CISO Report. Photo: Cybercrime Magazine.

CISO Report: Ransomware Business Is Booming

Employee education is a key cybersecurity agenda

David Braue

Melbourne, Australia – Dec. 10, 2021

The CISO Report is sponsored by KnowBe4.

Ransomware has exploded into the corporate consciousness, becoming by far the number-one enemy of CISOs — and Teresa Zielinski knows exactly why.

“Unfortunately,” she told Cybercrime Magazine, “extortion works. And when you combine cybercrime with extortion, that really works — and you have ransomware as a business.”

For companies that have already spent billions on cybersecurity — and are expected to shell out $1.75 trillion more between now and 2025 – many are humbled by the idea that a multi-billion-dollar Fortune 500 company could be brought to its knees by someone sitting at a computer on the other side of the world.

Yet it has been happening, over and over again — particularly in the utilities sector, where Verizon, for one, recorded 546 cybersecurity incidents during 2020, including 355 in which the disclosure of data was confirmed.

While social engineering attacks accounted for 86 percent of breaches in the sector over the course of 2020, fully 44 percent of the remaining attacks were attributed to ransomware — approximately 33 separate ransomware incidents affecting mining, quarrying, oil and gas extraction, and utilities.

Given the generally large size of natural resources and utilities firms, as well as their essential position at the head of many other industries’ supply chains, even one breach can have a catastrophic ripple effect — as the world saw when the ransomware attack on Colonial Pipeline triggered real-world fuel shortages earlier this year.

As a person whose entire job depends on preventing such a compromise, Zielinski — senior vice president, global CISO and head of product security with GE Gas Power — has come to register such attacks with something that has matured from concern to a more pragmatic acceptance.

Ransomware is the number one threat “for the simple reason that it’s working,” she explained. “We can’t prevent everything — so are we going to be resilient and reduce that risk when the attack happens? That’s really key.”

And as ransomware gangs experiment with double, triple, and even quadruple-extortion attacks — which have transformed ransomware from a point-in-time business interruption into a concerted criminal campaign that has become the worst nightmare for CISOs at ransomware-hit utilities like Australia’s CS Energy — Zielinski knows this particular business risk isn’t going anywhere.

“We’re not seeing the last of it,” she said. “I think it’s going to continue to increase until we can really get our arms around our resiliency, and [figure out] how to put those controls in place related to ransomware.”

Reading from the same playbook

Actually putting those controls in place, however, is an ongoing process — particularly given the residual effects of business cultures where CISOs are, incredibly, a relatively recent phenomenon in many companies and many executives still perceive cybersecurity as being something that the IT department is supposed to take care of.

That has been changing, however, given the ever-bigger numbers coming out of cybersecurity research firms — which have been a wake-up call for executives long accustomed to thinking in dollar terms.

Some of the predictions — such as Cybersecurity Ventures’ that cybercrime damage will reach $10.5 trillion annually by 2025 — are so large that many executives may write them off as scaremongering.

Yet they are anything but, said Zielinski. “I don’t think they’re overinflated,” she said. “If anything, they’re probably underrepresented. It’s hard to measure all of the impacts we have right now” as a result of cybersecurity exposure.

Now that the business impact of ransomware and other malware is being more broadly appreciated, however, Zielinski believes boards and C-suites are rapidly waking up to the challenges they pose.

“We’re talking about the right things,” she notes, although “it could have been brought in a little sooner from a discussion standpoint.”

Having recently announced plans to spin off its energy, healthcare, and aviation businesses into separate publicly traded companies by 2024, GE will need to be considering cybersecurity implications at the highest levels — particularly in the energy business, where increasingly-problematic vulnerabilities in legacy industrial control systems (ICS) will be exacerbated by the natural disruption of a major restructuring.

“It’s hard,” she says, “because you have to look at what you can prevent or exclude from getting on the network in the first place, versus how you balance supporting the business. And it’s not an easy answer.”

Given the inevitable focus on digital enablement and transformation — and the increased risk exposure posed by the inevitable dive into cloud platforms — utility CISOs need to plan for securing massive investment in connected devices, sensors, control equipment, and other Internet of Things (IoT) equipment that is expected to push 50 billion to 80 billion devices into the market in coming years.

This surge will push the world to store 200 zettabytes of data by 2025, inevitably drawing the attention of cybercriminals and expanding the attack surface that CISOs will be expected to protect.

“The more you process online, the more connected devices, the higher the risk and the impact,” Zielinski explained. “We know all the devices and everything we do doesn’t always come with security built right in — so there are a lot of changes that we have to enable in the industry to really help our business strategically move forward.”

Working efficiently and effectively with the company executive will be crucial in guiding this transition — and lending meaningful weight to the process of cyber risk management.

“We need to work with all of our business leaders to [ensure] we’re working in the right environment with the right guidelines,” she said, “so we’re all in sync on the risk.”

“It’s all about education in my mind.”

The people factor

Education, in fact, remains a key tool in Zielinski’s arsenal of cybersecurity defenses — and sometimes, she said, the way cyber leaders engage with employees can make all the difference.

A new cybersecurity training campaign, for example, is called “People: Our Strongest Link” — an inversion of the conventional cybersecurity-industry mantra that humans are the weakest link in enterprise security.

“I don’t think of it like that,” Zielinski said, “because I feel like that’s when you’re reprimanding folks. It’s all about the culture of training and awareness, getting better, and having somebody raise their hand and ask a question and not feel like they’re going to get reprimanded.”

“The more we do that, the more we all improve and get better — and that’s what awareness is really all about.”

With 10,000 employees in the GE Gas Power business and over 200,000 across the whole conglomerate, taking a positive approach to employee training “makes all the difference in the world,” Zielinski said.

Yet this positivity needs to extend up and down as far as possible. “Ask yourself, are your leaders talking about [training]?” she explained, likening cyber to existing practices around industrial safety, “or is it just the cyber team? Do your business leaders talk about cyber? Are they aware? Do they promote it?”

Ultimately, increasing awareness of cyber threats is pushing energy, utility, and similar companies towards a more comprehensive cybersecurity defense whether they like it or not.

Growing pressure from standards bodies, regulatory authorities, and national governments is reinforcing the narrative that the current cycle of ransomware infections, business interruption and, potentially, the payment of ransoms, simply isn’t tenable for the long term.

This realization, Zielinski believes, will shape the CISO agenda over the next few years as executives realize that simply throwing more money at cybersecurity won’t fix it alone.

“It’s not just what we’re spending, but how we’re spending it,” Zielinski said. “We have to have the skill sets and the people on board to spend, and make sure we’re keeping pace with the technology advances.”

“We still have a ways to go to really help reduce that risk,” she said. “I daren’t say get ahead of it, but to help really stay at pace with all the risks that we’re seeing in the industry.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.