Cybercrime is about money. Given the extraordinary ransomware demands we’ve seen—including $70 million in bitcoin to decrypt Kaseya—that should sound obvious.
But it’s an important reminder about what’s motivating the majority of today’s hacks. From JBS Foods to Colonial Pipeline to now Kaseya, cybercriminals aren’t in it for the notoriety. They’re not hacktivists pushing an agenda. With the exception of geopolitical cyberwarfare and espionage, hacking groups tend to be in it to make a buck. As REvil put it in the Kaseya ransomware note, “Its just a business [sic].”
And, too often, the cost of doing ‘business’ favors hackers. Hackers breached Colonial Pipeline through a virtual private network account that was no longer actively in use and not protected by multi-factor authentication (MFA).
Though the cybersecurity industry is still piecing together what happened with the Kaseya attack, there are some indications that the company didn’t uphold some basic cybersecurity standards. Bloomberg reports that some problems included “the use of weak encryption and passwords” and “stored customer passwords in clear [unencrypted] text…on third-party platforms.”
Reducing cybercrimes of opportunity
In too many instances, cybercriminals are committing crimes of opportunity. Lacking MFA or relying on passwords lowers the effort they need to expend to walk away with a big payout.
Understanding cybercrime as a ‘business’ and increasing the work cybercriminals would need to do in order to be effective can go a long way in preventing ransomware and other breaches from occurring:
- In the wake of the Kaseya attack, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) advised organizations to enforce “MFA on every single account that is under control of the organization.”
- Identity is the bedrock of all security: it’s the first line of defense against ransomware and other online crimes. If hackers can’t get past identity safeguards, then they literally can’t go anywhere. Businesses need to verify users are who they claim to be and control what they’re able to do with that access.
- It’s also worth considering how zero trust can help limit any default assumptions about the trustworthiness of any device, user, or application.
- Rather than rely on passwords—which are outdated, insecure, and expensive—we should finally find ways to go passwordless.
To be sure, these aren’t silver bullets—there’s no magic wand we can wave to ensure cybersecurity. But we can make small, incremental changes that wind up being greater than the sum of their parts.
By bending the risk/reward curve even a little, we can change the cost of doing business back in our favor.