5 things you need to know about fighting ransomware | EP 24

Oct 26, 2022 | 21 min | Season 2 | Ep. 24

Episode description

Ransomware attacks are on the rise and no business is immune. Find out the five things you need to know to protect yourself and your business. Sona Remesh’s guests are David Koh, chief executive of the Cyber Security Agency of Singapore; and John Shier, senior security advisor at Sophos.

Transcript

Speaker 1

Imagine your computer system is taken hostage by criminals who demand that you pay them a ransom to get your device back. Now, this kind of ransomware attack is on the rise, and no business, big or small, is immune. So what are the five things you need to know to protect yourself against ransomware? I'm Sona Remesh from the Money Mind team, and I'll be getting some answers from David Koh, chief executive of the Cyber Security Agency of Singapore, and John Shier, senior security advisor at Sophos. That's a security software and hardware company. So my first question to both of you is: just explain to us what exactly is ransomware.

We're familiar with cyber attacks that are phishing attacks that try to get your password and then try to gain access to your computer systems. And this would then either result in them stealing information or perhaps tricking you into transfer of monies or your bank account, et cetera, which will result in financial loss. So those are the traditional types of cyber incidents which we are familiar with. Ransomware is a different kind of cyber attack. What happens is that they come into your computer system and then they launch a specific type of malicious software which locks up your entire computer system so that you can't access it. They then tell you that we have locked up your computer. If you want access to this computer, please pay us a certain amount of money, which is the ransom, hence the term ransomware. So it's ransom malware.

Initially, when the criminals started to do this, they did it at a small scale. They targeted individuals, small and medium enterprises, and the amount of ransom that they charged was at a very small level. So the victim would typically pay the ransom because it was an inconvenience, etcetera. But it was a lucrative business because the attackers, the criminals, were able to do this repeatedly across the board many times. So many small attacks, but each one a few hundred dollars, adding up to be a lucrative small business from the criminal perspective.

The criminals have now evolved, and they have become more organized, and they have formed into very large gangs. So the gangs are sophisticated and they are increasingly targeting larger companies, not just small and medium enterprises: large enterprises, listed companies, etcetera. In these cases they recognize that the sophistication that's required has to go up, because large companies don't just have one or two computers but they have entire networks. So their attack systems now need to be able to overcome the defenses of the large company and to be able to lock up the entire network. Once they have done this, there's a whole element of negotiation. Once I've locked up your networks, I'll charge you a much larger amount, and then there's an element of negotiation. So the entire system is like a criminal business, and it's now evolved where they have their own R&D teams, they have their own negotiation teams, they have got teams that deal with the technical aspects, teams that deal with the financial aspects and teams that deal with the human aspects of negotiation, for example. So it's almost like a shadow business. It's organized in gangs and they operate internationally.

Speaker 2

Traditionally, ransomware, it's a piece of malicious software that will encrypt the files on your systems, and the criminals will ask for a ransom, so that sum of money to buy back the decryption key to decrypt your files. Some of the ransomware criminals have also shifted, and we've seen this in the past couple of years, to also stealing data, so they will steal that data and they will threaten to publish that data publicly if you don't pay up. And we've even seen lately some groups that are actually forgoing the encryption bit and just doing the data stealing, because in their minds the extortion part is still part of that data stealing. If you've got some data that's intellectual property or is going to compromise your customers' privacy, some companies are opting to pay for preventing the release of that data.

Speaker 1

So it's an evolution of traditional data breaches.

Speaker 2

It does start that way. Ransomware has really diversified and specialized. You've got different groups doing different kinds of things, and we've got some groups that are called initial access brokers. Their sole job really is to just find victims, gain access to those victims, gain persistence, meaning they gain a point of presence within those networks, and then they resell that access to other criminals, and often those criminals are ransomware criminals. But if you look at the way that the initial access brokers work, they exploit vulnerabilities. So if you're not patching your systems, then they'll use that as a way into your networks, or they'll just rely on good old phishing, grabbing your credentials or sending in malicious attachments that will provide them a foot in the door. And once they've got that foot in the door, then they can either go forward and perpetrate any crime they want. But more often than not, they'll resell that to another group of criminals, which will then go on for the next step of the attack.

Speaker 1

Why is ransomware a growing problem, not just here in Singapore but also around the world?

We've seen the number of cases in Singapore go up by about more than 50% in the last one year, up to 137 cases reported to us last year. And these are only the reported cases. I'm sure there are many other cases which haven't been reported to the authorities. We see the trends going up in terms of the scale and the intensity. Ransomware used to affect individuals, small and medium enterprises. Now we see it intensifying. The criminals are going after big companies, and including essential services. One example was earlier this year: the government of Costa Rica was hit by a ransomware attack. And this affected essential services in Costa Rica: their medical services, tax services, customs. The government actually declared a state of emergency.

So these have real-world implications, not just for small companies, but actually large companies and even countries as a whole. So this is of growing concern. Ransomware also is by nature a cross-border issue. The criminals are typically coming from outside the country, from anywhere in the world, actually. Secondly, they exploit the jurisdictional differences, boundaries, to avoid the prosecution or legal consequences of their actions. And thirdly, as I said, they're going after bigger and bigger companies, and that can result in real-world impact to citizens, individuals, people. This being the case, it is essential for us to respond to this. And as we respond to this, it can't just be a domestic issue but has to be an international response.

So we're talking about a cross-border problem that also requires cross-border solutions. Tell us who's most at risk here.

Speaker 2

Well, the fact is that 100% of companies are potential victims. I'm often asked, you know, how bad can it get? Well, I think it's already as bad as it can be, because every single business out there is a potential target of ransomware criminals. The idea that there are bigger fish out there, or too small to be a target, it's just false. There are many, many different ways to monetize a victim. It doesn't have to be ransomware. There are other crimes out there: simply stealing data and reselling the contents of that data to other criminals, additional phishing campaigns against them and their partners. There's just too many ways to monetize this data.

Speaker 1

So you're never too small or too big to be a victim of cyberattacks. And one form of cyberattack that's on the rise in Singapore and around the world is ransomware. Now, that's when criminals launch malware that locks up your computer and then demand a ransom from the victim before you can get your computer system back. These attacks have also evolved, and in some attacks the criminals steal data as well. It looks like these cyber bad guys are just constantly upping their game. How can businesses, particularly small and medium-sized ones, step up defenses against such threats?

The last two years have been hugely challenging for small and medium enterprises. Firstly, we had COVID, then we had to respond to that. Many small and medium enterprises took the opportunity, or were forced, to adopt digital solutions. So we were forced to adopt digitalization. This has resulted in some benefits for us, but at the same time the very act of going more digital exposes us to greater cyber risks. So it's a double-edged sword. On the one hand, you have the opportunity that digitalization brings us: more customers, ability to do things at scale, faster, more convenient. But on the other hand, digitalization opens us to greater cyber risks. So we need to understand this.

What are the challenges that small and medium enterprises face? First of all is the issue of resource: don't have enough people, don't have enough money, we don't have an IT department. So this is a real big resource. But I also want to address perhaps a misconception, that cyber is not just a technical issue. Yes, at the base level there are technical issues, but I would like to urge us to understand, from the small and medium enterprises, I want to say that cyber actually is a business risk issue. If you understand that your business depends on digitalization, your business depends on your computer databases, etcetera, then actually as a business leader you need to be aware of the risks that you're taking with respect to cyber, and you need to be able to deal with this just like any other business risk. It is something that the business leader needs to think about, needs to consider, and there are trade-offs: do you do this or do you do that? On the one hand, it's more convenient, but on the other hand, you're taking on more risks. Ultimately it is a business decision that may impact your bottom line, and you as a business leader need to be aware of this and making those kinds of decisions.

Speaker 2

The first way we do this is by building resilience into our infrastructure, into our systems. The thing to note about ransomware specifically, and really just cyber attacks in general, is it starts as a trickle and then becomes a torrent. So as we're talking about these little things, like a phishing attack where the document provides them a little bit of an access into the network. Once they're in the network, they have to then do a little bit of discovery and reconnaissance to understand what kind of network they're in, where the high-value assets are. They have to move around laterally. They have to escalate privileges. So all these little things are signals that are potentially discoverable and can give people an opportunity to detect and then stop the criminals. So building resilience into the system, where we monitor the networks continuously and then are able to spot those signals when they happen and investigate those signals, is part of it. And then the other part of it: we have to stop paying these criminals. The volume of money that is going into criminals' pockets is a self-fulfilling prophecy, right? The more we pay the guys, the more they're going to improve their ability to operate, the more they're going to be able to recruit affiliates, the more they're going to be able to just go about their business.

Speaker 1

With this ever-evolving range of online threats, what sort of help is available for businesses?

SMEs need to recognize that they can and they are being targeted. Some SMEs take the view that I'm too small, no one will come after us. The reality is that we are exposed to cyber criminals from all over the world. They're opportunistic, so when they find a potential victim, they find a target. They're not specifically targeting you, but they just find somebody and just hit it. And the nature of the digital space is that they can fire many bullets, as it were, at a relatively low cost. So you need to plan for this, you need to be prepared for this, understand the resource constraints that SMEs face. So in that respect, what government has done is that we have launched many programs which could help SMEs. Many of them are actually free. For example, CSA has launched the SG Cyber Safe program in 2021. This provides free toolkits which you can download from us. Get access from us for free. These are designed for the leaders, the bosses in the SMEs; they're designed for all the employees as well as for their IT departments. So you've got different toolkits which are designed for the different parts of the organization.

So there are some which are designed just for the bosses to understand, some for the IT department so that they can implement the solutions, and then others are for awareness for all the employees, because actually all of us are at the front lines of this challenge that we're facing, and all employees need to do the basic things. Cyber actually is a team effort. We need everyone in the organization, not just the IT department, the bosses, all the employees, to be aware of the part that they play and play their part well.

In March of 2022, CSA has also launched two new initiatives. These are the Cyber Essentials and the Cyber Trust mark. One of the big challenges that we glean when we talk to all our stakeholders is that cyber is just too complicated. There's so many things to do. What am I supposed to do? And then when I speak to the vendors, they're always telling me their solution will solve all the... So as an SME, it is a huge challenge to try to make sense of the space, know exactly what you need to do and what you can do. Cyber Essentials is a move in that direction, where we simplify it and say that, look, if you're an SME, these are the basic things that need to be done, and if you do this, it will give you a relative level of cyber hygiene which will put your enterprise in a better state. And in addition to that, we have also reached out to different companies to make sure that their products align to this, and that as an SME you then have a choice of which products you can buy which will meet the Cyber Essentials mark. We hope that in due course you can put this, a bit like a simpler version of an ISO mark, on your company, and then you can tell your customers that your company has reached this level of basic cyber hygiene, which is recognized by the Cyber Essentials mark. Beyond the Cyber Essentials mark, there's also the Cyber Trust mark. This is meant for larger enterprises, those with more resources, where you can aim for a higher level of excellence in cybersecurity.

So help is available for SMEs, but it's also about a mindset change, isn't it, David?

The nature of cyber is perhaps unfamiliar to many of us. Many of us instinctively know how to deal with physical security dangers. We know that when we leave our homes, we lock the door, we close the windows. If we drive, we'll lock our cars. You are careful not to leave your wallet, your handphone, your purse lying around. You know how to take care of this. If you're walking late at night, you'll be a bit more careful if it's an unsafe part of the place. Where do we get all of these instincts? We got this as we were growing up; our parents taught us. But when it comes to cyber, we don't have these instincts. Our parents didn't teach us anything. If anything, we're teaching our parents what to do to be safe in cyberspace. So, as it were, we haven't had a chance to hone these instincts of what needs to be done, what is natural, how do we be more cautious. We're using digital devices, but we haven't got those instincts yet. I'm not a digital native. I speak the language. Perhaps I speak the language with an accent. My children are digital natives. They will grow up having much more instincts of what is safe, what is natural, and how to look out for signs where perhaps things don't add up. So because we don't have these instincts, we need to build them up. We need to train our employees. We need to train ourselves, when we are on e-commerce sites, how to be more careful, how to watch for signs of phishing, how to look for telltale signs that this perhaps may not be a legitimate website or this is asking for things which you shouldn't be putting out on the net.

How would a typical cyber attack take place?

It typically begins with a phishing email, so, that's still the vast majority of the start of cyber attacks. So they send out emails that entice the employee or the individual to click on it. Sometimes it could be a free offer. Sometimes it could be a warning: your bank account is not working, you need to click on this in order to reactivate it. So it preys on human psychology, our greed or our fears, and then entices you to then click on this. When your guard is let down, then you do this and then you make a mistake. Even when that happens, one shouldn't panic. It doesn't happen instantaneously. It may result in the attacker gaining access to your device, but even then you can call the bank, you can call the company involved, the credit card company, to then cease operations. Increasingly, that is something that we've been educating the public to do. But then if you're not aware that this has happened, then in the company, for example, an employee makes a mistake. What then happens? The attacker comes in, he then gains access to one computer. That's not good enough, because yes, you've taken over one computer, but actually his goal is to take over the entire company's network. So he actually needs to employ some sophisticated technical means to then gain access to the one computer and then from there move sideways into the network. So if the company has a well-designed system, if the company has well-designed security, then he can detect the adversary in his networks.

The conceptual equivalent: an employee left the door open, someone comes into your office. Then the next question is, can he wander around your entire office at will? Can he walk into the CEO's office and steal the money that's in the safe? So the question that I would ask SME leaders is: are your digital assets kept in the safe, just like your physical assets are kept? Have you identified what are your digital crown jewels? In the physical world, we know what's important. We keep it in the safe. Is your office all open for anyone to walk in? Probably not. Probably they can walk into the reception area, but then if they want to come to the senior management, there's someone to check. There's another layer of doors, etcetera. And the most valuable things are kept in the safe.

The kind of thinking, the kind of instinct, the kind of layout that we have for physical security should be implemented in the digital space.

Ransomware evolved out of phishing attacks. What do you think will be the next big cyber threat out there?

Speaker 2

All those threats are still around. We still see viruses, we still see worms, we still see phishing. Ransomware is just the very final payload. Now, in the past it was more about defacement or notoriety, and there was some monetization of hosts. So if you got infected by a botnet, for example, you could then get resold, and get those hosts resold to send spam that might sell, you know, Viagra, or fake Viagra in this case. Right.

But I think some of the scams that are coming up are related to some of the newer technologies that we're seeing, things like deepfakes. So according to the FBI, business email compromise, or also known as CEO fraud, where basically you're tricking somebody into sending money to your account instead of your distributor's account, that is one of the bigger crimes out there. Far dwarfs, in terms of just monetary value, far dwarfs ransomware. And that crime works by impersonating somebody. And so when we've got these deepfakes now that are getting so convincing, both the voice models, where somebody is calling you over the phone, or even the video models, it's going to really impact that side of the crime as well. So we're talking about really high-tech, cutting-edge technology that is going to supercharge an already very big, big crime.

In addition to things like business email compromise, we're seeing a lot more crypto scams now that are involving personalities that are being created by hand by people. So they are creating fake Instagram accounts and all sorts of different fake personalities. Now with deepfakes you don't have to actually hand-create them. You can let the machines create the personalities for you. And as the technology matures and gets better, we kind of envision a world where these technologies will be able to interface with you, hold basic conversations and perpetrate fraud on a scale that we've never seen before.

Speaker 1

As technology evolves, so too will the threat from cyber criminals. One major type of cyber attack that's on the rise is ransomware. Cases reported in Singapore have risen over 50%, and businesses big and small are at risk. What makes such attacks tricky to trace is that they are often cross-border, which means that solutions will also have to be transboundary. There's help available for businesses to scale up their defenses. But in addition to stronger cyber protection protocols, a mindset change is also needed. Now, that's because cybersecurity isn't just a tech issue; it's ultimately about protecting your business. Well, those are five things you need to know about protecting against ransomware attacks. My guests today: David Koh, chief executive of the Cyber Security Agency of Singapore, and John Shier, senior security advisor at Sophos. Money Mind airs every Saturday at 10:30 PM on Mediacorp CNA. You can also catch us online at cna.asia, on YouTube.

Transcript source: Provided by creator in RSS feed