In the first part of this piece we introduced the idea that it's not so much the strength of the cyberattack that determines its impact — it's the preparedness of the business that's targeted. For this reason, a single attack can have vastly different effects depending on different levels of enterprise security.
In the last article we presented three businesses with different approaches to network security. The first, Business 1, decided it doesn't present a likely target for hackers and therefore hasn't put any money or resources toward protection. Business 2 has good security for its in-house computers but is lacking a mobile strategy for its BYOD devices. Business 3 is the only one with a comprehensive security plan that accounts for mobility and advanced identity verification needs. Now to recap, in this scenario there's a brutal cyberattack going around. It typically begins with a phishing scheme before turning into a ransomware attack. Let's see how each of the three businesses outlined above responds when hit by this intrusion.
Business 1: It should come as no surprise that Business 1 is utterly unprepared for the attack when it happens. The malware comes in the form of a phishing email sent to Edgar, the office secretary. Since he hasn't been trained on email security best practices — and since the business doesn't have any form of enterprise security in place — he opens the email attachment and unwittingly installs the malware onto his computer.
From there, due to the lack of any network safeguards, the virus quickly infects every computer in the business' system. Administrators are confronted with a message informing them that the entire contents of the enterprise network have been taken hostage, and that to get them back requires paying a ransom in bitcoin. Without any defensive strategy in place, the business scrambles to meet the hackers' demands. Yet despite eventually paying the ransom, their data is never restored. Like 60 percent of organizations hit by data loss, Business 1 is forced to shut down after the incident.
Business 2: Unlike Business 1, the leadership of Business 2 knows what a realistic threat cybercrime poses — and has planned accordingly. One day, a phishing email from the same malicious source heads to Business 2's email network, but the secure email solution the organization has in place prevents the attack from intruding via this method. The hackers, however, are persistent, and they look for another way in.
The next thing they try to do is to steal a staff member's authentication information and get into the system that way. The criminals succeed in getting the login details, but when they enter them they find they're confronted by a second, identity-based security platform that they can't bypass. They've almost given up hope on attacking Business 2 when suddenly they have an idea: mobile devices. Perhaps Business 2 has employees who log in to the network via their personal connected devices. As it happens, Business 2 does have BYOD employees, like more than 60 percent of companies out there. Only problem is, it doesn't have mobile security.
The attackers exploit this vulnerability by launching a targeted social media phishing attack (an increasingly common tactic of advanced persistent threats) on the BYOD employees. Through this method, the hackers are able to take over Business 2's system and hold it for ransom. Unlike Business 1, Business 2 elects not to pay the ransom, instead relying on its data backups. Still, the news of the attack spreads, and, like Business 1, Business 2 shuts its doors soon after the intrusion.
Business 3: The folks at Business 3 have gone to great lengths to protect their organization's security. They've looked at every possible way a hacker could exploit the system and patched up those vulnerabilities with robust security measures. Thanks to advanced authentication solutions, the identity of everyone attempting to access the business network is thoroughly vetted before access is granted. Like Business 2, Business 3 has also been making inroads in BYOD. However, as soon as Business 3 launched its BYOD policy, it also rolled out a mobile security platform ensuring that mobile identities and transactions were never compromised.
Emboldened by the success of their BYOD attack on Business 2, the hackers try something similar on Business 3. But thanks to the mobile security of their organization, the BYOD workers at Business 3 have desktop malware protection on their devices that stops the attackers in their tracks. Next, the cybercriminals attempt to worm their way in through a vulnerable app that a worker might have, but the application protection on staff mobile devices prevents this from happening too. Eventually, the hackers give up on Business 3.
The lesson here: There's no such thing as being halfway prepared for a cyberattack. As a business, you either have the tools to combat cybercrime or you don't — there's no middle ground. That's a lesson Business 2 learned the hard way. Despite making a real effort to guard its network, the fact that it had left mobile devices vulnerable meant it fell victim to attack — and ended up no better than Business 1.