How to reduce cyberattack and ransomware risk

We should train ourselves to recognize suspicious emails and links, even if they appear to come from a familiar, trusted name

  
Image used for illustrative purpose. A participant uses a laptop computer as he takes part in the Seccon 2016 final competition on January 28, 2017 in Tokyo, Japan.

Image used for illustrative purpose. A participant uses a laptop computer as he takes part in the Seccon 2016 final competition on January 28, 2017 in Tokyo, Japan.

Getty Images
 

In the space of a few recent weeks, “cyberattacks” and “ransomware” became household words, as well as matters of “red line,” “act of war,” and “loss of life” that needed to be discussed by the leaders of Russia and the US in their Geneva summit. What happened? Two spectacular incidents led to constant and startled media coverage, further fueled by alarming discourse by US officials.

First, last month, Americans living on most of the east coast had to queue for hours to get gasoline for their cars because the Colonial Pipeline Company was hit by a cyberattack that seriously disrupted its highly automatized distribution system. And, just a couple of weeks ago, the JBS meat processing company was attacked by ransomware (a computer virus paralyzing an entire system, along with a ransom demand for the “antivirus” key) and ended up paying $11 million to get its system working again.

If that were not worrisome enough, US Secretary of Energy Jennifer Granholm told CNN that the American energy network is not fully protected; the US Department of Justice declared that high-impact ransomware attacks will now be considered terrorism; and the director of the FBI likened the level and impact of such ransomware to 9/11.

Why the alarming pronouncements? Because, in 2020, a major cyberattack, later linked to a group believed to be backed by the Russian government, hit thousands of organizations globally, including a dozen US federal government agencies and hundreds of companies. Tons of sensitive data were stolen.

Why this sudden escalation? Actually, this has been coming. Many of us will remember how talk of “antivirus” software used to be a constant among computer users, until they became an almost invisible part of our equipment and networks. But even those who use computers and forget about malware today are probably familiar with “phishing” — how we get tricked by an email pretending to come from a known source but carrying a malevolent attachment that asks for valuable information such as passwords. Indeed, millions of people each year get tricked into clicking on a link or an attachment (a “Trojan”), with terrible consequences.

There are many different types of cyberattack, but the most recent and disastrous one is ransomware, where companies and institutions of all kinds — and sometimes individuals as well — get attacked and ransomed.

How big is the problem? In 2019, more than $11.5 billion was paid in ransoms and, in the first half of 2020, the average sum demanded was $178,000. Even more disturbing is the fact that 40 percent of the victims who have paid the ransom never got their data back, and 73 percent of those who paid were targeted again later.

The problem is also spreading: 51 percent of businesses that were recently surveyed reported being hit with ransomware in the first half of 2020. In 2021, a company is expected to be hit every 11 seconds.

Last but not least, many of these attacks are supported by various state security agencies. Hence the talk of “war” (by computer viruses), “red lines” (crippled economic sectors such as energy) and “loss of life” (attacks leading to explosions, intended or not, incapacitated hospitals, etc.).

Should we, in our part of the world, worry at the individual, institutional and state levels? We should not just worry; we should take steps to protect ourselves from cyberattacks and ransomware. Here’s how.

At the individual level, in addition to keeping our antivirus software up to date, we should train ourselves (or get trained) to recognize suspicious emails and links, even if they appear to come from a familiar, trusted name. If an email seemingly from my brother asks me to send my credit card number, I should be suspicious. Likewise, be wary if an email from a friend, colleague or important person asks me to open an attachment or click on a link with a strange explanation. In such cases, examining the full email address of the source will reveal that, while it carries a familiar name, it is not from that person’s usual email address but rather from a very strange one.

Similarly, one should be very suspicious of websites that offer free downloads of games, movies, discount coupons, etc., or congratulate us for winning prizes and ask us to claim them by clicking on some links.

Institutionally, IT staff of companies, agencies, universities and the like should conduct regular security awareness training, such as on how to recognize malicious emails, files and links; how to back up data regularly, preferably on the cloud; and what to do if attacked (the computer freezes or misbehaves). IT departments should also protect computers and accounts against hacks and attacks by installing and updating tools such as antivirus software and firewalls.

Cyberattacks are increasing in both number and scale of impact. Newsweek’s cover story this week is titled “The rising risk of a cyber Pearl Harbor.” We all need to do our utmost to prevent such wars, big or small.

  • Nidhal Guessoum is a professor at the American University of Sharjah, UAE. Twitter: @NidhalGuessoum
Disclaimer: Views expressed by writers in this section are their own and do not necessarily reflect Arab News' point-of-view

Copyright: Arab News © 2021 All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).

Disclaimer: The content of this article is syndicated or provided to this website from an external third party provider. We are not responsible for, and do not control, such external websites, entities, applications or media publishers. The body of the text is provided on an “as is” and “as available” basis and has not been edited in any way. Neither we nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this article. Read our full disclaimer policy here.

More From Risk