By Pragati Verma, Contributing Editor, Straight Talk
Cybercriminals seem to be stepping up their attacks — from stealing data to disrupting operations. Recent attacks have taken down operations at several companies, including Colonial Pipeline, the largest pipeline system for refined oil products in the US. JBS, one of the world’s largest beef producers, has faced attacks. The hacks are big enough for FBI director Christopher Wray to compare them to the 9/11 attacks and for the White House to urge American businesses to build defensive infrastructure.
And the fastest growing part of the rising cybercrime wave is ransomware — a type of malicious computer code that locks up a victim’s network files and demands a ransom to return the data. In fact, cyberattacks using ransomware appeared in one out of every 10 breaches last year, more than doubling their frequency from the previous year, according to the Verizon 2021 Data Breach Investigations Report, which analyzed 5,258 breaches from 83 contributors around the globe.
It’s About Disruption
These attacks come at a huge cost. About 35 percent of businesses that paid a ransom demand shelled out between $350,000 and $1.4 million, while 7 percent paid ransoms exceeding $1.4 million, according to Cybereason’s survey of 1,263 cybersecurity professionals in several industries in the US, UK, Spain, Germany, France, UAE, and Singapore. Cybereason found that the total costs were even higher because ransomware attacks often caused massive business disruptions. The firm points out that about a third of the organizations facing a ransomware attack saw a significant loss of revenue and about a quarter were forced to close their business for some period.
And these shutdowns seem to be the reason that hackers are targeting critical infrastructure providers. Forrester analysts Allie Mellen and Steve Turner explain why in a blog post. “Critical infrastructure providers are being targeted by ransomware actors because, when hit with ransomware, they need to choose between indefinite suspension of critical business processes or paying the ransom,” the analysts write. “Shutting down a crucial resource for an indeterminate amount of time is simply not a sustainable option for a business, and it backs affected providers into a corner, where their only option is to pay up.”
To Pay or Not to Pay
For any company faced with a ransomware attack, the immediate question is whether to pay the ransom. While the risks of not paying are obvious, paying the hackers might not guarantee a successful recovery or reduce chances of getting hit again. Eighty percent of the businesses that chose to pay a ransom demand suffered a second ransomware attack, often at the hands of the same threat actor group, according to Cybereason.
According to Paul Proctor, VP and Distinguished Analyst at Gartner, dealing with ransomware after the attack might be too late. In a blog post, he advises organizations to treat ransomware as a business decision. “Here’s the trick. You need to be acting NOW… before you get hit with ransomware,” he writes. “Security and risk people need to be working with executives right now to ensure that they are making the business decisions necessary to prepare them for ransomware. Treating ransomware as a business decision means you can CHOOSE not to invest, which is a legitimate business decision.”
He argues that this approach will create visibility across the business, so there will be no surprises if the organization is hit. He breaks the process down into four business decisions. The first is to prioritize the business outcomes and processes that should have a full restore test. “You know when the first time most organizations test restore? After they’ve been hit by ransomware. And that is the single biggest factor in whether it devastates the organization or takes a couple of hours to clean up,” he writes. Second, he recommends looking at average phishing click-through rates across the different populations of employees supporting different business outcomes.
Third, he suggests thinking about how to prioritize the business outcomes and processes that should be able to function through a ransomware attack: “Take the time to understand what will grind to a halt if the computers go away and either invest in alternate procedures or make darn sure you run a restore test and invest in confidence that you will be able to bring it back.” Fourth, check how long it will take to patch the systems supporting critical business outcomes and processes. “If we patch faster, our systems are available for exploitation for less time. If we patch slower, our systems are available for exploitation for more time,” he writes, while noting that patching fast will cost more because it needs more people and more resources.
Protecting Your Business
As ransomware attacks surge, IDC recommends building a system where the data will be defended and recoverable. Phil Goodwin, Research Director, Infrastructure Systems, Platforms and Technologies Group at IDC, says in a research report, "The consequences of ransomware can include lost revenue, lost productivity, damaged company reputation, and permanent loss of customers. To defeat ransomware, IT organizations need to architect a system that assures data recovery without paying a ransom. Such a system should include encryption, immutability, air gap, a 3-2-1-1 backup strategy, and the ability to scan backups for malware."
In a blog post, the Forrester analysts Mellen and Turner provide best practices that businesses can follow to reduce the risk of a ransomware attack, counter it, and limit its impact on the business:
- Enforce strong passwords.
- Check your backups and make sure that they restore successfully.
- Implement multifactor authentication that’s easy to use and is ubiquitous, to avoid stolen log-ins and credentials being used to siphon data and infect your organization.
- Secure privileged accounts that have permission to access critical applications.
- Update and test your incident response plan.
- Ensure that your endpoint protection and security policies on your endpoints are up to date and enforced and that the protection is turned on and working.
- Make sure that your devices are being patched regularly.
- Block uncommon attachment types at your email gateways.
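The restore test that Proctor calls the single biggest factor, and that the Forrester list repeats as "make sure that they restore successfully", can be automated rather than left until after an incident. The following is an added Python example, not code from the article or from Gartner, Forrester or IDC: it backs up a directory into a tar archive with a SHA-256 manifest, restores that archive into a scratch directory, and reports which files came back missing or corrupted. The archive and file names are constructed for the example.

```python
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    # Manifest lives beside the archive, e.g. backup.tar.gz.manifest.json
    return Path(str(archive) + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Write source into a gzip tar archive and record its manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(archive: Path) -> dict:
    """Restore into a throwaway directory (never the production path) and
    compare every restored file against the manifest taken at backup time."""
    expected = json.loads(manifest_path(archive).read_text())
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        actual = build_manifest(scratch)
        missing = sorted(p for p in expected if p not in actual)
        corrupted = sorted(p for p in expected
                           if p in actual and actual[p] != expected[p])
        return {"verified": len(expected) - len(missing) - len(corrupted),
                "missing": missing, "corrupted": corrupted,
                "ok": not missing and not corrupted}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
```

Run `restore_test` on a schedule against the real backup archive and treat a result with `"ok": False` as an incident in its own right, since that is exactly the surprise Proctor warns about discovering only after an attack.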
The bottom line, according to Gartner’s Proctor: Treat cybersecurity as a business decision and create cybersecurity priorities and investments based on levels of protection and readiness in a business context. “Most organizations treat cybersecurity like magic and security people like wizards,” he says. “We give the wizards some money, they cast spells, and the organization is protected. If we get hacked, then the wizards made a mistake.”
Pragati Verma is a writer and editor focusing on new and emerging technologies. She has been a business journalist and managed technology sections at India’s The Economic Times and The Financial Express.