Synthetic Data: The New Frontier in Cyber Extortion

Martin Kraemer

Organizations are increasingly facing cyber attacks resulting in data breaches, and part of their post-incident responsibilities includes adhering to mandatory reporting requirements.

Notably, the infamous BlackCat ransomware group has been exploiting these requirements for their benefit. They apply pressure on victims by threatening to inform the Securities and Exchange Commission (SEC) about the company's supposed failure to report significant data breaches. The validity of the breach claim becomes inconsequential in the face of such extortion tactics, as the mere suggestion of regulatory non-compliance can be damaging enough.

Cybercriminals are using new tools like deepfakes and voice-fakes to their advantage, exploiting even the small gaps in knowledge and awareness amongst their targets. Advancements in artificial intelligence are escalating the difficulty in distinguishing between authentic and manipulated information. Deepfakes and voice-fakes are becoming so convincing that they can easily mislead the public, complicating the fight against the spread of misinformation and disinformation.

Ransomware groups are evolving their methodologies, moving away from encrypting data to simply threatening to leak stolen data on the dark web. This shift emphasizes the significance of the data breach itself over the disruption of operations. Some groups are even contemplating fabricating data breaches altogether. While claiming false breaches is not new, profiting from such deception is a relatively untapped strategy.

A case involving Europcar illustrates this emerging threat. A data set was published by an individual claiming to have hacked the car rental company, but Europcar was quick to refute the claim, stating that the data did not match their records. Despite the inaccuracy, such synthetic data sets can still cause harm by appearing credible, forcing organizations to invest resources in unnecessary investigations and dealing with potential reputational damage.

This situation underscores the need for organizations to prioritize their ability to manage what has become more of a public relations challenge than a technical one. Public disinformation and compliance with reporting obligations require a joint effort between public relations (PR) departments and cybersecurity teams. Organizations must therefore cultivate security awareness not only internally but also among their customers and other stakeholders. In response to these emerging threats, it's essential that PR experts and security professionals combine their expertise to present a unified front.
