The Severity of Cyber Contagion

Research suggests that up to 90% of Small and Medium sized companies in France, Spain, Germany and Italy are hit by a cyber-attack at least once a year. The impacts and consequences are dependent on the type of attack; however, Business Email Compromise and Ransomware attacks are thought to make up a large proportion of the threat and certainly are among the most effective.

In the majority of cases, the attacks, and any resultant data breaches, are not reported to authorities, customers, suppliers or shareholders. Admitting a breach is embarrassing and the fear of losing a valued customer or share value is seen as an unacceptable risk, so the attack remains concealed. Consequently, this also implies that ransoms may actually be paid in an attempt to ‘hush up’ the incident, meaning that an affected company will be acting completely furtively in a drastic manner for what it believes to be the best reasons: but instead, may be actively giving in to Threat Actors while keeping suppressed the true extent and scale of the threat.

The problem is that if the Threat Actor has breached a supplier or customer, they are likely to have valuable information that they can use to spread the attack. With a Business Email Compromise attack, the Threat Actor has access to the email system and is thus able to intercept email traffic between the company that was breached and, for example, a customer. They will often monitor email between the accounting departments for months and watch for patterns. When, for instance, they know that a large payment needs to be made and the head of “accounts payable” is on holiday, they will strike and forge new invoices which result in payments being sent to the Threat Actor’s bank account. This kind of attack is effective because it takes advantage of the trust between two companies that has built up over months or years. Moreover, getting one’s money back from either the bank, or an insurance firm, is difficult because the victim firm chose to make the payment, despite it being a con…

In a similar way, ransomware attacks can spread from one company to another based on the inherent trust built up over time. Threat Actors craft communications from a ransomware breached company to a partner company. There is already a trusted relationship which the attackers use to their advantage, the attackers will have extracted information from the breached company and will use it to “spread” to the target company (via email phishing or malware transfer).

We can clearly see that partner companies who work together, fall into a more trusting relationship. International Cyber criminals are known to employ a diverse range of personnel and specialist skillsets, including behavioural psychology. These criminals devise attack methods that rely on an understanding of human behaviour because these methods are the most effective methods for spreading contagion.

Additionally, when companies get hit by a cyber-attack, they are often breached again. Repeat attacks have become common in recent years although the true number of organisations that have suffered multiple attacks is unclear, as most of them do not publicize incidents. Organisations are likely to fall victim to a similar attack in the months following the initial incident.

One of the key reasons why breached organisations fall victim to additional attacks is that hacking groups are eager to finish the work they started, even if they have been discovered in the network. Attackers rarely randomly target organisations; once the reconnaissance has been conducted on a target, the attackers will want to complete their attack. However, the second attack is not necessarily going to have anything to do with the original hackers — it could be a separate attack by a different hacking group eager to take advantage of what they perceive to be a weak target. Although organisations rarely publicize that they have been breached, Threat Actors communicate on closed channels or the deep and dark web. Hence, they know the low hanging fruits without the mainstream media reporting these.

Consequently, when companies get attacked, the rate and nature of responsiveness is important. Notifying third parties and partners about the attack is critical to curb contagion because threat actors often move from one target to the other based on the information extracted from the first attack. Also, when an organisation is breached, they usually initiate incident response from their internal IT team or external IT support.

In some cases, organisations go through incident response phase and disaster recovery and are given recommendations that will mitigate the likelihood of a second breach, but it has almost become a common practice to ignore the recommendations based on “it won’t happen again” or funding issues. Failure to address the issues first-hand will likely result to infection, and then re-infection.

All companies are at risk of cyberattack; however, companies who work in close partnerships in supply chain manufacturing are often most at risk of a severe cyber contagion. Delivery deadlines need to be met, product decisions and payments need to be made quickly and the added pressure can result in corners being cut. The inevitable consequence is that the partners rely on their trusted relationship and leave themselves open to attack.

All of these problems are exacerbated when cultural sensitivities, and fears, prevent companies from being willing to air their problems, and admit to their failings, in public (and arguably even in private) in order to push the very necessary conversation about cyber-security to the fore. Indeed, the culture of almost pathological secrecy about breaches damages mitigation efforts in two key ways. If they were made more public, and more people understood how and why they occurred, more could be done from a preventative position in the first place and the stigma would be lessened – and breached companies could alert their partners to the subsequent increased risk of contagion and help them to mitigate the potential impact.

The current climate of denial and obfuscation is fuelling the likelihood of severe cyber contagion between partner organisations and goes beyond simply being human error. It is a cultural malaise which serves only to benefit the Threat Actors, who know that any target they may strike will be isolated by choice and without the support network that would come from a community that understood the breadth and depth of the threat and was cumulatively better prepared. It is no wonder that the severity of contagion is rising, when mutual support networks are forsaken for a head-in-the-sand approach that ultimately serves no-one.