ESET Chief Cyber Threat Officer Tony Anscombe joins Yahoo Finance Live to discuss for cybersecurity threats in 2022 and what to look out for.
- Welcome back to Yahoo Finance. Well, this year saw an unprecedented number of cyberattacks in the US, but our next guest says there's still more to come. Here to tell us what to expect and how businesses and individuals should prepare themselves is Tony Anscombe, ESET chief cyber threat officer. Tony, thanks so much for joining us today. I want to start off with a fascinating statistic. Ransomware attacks obviously hit hard in the US this year, and one of the biggest culprits, you say, was [? Revel. ?] How much did they-- how much did they make away with?
TONY ANSCOMBE: Well, you have to understand that ransomware is a business as a service. So when one of these gangs, say they made $2 to $500 million-- and I think the number they put on it was around $500 million-- that means the actual payments from corporations and organizations paying the ransom was probably nearer a billion dollars, or even more, because you have a reseller channel and then the service provider. So this is a split revenue stream.
- And Tony, I want to get your take on a particular cyber threat that's attacking Apache servers. It's been called-- and I have a quote here from a former Obama official-- this is one of the worst vulnerabilities in the history of vulnerabilities. It's called Log4j.
And it popped up on my radar only because we had a guest who was saying virtually the same thing, that this is unprecedented in scope. It has such widespread deployment right now, it's going to take small businesses and large businesses thousands and thousands of person hours in order to correct. This seems like a perfect candidate for ransomware. I'm just wondering what your threat level assessment of it is.
TONY ANSCOMBE: Well, this was definitely a critical issue because this is a small piece of code that's open source code. So it's freely usable and freely available code that then other companies have used in their products or services. So then you see this one small piece of code that has a vulnerability in it affecting thousands of products or services that other companies may use.
And in fact, in a lot of instances, companies may not even realize that they have this piece of code in use in their organization because it's not a product of its own nature. So companies have had to scan all their services and their software to actually find out if this software is in use within their organization. And that takes time, and it takes a long time then to go through each individual piece of software to mitigate the issue, ie patch it or turn it off or find other ways around securing it.
- And Tony, what are some of the biggest threats that have been posed right now, especially during the holidays, for business and individuals, as well, that they need to be aware of?
TONY ANSCOMBE: Well actually, that was probably one of the biggest ones over the holidays, because that happened just before the holidays broke. So that's a huge issue. But if we look forward going into the 2022, you know, I suspect we're going to see lots more regulation. And while that's not specifically the threat, I think it means cyber criminals will adapt.
You know, they won't want to actually see their revenue stream disappear, so they're going to adapt their attacks and go in other directions. And actually, that causes businesses then to look at other places in their networks and their systems of how they need to protect them. And it's an unknown of where cybercriminals might go next.
- And could you expand on some of the regulation that you expect coming down the pike, specifically the Securities and Exchange Commission? We have Gary Gensler as a chair there. He's been pretty heavy-handed in certain areas, like crypto regulation. I'm just wondering what you expect on the cybersecurity front.
TONY ANSCOMBE: Well, you've already got some regulation in there. So the SEC already requires material cybersecurity incidents to be reported. But you've also got going through legislation, you've got the Ransomware Reporting or Disclosure Act. You've already got other-- the FDIC made a statement in December of increased reporting requirements for financial institutions. So you've got lots of legislation coming down.
The legislation at the moment is about disclosure. Say the burglar has already left the house, and you have to disclose it to somebody. I suspect in 2022, you're going to see that move somehow that the regulation or the disclosure might have to be during the incident, so that, in effect, you're calling the police while the burglar is in the building, as opposed to once he's left the building. And I suspect that will put a lot more emphasis on cybersecurity for a lot of companies because, you know, reputation damage of a cyber incident is incredibly hard to recover from.