Do you really want to hurt me?
Can hackers have a heart of gold? A lot of the time, "It's not personal, it's business" is what goes through the mind of those who rely on ransomware for their income. But there is also "Work smarter, not harder." That is my motto. It's also how a lot of hackers operate.
A weak cybersecurity stance is what causes hackers to target you - not your size, not your revenue. You aren't too small or too unimportant to be worth their time. If you did a covid pivot to going exclusively online, that made you an even easier target. Let's look at some examples of what hackers will do - and it's not just "you're locked out until you pay." It is also "pay, or else we publish the stolen files, with personal and confidential information in them" as extra incentive (the so-called double extortion). Fun!
Schools have been victims of ransomware attacks. During normal times, they could still hold classes in person. That changed with covid, when schools went exclusively online. By and large this was a build-the-airplane-as-we-fly-it operation for many school districts, and inherent in that process was a lack of cybersecurity. Cybersecurity needs to be sophisticated to thwart the best hackers (or at least slow them down). The need was to get a service to children, so: go online. How much thought went into securing the system? Not enough. What was the impact? Not just the inability to hold classes. Payroll systems, access to databases, the ability to produce transcripts for those applying to jobs or other degree programs - all things with broader impacts than a missed class.
Hackers attack hospitals. Often. Part of the draw is the assumption that hospitals, which are in the business of keeping people alive, will surely pay the ransom. That isn't always the case. Hospitals have gotten better about their cybersecurity posture. They have gone, and will go, back to paper documentation during the event (which later requires data entry once systems are back online). During the covid pandemic there was, so to speak, a tacit truce in the hacking community not to target hospitals and nursing homes. Some hacking groups agreed; some agreed but found wiggle room to still exercise their intended purpose (direct patient care was a no-no, but a hospital's parking system was not [and it required payment to the criminals regardless], and neither were manufacturers of medical equipment like ventilators nor drugmakers). Some didn't agree to the truce at all and ramped up their targeted attacks.
The Metropolitan Opera in New York City is a renowned non-profit cultural institution that runs on a very tight operating budget. They were greatly impacted by the pandemic (when live performances and butts in seats are your bread and butter, how do you make ends meet?). They are still trying to recover, and yet, last week, their box office and website were targeted by cybercriminals. They couldn't sell tickets to upcoming performances, which, during the holiday season, means daily sales of around $200,000. The work-around was to use Lincoln Center's website and add their own ticketing page. But since the workaround doesn't handle seat-specific inventory, they've had to sell all tickets as general admission for a set price: the best seats go to whoever shows up first. If you're an opera fan (I am, and was a season subscription holder at The Met for years), you know that a $50 ticket is a steal for orchestra seats. The problem also impacted payroll systems.
How do you feel about your cybersecurity program? Do you think hackers will pass you over out of the kindness of their hearts? Or do you think a good cybersecurity program will be the reason they pass you over?