
#ISC2CONGRESS – Tuesday Keynote: Protecting Yourself During the Pandemic

Nov 17, 2020

Graham Cluley

Despite the substantial increase in remote working since the start of the COVID-19 pandemic, security breaches have stayed about the same for the vast majority of people and businesses, according to security expert Graham Cluley, an award-winning blogger who provided the Tuesday keynote speech at this year’s virtual (ISC)2 Security Congress.

Only one in 10 businesses say they have experienced a dramatic increase in attacks, Cluley said, before quickly adding that attacks don’t always result in breaches. As a matter of fact, research shows breaches increased by only one percentage point over the past 12 months, to 16% from 15% in the previous 12-month period, Cluley said.

“Let’s not be too glum,” Cluley said. While he struck a positive note to cap his talk, Cluley was emphatic about the need to take “sensible precautions” against cyber attacks by locking down security controls and educating users about threats.

He noted that many successful attacks these days aren’t perpetrated through sophisticated technical means, but through social engineering and trickery. That’s why phishing, ransomware and business email compromise (often whaling or CEO fraud) are so prevalent.

Serious Consequences

Cluley shared examples of attacks that illustrate how ransomware has evolved from simple ransom demands after locking up systems to far more nefarious schemes with serious consequences. In one case in Germany, a COVID-19 patient died as a result of an attack.

The cybercriminals attacked a hospital thinking they were targeting a university, not a healthcare facility, forcing a transfer of patients to another hospital. One patient died on the journey. And although the attackers subsequently gave the hospital the decryption key, it was too late for the victim, Cluley said.

In another case, a cyber attacker went so far as to impersonate former French minister of defense Jean-Yves Le Drian to extract $80 million from victims. The scam involved video chats with someone wearing a silicone mask of the minister’s face. The hackers claimed the French government needed the money to free hostages in the Middle East and couldn’t do it through normal public funding means for political reasons.

Business email compromise attacks, Cluley said, have bamboozled companies out of $12 billion in the past five years, according to FBI statistics. Often, attackers trick finance departments and top executives into depositing substantial amounts of money in cybercriminal-held accounts thinking they are paying a legitimate invoice.

“Cybercriminals are more professional than they used to be. This has become a huge industry,” Cluley said, pointing out that cybercriminals can pay other bad actors on the dark web to perpetrate attacks to steal company data. It costs as little as $150 to pay someone to carry out an attack. Some cybercriminals claim they need no more than seven days to guess the credentials to get into a company’s sensitive systems.

Sometimes, Cluley noted, companies make it too easy for attackers through shoddy security practices. For instance, a company may leave email backups in a system that is easily accessible, giving cybercriminals the opportunity to extract information about invoices, projects and people in the company.

No Other Option

Cluley said he discourages paying ransom when companies are attacked. “After all, it does encourage more ransomware attacks.” However, there are cases when organizations feel they have no other option. If the alternative is to fire staff or shut down the business, he said, “it’s not a surprise to me that some companies have paid.”

Perversely, this has given rise to a new type of opportunistic entrepreneur, who will offer a victimized company services to decrypt locked data. However, these entrepreneurs typically charge more than the ransom would have cost, and in many cases they retrieve the decryption key simply by paying the ransom the attackers are demanding, serving as a middleman in the transaction.

To avoid such situations, Cluley urged organizations to tighten up their security controls by following best practices, being sure to patch systems and educating staff. Now that so many more people are working from home as a result of the pandemic, these precautions are especially critical.