasing concern to all practices.

Aside from the obvious commercial considerations, the profession also has a duty to put security measures in place to maintain confidentiality and to comply with data security legislation.

Effective cybersecurity is not just a technology issue. Rather, the biggest vulnerability lies in the day-to-day practices of people. So effective configuration of technology must be accompanied by proper training and effective policies and controls.

Practices must also challenge their reliance on third party IT providers to provide security. A big concern is that many firms are still not taking the right steps to test or audit their policies, processes and systems, which should be reviewed regularly, by someone independent.

Successful cyber attacks are now happening with increasing frequency against practices of all sizes. Leaders have a responsibility to satisfy themselves that the right measures are in place and regularly reviewed to protect the firm, their partners and clients. They should not be relying on generalist IT support.

RIBA has partnered with Mitigo to offer technical and cyber security services for our members.

View the full service offer on our technical security page. For more information contact Mitigo on 0161 88 33 507 or email riba@mitigogroup.com

keyboard_arrow_up To top
Cookie statement | Privacy policy | Terms of use
66 Portland Place, London, W1B 1AD | +44(0)20 7307 5355 | support@riba.org | Registered Charity No. 210 566. Incorporated by Royal Charter No. RC000484 | © RIBA 2024