There was an Important Lesson Learned in the LockBit Takedown and it was Not About Threat Groups

In what could be called a fantastic move, global law enforcement agencies attacked and took down LockBit’s infrastructure. The day of the event was filled with much celebration on X (Twitter), LinkedIn, Facebook and elsewhere. The memes flowed freely and even the usual naysayers could not dampen the enthusiasm over this significant event, especially since it all appears to have come down to an unpatched vulnerability in PHP 8.x.

However, in the midst of the screenshots from law enforcement to affiliates, and the comments on how much better LockBit’s customer support and incident notification were than those of most legitimate businesses, there was a piece that was perhaps overlooked. Law enforcement discovered data from companies that had paid the ransom which had not been deleted. What’s this, you say? Gasp!! (lots of pearl clutching) … criminals are not honest and might lie about something? Well, really, if you think that they don’t lie all the time, you are only fooling yourself. However, that is not why this small detail was important, although that was a large part of the conversation.

You see, oh intrepid seekers of truth on the internet, I am talking about the known, yet often unacknowledged, fact that some companies will pay a ransom and then never report the incident. This is why that list of victims is so much more important than it may at first seem. I am certain that when that bit of data hit the news, there were many executives and C-suite members who experienced a good deal of the pucker effect. They now know that there is evidence out there, in the hands of law enforcement, showing that they are in violation of multiple regulations. They also know that while they might not be fined or face consequences from regulators for the failure to report, they could be in a rather actionable position were this data to become publicly available.

Imagine the lawsuits that could begin. That litigation, combined with public pressure, might then push regulatory bodies (especially the SEC and NYDFS) to decide that something must be done. The financial consequences of that “oversight” could be massive, and cyber insurance might not want to touch it with a 10-foot pole.
The potential negative financial impact sure does make that cybersecurity spending look different now, doesn’t it? Oh, you clever bean counters, you thought that not spending a small amount on preventative measures would never come back to haunt you, didn’t you? Just like all of those LinkedIn influencers who claim a CISO should only be focused on acceptable risk and business outcomes. How do those lines of logic look now? I bet they do not look so airtight anymore, do they?

Long story short (I know, too late), the age-old adage that an ounce of prevention is worth a pound of cure is absolutely correct. You cannot sweep things under the rug, as someone will eventually lift that rug and see the mess you have tried to hide. As a vCISO, vCTO, and even when working “in-house”, I saw these things fail time and time again, and the cost to fix things after the fact was exponentially more than just getting the right tool or hiring the right staff.

So how about we all agree to stop treating IT operations and cybersecurity as a P&L exercise and do the right things to ensure consumer and corporate data is protected? I think it will save a whole lot of time and... a whole lot of money.
