Consider, for a moment, how many emails you send and receive every day. Now, take a moment and think about the content that you’re sending through your email messages. Have you sent or received anything that would cause harm if it were made public or got into the wrong hands? Chances are that you don’t think twice about incoming or outgoing emails because you have a trusted anti-virus software program installed on your computer. As HBO recently found out, minimal cybersecurity isn’t enough, and email hacking can be a costly venture.
Despite the advancements in cybersecurity, hackers are becoming more sophisticated in their approaches to profiting from weak security measures. The recent HBO breach calls into question the security of third-party vendors, which could lead to cyberattacks. Hackers are also looking for the most vulnerable industries and have recently targeted intellectual property like books, movies and other forms of entertainment. The HBO ransom scandal gives us a lot more to think about.
Background of the HBO Ransomware Hack
A hacker who disguised himself as “Mr. Smith” stole content from HBO and threatened to release much larger quantities of information if the company didn’t respond to the hacker’s demand for a large sum of money.
Mr. Smith posted five scripts from the popular show Game of Thrones, along with a month’s worth of emails from an HBO vice president and some other private information on August 7, 2017. The hacker demanded $6 million to prevent a larger, more damaging release of information. Apparently, Mr. Smith felt that $6 million was enough money to compensate for the time that his (or her) crew of hackers had spent on invading HBO’s electronic systems.
Persistent and Sophisticated Attacks Led to the Breach
Mr. Smith and crew launched a series of repeated, small attacks over an extended period of time to gain access to the intellectual property of HBO. Chronic persistence of phishing and malware attacks compromised many individual identities. Once hackers found an opening into HBO’s system, they were able to inject malware into them. Over time, the malware gave the hackers additional access to more of the individuals’ and the system’s passwords. The more information hackers have, the easier it is for them to gain access to lateral systems on the network.
Where Was the Weak Link in HBO Security?
Shortly after the demand for ransom, HBO launched an investigation. They have a couple of preliminary theories and are continuing to investigate the exact causes of the breach.
It’s quite possible that the hacker gained entrance to HBO’s system through a less-secure, third-party vendor. One of HBO’s vendors may have made an error in securing their systems or the third party’s system just wasn’t secure enough in the first place. Perhaps HBO could have been more proactive, considering other major companies that have had cyber breaches due to third-party vendors — companies like Verizon, Trump Hotels, Hard Rock and Scottrade.
Another theory is that HBO needs to invest more time and money in beefing up their cybersecurity efforts to stay ahead of the hackers.
Lessons from HBO Ransomware Attack
The primary lesson that all companies have to learn from the HBO attack is that they must take hackers seriously. There are many other lessons that we can learn, including how companies can enhance cyber protection, reduce risks of third-party vendors, how they can respond in the event of an attack, and how to deal directly with ransomware attackers.
Most cyber experts agree that passwords alone are not enough to prevent cyberattacks. Multi-factor authentication is the next best step.
Developments in machine learning programs are not foolproof, but they serve as an additional layer of cyber protection. Machine learning software programs adapt and evolve as information enters and leaves a system, and they help to stop attacks before they occur.
Nearly all companies should have IT departments that stay abreast of the latest security measures. IT should have systems and protocols in place for patching systems and applications, and reinforcing the system infrastructure. Companies need to be thinking about tightening up access to information, limiting it only to the employees who really need it. They also need to validate identities and encrypt sensitive communications and critical business systems.
Managers should be asking their IT experts about modernizing their systems to take advantage of monitoring and alerting systems that compensate for unwelcome hack attacks.
Currently, there is no bulletproof way to prevent cyberattacks, so companies are prudent to understand ransomware attacks and to develop a plan for negotiating with hackers.
Dealing with Cyber Extortion
The only thing worse than being a victim of a cyberattack is allowing it to catch you by surprise and not having a plan for dealing with cyber extortion. Today’s executives and board directors need to educate themselves about how to deal with hackers and whether engaging in negotiations may prove to be more harmful than beneficial. To date, HBO hasn’t made a decision about paying ransom.
Time is of the essence during a ransomware attack, and boards and managers will need to make quick decisions about paying ransom to prevent potential harm or loss. Making these decisions means that leadership will need to understand how hackers value their efforts to gauge how much they may be able to negotiate downward. They’ll also have to weigh whether the release of the information is more valuable than any amount of ransom.
All of this rests on the notion that the ransom hacker is merely after financial gain and doesn’t have any ulterior motives.
An article in Wired magazine highlights three important rules to follow during cyber extortion negotiations:
- Respect that the attacker knows more information than you do
- Coordinate with the entire team, including IT, intelligence, investigators, legal advisors, public relations and insurers
- Adjust by attempting to assess the terms, reduce the ransom, and avoid the risk of the attacker releasing everything due to a “no deal”
Additional Things to Consider from the HBO Hack Attack
Perhaps one of the biggest lessons that we learn from the HBO attack is that intellectual property is becoming a risky business. One of the ways the authors, musicians and filmmakers make their money is by advertising a product well ahead of its release to invite interest, ignite anticipation and drive profits. Once intellectual property has been released before its prime, the damage is already done, which makes creative works ready targets for ransom.
The increased risk for creatives means that it’s prime time for companies to invest more of their profits in multiple layers of cybersecurity to protect their works. How much? Companies would be wise to match their investment in cybersecurity dollars to the value of what they’re trying to protect.
What’s an Alternative to Email?
Instead of using email, businesses should start considering alternative means of communication that save what needs to be saved, delete what needs to be deleted and also contains top security features to ensure the protection of sensitive information. By using Diligent’s Messenger application, you can secure communication for your executive team and board members.
The Messenger app is designed to let board directors and executives set controls for deleting and retaining messages and also restricts the ability to copy messages, ensuring that things will not be sent to the wrong person. Messages that are sent in error can also be retracted, ensuring the protection of that sensitive message. The Messenger app is intuitive, easy to set up and easy to use, much like texting on an iPhone or Android device. Your admin can control who gets to be users and lets them send messages to an individual, or to everyone in a group.
Diligent is also the only board portal provider to receive the ISO 27001 security certification and Diligent is backed with over nine years’ worth of clean audits, backing the security of the application. The app allows for secure and encrypted communication and document sharing between board members, which can ensure breaches, such as the latest HBO hacking or the Donald Trump Jr. scandal do not happen. The robust security features protect against phishing, password hacks and other security breaches.