Data breaches are always costly but have become even more of an issue in recent months as cybercriminals ramped up to take advantage of coronavirus confusion. According to a new study from cloud computing company Iomart, large-scale breaches are growing in intensity and frequency in 2020, with the number of breaches increasing 273% in the first quarter, compared to the same time last year.
There are a couple of reasons driving the uptick in breaches. More and more business — from online banking to ecommerce — is being conducted online. Businesses had to make an abrupt shift from most employees working in an office to working from home. In the rush to continue with business as usual, many had to take some shortcuts with security.
During times of upheaval or change, cybercriminals capitalize on confusion and uncertainty. Experts say different kinds of attacks are on the rise. Companies, both large and small, governments and individuals are all targets. Among the most common types of attacks seeing an uptick are ransomware, destructive attacks and island hopping. Ransomware, in which criminals encrypt files and then demand a ransom to restore access, is up 90%, according to a recent report by VMware. Destructive attacks, in which data or networks are destroyed, is up 102%. Island hopping, in which criminals take over digital transformation efforts of companies, using their networks to attack customers and partners, is up by 33%.
Losses from cyberattacks can be extensive. In June, Japanese automaker Honda said ransomware hit the company's internal servers, including its production systems, forcing it to suspend some of its auto and motorcycle production. Israeli fintech company Sapiens paid a $250,000 ransom in bitcoin after hackers threatened to shut down the company's network. The company believes the attack occurred in March or April when employees started working from home.
Government agencies and local governments are also being hit. The city of Florence, Alabama, paid nearly $300,000 in bitcoin after a cyberattack on its computer network system in June. In California, the city of Torrance was hit by a ransomware attack that disabled its website, email and financial system. The group demanded 100 bitcoin, worth around $700,000.
According to Iomart, a typical data breach for a large company results in data loss of between 10 million and 99 million records and dings a company's value by 7.27%. For small businesses a data breach can be catastrophic.
"Fraud rises in times of crisis, in a bad economy or some kind of event people are concerned about. Fraudsters come out of the woodwork," said Al Pascual, chief operating officer of Breach Clarity, a fraud prevention and detection technology firm that provides consumers and financial institutions with a greater degree of transparency around the risks associated with data breaches.
The confusion around the pandemic and rapidly shifting work and online habits created ideal conditions for cybercriminals who exploit current events. "They are using interest and attention to an issue as a way to get clicks and take advantage of changed behavior," said Nicholas Davis, professor of practice at Thunderbird School of Global Management and visiting professor in cybersecurity at University College London.
The FBI said its Internet Crime Complaint Center has seen "a significant increase in the number of complaints filed," though only a fraction has been directly related to the coronavirus. As of mid-June the center said it recorded 12,377 Covid-related scams.
"As more people work and shop online, they are more likely to be targeted by online scammers," said a spokesperson for the FBI.
Early in the pandemic, there was an uptick in targeted campaigns about understanding Covid-19 and Covid statistics. Now criminals are shifting to focus on stimulus payments, unemployment, PPP loans and benefits. On the day PPP loans first hit bank accounts, the websites of several large banks went down because of the surge in traffic. For smaller banks whose sites didn't go down, there was a catch-22, said Breach Clarity's Pascual.
Criminals "knew day and time" that the deposits would be made and subsequently "overwhelmed financial institutions with account takeover accounts," he said, adding that account takeover attempts increased by 80%. Criminals attempt to take over accounts by trying old usernames and passwords to gain access to accounts and move money.
All industries have been affected, but some have been targeted more than others. According to Iomart's data, the IT sector was the hardest hit in the first quarter of 2020 with the number of breaches more than doubling compared to the same period in 2019, while the manufacturing and health-care sectors were the most impacted. Earlier this month, Russian and Chinese hackers were accused of stealing coronavirus vaccine research in the U.S., Canada and U.K.
Cybercriminal groups aren't necessarily using new tactics, but attacks are becoming more and more sophisticated. Scripts look for insecure databases and can sit undetected in a system for months, learning about how the system works, how and when backups are deleted, and gearing up for attack.
The sudden surge in work-from-home arrangements increased the opportunity for cyberattacks. When the pandemic first hit, companies that went from maybe 10% of the workforce working from home to 90% to 100% found that their systems were not designed to take on the increased load. To get employees up and running, the focus was on availability and getting people the tools and data they needed to work remotely.
"With the mass shift to remote workforces, the corporate perimeter has been broken. This is compounded by the reality that most home networks are insecure, and household smart devices are vectors for attack," said Tom Kellerman, head cybersecurity strategist at VMware Carbon Black, a cybersecurity firm.
This was compounded by ad hoc security controls early on, as companies scrambled to get employees up and running. Now, as the crisis drags on, companies are realizing employees may need to work from home for the foreseeable future. There's a transition from "a solution that was built together with duct tape and string and chewing gum" to more "robust operationalized solutions," said Emily Mossburg, global cyber leader at Deloitte.
As the dust settles, many businesses are now looking at potential extended work-from-home arrangements and finding ways to secure those systems. Bill Strain, security director of Iomart, said some the company is getting more requests to secure worker laptops or other endpoint devices. For large companies with a lot of resources, cybersecurity professionals are in high demand. Smaller companies, on the other hand, are finding it easier to hire services from a cybersecurity company.
Kellermann recommends that companies assess their system's endpoints and find ways to protect endpoint devices through regular updates and other measures. He also suggests implementing "digital distancing" measures, such as having work-from-home employees use two routers, separating home and work network traffic.
While the increase in cyberattacks is alarming, it has put a spotlight on this growing issue. "From our perspective, it's good and bad. There's a massive uptick in awareness in security, and a massive uptick in awareness," said Strain.