It is fair to say that ransomware is the face of cyber crime today. Not only has the threat been catapulted to the top of every boardroom agenda; just recently the CEO of the NCSC labelled ransomware the biggest cyber threat facing the UK today.
In the last 12 months, ransomware has increased by 62% on the previous year, with 304 million ransomware hits worldwide. In 2020, 48% of UK organisations reported being a victim of ransomware, with the demand from attackers doubling on average to £160,000. One of the key reasons for this sudden increase in ransomware attacks is the pandemic: as more companies have been forced to operate remotely, more malicious links have been clicked and more businesses have been hit.
In 2021, it is estimated that ransomware could cost businesses $20 billion worldwide, with sophisticated attackers becoming more prevalent because of the rise in Ransomware-as-a-Service (RaaS) platforms. RaaS has opened up a world of new opportunities for ransomware scammers, as it has provided an avenue for amateur hackers to launch attacks for as little as £70, while inflicting millions of pounds of damage. RaaS tools work to make the top-ranking criminals of cyber gangs richer, as they take a commission or royalty from every attack launched using their ransomware — it is the same scalable model every software company strives for.
As a result of this huge increase in attacks, in which organisations of all security maturities are being hit, often as the result of perfectly rational human actions rather than a technology failure, we need to stop seeing these attacks as a cyber security failure: it can and does happen to anyone.
Instead, executives must work to prepare their organisation for these attacks, so they know exactly how to react when they inevitably get hit. This involves developing a ransomware security strategy that not only covers how an organisation will prevent attacks, but how it will minimise the damage and recover from one as well.
Ransomware security strategy: key components
If we have learned anything from the Covid pandemic, it is that planning is fundamental to the successful outcome of an inevitable crisis. The last thing anyone wants in the midst of an emergency is to have to research and evaluate options, constantly assessing the likely impact of various decisions. As with Covid, how well you fare under a ransomware attack ultimately comes down to preparedness.
The core components of a ransomware preparedness strategy include:
1. User awareness training: how to support staff to recognise and avoid ransomware attacks – but specifically not to expect employees to be the main line of defence. While upskilling your workforce can certainly reduce the risk of ransomware infiltrating your network, it is never going to be 100% effective. Humans are conditioned to click on links and visit websites they are unfamiliar with every day at work. That won’t change, so it needs to be acknowledged. Instead, organisations should devise employee training that is simple to understand and gets employees involved in, and invested in, protecting the business they work for.
2. No blame, no shame: adopt a “no-blame” approach so that employees feel empowered to raise concerns about suspicious emails and links without fear of being made to feel they are overly cautious or alarmist, and so that they will also flag up anything they later realise they perhaps shouldn’t have done.
3. Get management buy-in: discuss at the management/board level what an enterprise approach to a ransomware attack will be. Which information, systems and data are business critical? Under what circumstances would the enterprise pay a ransom? Who has the authority and responsibility to make that decision? What are the criteria for making that decision? What would happen to the organisation if certain data was encrypted and never retrieved?
4. Back up, back up, back up: implement a sensible backup strategy. There is no point doing backups of critical data on the same machine as the original version; make sure your backups are independent so that in the event of encryption, you have a safe copy stored elsewhere. It is also important to work out what data needs to be backed up in real time, and what can be done every 24 hours, for example. The most sensitive data should be backed up the most frequently.
5. Identify the most critical areas of the network: identify critical data and adopt processes to control how it is managed, how it is accessed and put tighter security controls around it. Once that critical data is identified, what technical resources are in place to specifically address a ransomware attack? For instance, do you have an email solution deployed which will detect when links and attachments are potentially malicious? Do you have tools to automatically apply patches to vulnerabilities that could be exploited? These are considerations security teams must address when developing their security strategy, as only then will they fully understand how well protected their data is and what they stand to lose when they come under attack.
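The backup rules in point 4 (a copy on the same machine does not count, the most sensitive data is backed up most often, and a safe copy must exist that an attacker who has encrypted the primary cannot reach) can be checked mechanically against a backup inventory. The script below is an added example, not tooling from the article or any vendor; the inventory, host names, sensitivity tiers and the recovery point objective (RPO) per tier are all constructed assumptions, and the "immutable" flag stands for any write-once or offline copy.

```python
"""Backup-readiness audit: added example, not the article's own tooling.

Each dataset in the (constructed) inventory carries a sensitivity tier and a
list of backup copies.  The audit encodes three rules from the article:
  1. a copy on the same host as the original is not an independent backup;
  2. at least one independent copy must be immutable/offline so that an
     attacker who encrypts the primary network cannot also encrypt it;
  3. the newest independent copy must be within the tier's RPO, so that the
     most sensitive data is the most frequently backed up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Copy:
    host: str             # host or vault holding the backup copy
    taken_at: datetime    # completion time of the backup run
    immutable: bool       # write-once / offline copy malware cannot overwrite


@dataclass
class Dataset:
    name: str
    primary_host: str     # where the live data lives
    tier: str             # "critical", "important" or "routine"
    copies: list = field(default_factory=list)


# Assumed RPO per tier (how much data loss is tolerable); critical is tightest.
TIER_RPO = {
    "critical": timedelta(minutes=15),
    "important": timedelta(hours=4),
    "routine": timedelta(hours=24),
}


def check_dataset(ds: Dataset, now: datetime) -> list:
    """Return a list of human-readable findings; an empty list means 'ready'."""
    findings = []
    # Rule 1: drop copies that sit on the primary host; they die with it.
    independent = [c for c in ds.copies if c.host != ds.primary_host]
    if not independent:
        findings.append(f"{ds.name}: no backup copy independent of {ds.primary_host}")
        return findings
    # Rule 2: at least one independent copy must be beyond the attacker's reach.
    if not any(c.immutable for c in independent):
        findings.append(f"{ds.name}: no immutable/offline copy; encryption could reach every backup")
    # Rule 3: the freshest independent copy must satisfy the tier's RPO.
    newest = max(independent, key=lambda c: c.taken_at)
    age = now - newest.taken_at
    rpo = TIER_RPO[ds.tier]
    if age > rpo:
        findings.append(f"{ds.name}: newest independent copy is {age} old, exceeds {ds.tier} RPO of {rpo}")
    return findings


def audit(inventory, now=None) -> dict:
    """Map each dataset name to its findings."""
    now = now or datetime.now(timezone.utc)
    return {ds.name: check_dataset(ds, now) for ds in inventory}


# Constructed sample inventory; a fixed 'now' keeps the result reproducible.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Dataset("customer-db", "db01", "critical", [
        Copy("db01", NOW - timedelta(minutes=5), False),           # same host: ignored
        Copy("vault-offline", NOW - timedelta(minutes=10), True),  # good: offline, fresh
    ]),
    Dataset("hr-records", "files02", "important", [
        Copy("nas01", NOW - timedelta(hours=1), False),            # reachable from the LAN
    ]),
    Dataset("marketing-assets", "files03", "routine", [
        Copy("files03", NOW - timedelta(hours=2), False),          # only copy is on the primary
    ]),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, NOW).items():
        print(f"[{'OK' if not issues else 'ACTION'}] {name}")
        for issue in issues:
            print("   -", issue)
```

Run stand-alone it reports customer-db as ready, hr-records as lacking an offline copy, and marketing-assets as having no independent backup at all. In practice the inventory would be fed from the backup system's job logs rather than typed in, and the audit run on a schedule so that a silently failing backup job surfaces before, not after, an incident.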
The pandemic has provided the perfect opportunity for ransomware to thrive, and the popularity in RaaS has turned the attack method into a scalable and lucrative criminal industry. Today, no company is immune to ransomware, so the best protection is to be prepared.