As cyberattacks climb in the news, regulators need to make cybersecurity a top priority

As more regulators face cyberattacks, woe to the unprepared. Cybersecurity can be overwhelming, but it doesn’t have to be.


Washington’s State Department of Licensing has just reported a cyber-incident that might have compromised the sensitive personal information of over 250,000 licensed professionals in the state. This is but the latest in a string of regular cyberattacks on government agencies.

Cybersecurity is no longer an afterthought; it has become relevant to our personal and professional lives. It is now an issue of national security and governments are increasingly recognizing the need for better technology as a bulwark against the threat.

For regulators, the risk may not rise to the level of national security, but many are realizing the need to update outmoded technology to improve operations and provide greater security. As they do so, regulators need to pay attention to the trends and appreciate the need for protection, but this can be daunting.

Cyberattacks are here to stay

Media reports, research from insurance companies, and government statistics all tell us that cyber-intrusion, which had been rising globally over the last few years, has increased dramatically since the onset of the COVID-19 pandemic.

Much of the recent increase in cyber-intrusion was propelled by opportunistic cybercriminals seeking to exploit vulnerabilities presented by a hasty transition to remote work among many companies and, indeed, government organizations. However, while it is tempting to link the increase in cyberattacks to the pandemic alone, there are other factors at play, including:   

  • The rise of cryptocurrencies.  
  • Multi-jurisdictional challenges for law enforcement.   
  • The use of ‘ransomware as a service’ (RaaS).   
  • IT budget constraints.    

While experts debate the how, why, and who of cybercrime, they tend to agree on one thing: regardless of the pandemic, the risk of cyber-intrusion is here to stay and all organizations – including and especially regulators – must learn to respond and adapt. 

Ransomware and RaaS 

Ransomware groups and RaaS should be of particular interest and concern to regulators of any size, especially as these groups continue to refine their tactics. RaaS is a subscription-based approach that hands would-be cybercriminals pre-developed ransomware tools to execute attacks, opening the world of cybercrime to more than just hackers. For example, groups like REvil and Darkside rent out their tools and even provide support to those carrying out attacks, sometimes for as little as $40 per month.

Taken together, these factors suggest regulators should pay more attention to cybersecurity. According to Verizon’s 2021 DBIR, the number of incidents experienced by small or medium organizations (with fewer than 1,000 employees) nearly equaled those of larger organizations, whereas in 2020 they accounted for less than half.

The low-hanging fruit is proving too desirable to cybercriminals. Even when monetary rewards are small, the risk to the attacker is very low. Small, seemingly less significant organizations may become targets because of their vulnerabilities, but these cyberattacks tend to be less sophisticated. That’s good news, because when attacks are not technically sophisticated, there are some basic tactics regulators can employ to protect themselves, which our recent whitepaper on cybersecurity covers in depth.   

Cyberattacks make headlines 

When cyberattacks occur, they make headlines. Fresh examples are abundant: in 2021 alone, both Toronto’s and New York’s subway systems fell victim to ransomware attacks. Oil and gas players like Colonial Pipeline faced large-scale breaches. Schools and major health care services in Canada and Ireland have been hit. And even some regulators made the news, including one of Canada’s largest, the College of Nurses of Ontario (CNO), which faced a major cyberattack in August 2020. These news stories are only the tip of the iceberg, representing the most widely reported cases.

Insurance reports tell a similar story 

Insurance companies are a helpful source of statistical information relating to cyber-intrusion, since they generate valuable data from the calls they receive and the research they conduct.

According to Accenture’s Cyber Incident Response Update, cyber-intrusion incidents increased 125% in the first half of 2021 alone. The top three countries targeted were the United States, U.K., and Australia. Although the bulk of the increase was seen in the consumer goods and services industry, news stories tell us a wide variety of organizations regularly face cyberattacks. 

Government’s keen interest in cybercrime 

As high-value targets, governments are a useful source of information and advice.  

The Federal Bureau of Investigation reported a 62% increase in ransomware incidents in the first half of 2021 with over $16.8 million in resulting losses. This was reported in its Alert (AA21-243A), which also warned organizations that illicit cyberactivity tends to increase over holidays.   

The U.S. Department of Justice declared 2020 the worst year ever for cyberattacks and established a ransomware taskforce to assess the problem. And both the Canadian and U.S. federal governments have recently issued open letters to all organizations operating within their countries due to the rise of cyber-intrusion. Both governments are urging all businesses to take necessary action while providing some helpful hints on how to do so.    

Get informed, not frightened

All this information is intended to inform, not scare. Since cybersecurity seems like a dark, mysterious, and confusing world to many, there is a tendency to run and hide or else ignore the problem altogether. However, avoidance is no longer a practical approach. Being informed helps us plan and prepare, and preparation is the best weapon against cybercrime.

Regulators need to be prepared: they are valuable targets simply because of the amount of sensitive personal data they hold, including social security numbers, insurance information, and health information of many licensees, complainants, and regulatory staff.

To help regulators navigate their own cybersecurity journeys, we’ve prepared a new whitepaper that tackles the issue in depth and provides valuable takeaways on how to bolster your cybersecurity preparedness. Read it today to get started on your cybersecurity strategy.

Jordan Milian writes about regulation, licensing, and technology at Thentia.

Thentia’s Ascend Magazine is your source for exclusive news, insight, and commentary on regulation and digital government.
