“There will be a ransomware attack every 2 seconds by 2031 on either organizations or individuals up from 11 seconds in 2021,” predicts Cybersecurity Ventures.
According to Sophos’ “The State of Ransomware 2022” research, 66% of organizations were hit by ransomware in 2021, up from 37% in 2020. And, 72% of these respondents experienced an increase in volume, complexity, and impact of cyberattacks demonstrating adversaries’ capabilities and the damage they can do at scale. Perhaps, this is an indication of the growing success of the Ransomware-as-a-Service (RaaS) that requires fewer skills to deploy ransomware.
As recent as last year, the Colonial Pipeline cyberattack – an attack that jolted the corporate world – the company fell victim on May 7, 2021, and it led to a voluntary shutdown of the pipeline supplying fuel to the 45% of the East Coast in the US. It was perhaps one of the deadliest cyberattacks to date on the critical infrastructure. The cybercriminal group, Darkside ransomware, claimed responsibility for this attack.
Later, in an interview with The Wall Street Journal, Joseph Blount, CEO of Colonial Pipeline Co. expressed why he ultimately decided to pay a $4.4 million ransom to hackers who breached the company’s systems. “It was the right thing to do for the country.” He also said, “I know that’s a highly controversial decision,” he said.
In this article, we spoke to cybersecurity experts and practitioners who deal with cyber threats (including ransomware attacks) on an almost daily basis and sought their suggestions on how they respond to such lethal threats.
The Most Basic Mistakes Security Teams Still Make
Undeniably, we make mistakes. All of us do! According to a dated IBM study “2014 Cyber Security Intelligence Index”, 95 percent of all security incidents involve human error. They could be due to weak passwords, timely patching of the systems, clicking malicious links, or as mundane as sending sensitive information to unintended recipients.
Matthew Rosenquist, CISO, Eclipz.io Inc Inc firmly believes no organization can fight ransomware without having a holistic cyber hygiene approach as a first step, and of course, that includes training the employees, using a strong password policy, keeping cyber insurance policy hidden (otherwise, they would know how much money to demand in ransom), having a proper data backup strategy in place, and more.
He also stressed that Chief Information Security Officers (CISOs) should never solely depend on cyber insurance as it could lead to a lousy security program and put your organization in a bad state in the long run.
Listen to Matthew for more clarity and better insights in this 4-minute video:
The Hiscox Cyber Readiness Report indicates that 40% of the total respondents identified that business email compromise (BEC) was the second most common method adversaries leverage to get the first point of entry for cyberattacks.
On a similar note, in 2020, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) noted over 20,000 BEC complaints with adjusted losses of over $1.8 billion. From 2016 till date, the losses have been colossal (~US$ 43 billion) So, it’s important that every organization has a plan to prevent these threats from reaching users. And, such losses could only be prevented through awareness and training people.
KK Mookhey, Founder of Network Intelligence thinks lack of a proper data backup strategy could cause severe damage to an organization in the case of a ransomware attack. On the other hand, where even such a strategy does exist, backups are not regularly tested to see whether they will actually support the proper restoration, should the situation arise.
Mick Douglas, Managing Partner, InfoSec Innovations, Certified SANS Instructor has an interesting point to make. He believes security teams are struggling because they’re focused on the wrong things. Infosec teams are more indulged in low-return work such as tickets, policies, and meetings. “While they are required, it’s not what they should focus on. Instead, you need to build a continuous improvement model,” says Mick. “If you cannot do the next project better (faster, cheaper, and more accurately), you’re not getting better. It’s anti-intuitive, but there’s always more work to be done. Always. You should instead focus on getting better with the next assignment.”
Less Discussed Topics that Must be on the Top of CISOs Consideration List
A report from the Security firm Nominet indicates that 100% of CISOs surveyed find their role stressful, with 91% saying they suffer moderate or high stress. Therefore, it’s not hard to imagine how stressful a CISO’s role is and also quite daunting with lots of critical responsibilities.
Dr. Burzin P. Bharuccha, Advisor/ManagerAdvisor/Manager, Ernst & Young feels CISOs face an increasingly long list of tasks to manage – all of which relate to the effective management of your implemented controls. The success of any business operation is based on how we implement security controls for an effective and correct performance. “You need the ability to identify and evaluate controls in the business context, its standards, and regulations. With regulatory requirements evolving and third-party networks expanding, tracking and reporting on control performance is complex.”
Below is the list of top points that should be on CISOs’ consideration list while preparing for and dealing with these types of incidents:
- “Work with fellow executives and the company board to figure out the conditions in which you might have to pay the ransom. Ensure those situations do not occur. Also, have a digital wallet ready so you can put funds into it quickly if at all you may have to pay a ransom,” suggests Mick.
- “Run tabletop assessments frequently (preferably quarterly). Don’t focus on who knew the policies though. That’s a mistake we often do. Instead, concentrate on problematic handoffs, the tasks that aren’t easily shared,” adds Mick.
- “Start planning with your public relations team on how to handle the event. Keep the templates for responses/notifications ready. Caution: Do not allow lawyers to drive the entirety of messaging. Lawyer-driven communication reads like you have something to hide. Plan for messages to employees, customers, and regulators (at a minimum),” he suggests.
- “Test backup restoration many times. If everything goes well, increase restoration difficulty by doing what attackers do (e.g., destroying the backup index, testing at odd hours of the day, etc.).”
- “Develop plans for pulling key people off projects and production efforts. Have ways of providing backfill for these people if the restoration process is prolonged.”
- “Have a way of adequately rewarding those who did the prep or helped in restoration efforts,” suggests Mick.
- “Insurance is an overused crutch. It does not mitigate the risk; it only gets transferred. And, you are spending more every year. It’s not a sustainable solution in long run. You should rather build a robust security plan,” suggests Matthew Rosenquist.
- “Regulations to be enacted to forbid digital extortion payments, otherwise they will be contributing to a much bigger problem with well-resourced and motivated attackers,” feels Matthew.
- “Create awareness and educate your employees and stakeholders about cybersecurity. It’s the most cost-effective solution out there,” he says. Watch this 7-minute video where Matthew talks about his suggestions in greater detail:
10. According to K K Mookhey nothing can beat or replace a proper incident response plan. That said, it must address key queries like:
- Who will communicate with the media and what level of information will be shared through various communication channels?
- Will law enforcement be informed and involved?
- Is there a willingness to pay the ransom? If yes, how, since mostly it has to be paid in cryptocurrency.
- Who will we involve to carry out the forensic investigation?
Despite all this, let’s accept that ransomware threats, as they exist today, seem like an unstoppable fury. As said, humans are the weakest link in the chain. So why not tackle that first and develop a continuous, holistic approach to educate employees and other stakeholders? Many progressive and aware orgs run such programs very effectively. The question is whether these programs are delivered with the right mindset and seriousness because a single human error can put the entire organization at risk and your whole effort will become worthless.
Organizations require a structured, well-tested cyber incident response plan that can not only save the company heartache and financial losses but also serve to save and even enhance its reputation amongst key stakeholders.