Olly Jones, Senior Cyber Security Consultant
Not a month goes by that we don’t see that another organisation has suffered a ransomware attack. In fact, in the last month we’ve even seen global car manufacturer Honda become a victim, along with several lesser-publicised organisations, including the city of Florence, Alabama in the US.
A recent global study done by Veritas Technologies found that 40% of consumers hold business leaders personally responsible for ransomware attacks. Why? Ransomware attacks (and, in turn, cyber security) are being covered more and more by mainstream media and there have been so many high-profile attacks, it’s hard to ignore. Just look at Travelex over the 2019/2020 new year period. This type of coverage may be one reason why consumers are apparently becoming less forgiving of businesses who do not take the risk seriously.
The Veritas Technology survey found—leaving aside a minority (9%) of the 12,000 respondents who would want to send the CEO to jail—65% would want compensation and 44% indicated that they would stop buying from a company that had been the victim of such a crime.
To pay or not to pay?
So, what should companies do in the wake of a ransom demand? The opinion from most cyber security experts and law enforcement agencies is that paying up:
- Encourages criminals to pursue more ransomware attacks.
- Doesn’t necessarily ensure that your data will be returned, or that your system won’t be left vulnerable to future repeat attacks.
- Risks identifying you as a “known payer” who will be attractive to repeat attacks.
Despite this, it appears that many victims decide there is less of a financial burden by paying their attackers to retrieve data, rather than attempting to recover. The 2020 Hiscox Cyber Readiness Report found that of the total respondents that had experienced a ransomware attack, 16% paid a ransom—with combined losses adding up to $381 million. Luckily, the rest of the organisations had backups that meant they could rebuild without resorting to paying a ransom.
Meanwhile, the Veritas Technologies study found that 71% of the respondents wanted companies to make a stand and refuse to pay a ransom. That position changed however when their own personal data was at risk—55% then wished their suppliers to actually pay.
Who are ransomware targets?
It’s not just commercial organisations, like Honda and Travelex, who face this tough decision in the event of a ransomware attack. In the US in particular, a number of cities and municipalities have been targeted in recent months and, although a resolution was passed by the United States Conference of Mayors (USCM) just last year which agreed to ‘stand united against paying ransoms in the event of an IT security breach’, the number of ransom payments being made suggests that many cities are choosing to ignore it. The Hiscox Report showed that of US organisations that fell victim to a ransomware attack, 18% paid their attackers (higher than the global average). Just last week, the city of Florence in northern Alabama agreed to pay US $300,000 worth of Bitcoin to hackers who had compromised and encrypted its computer systems.
Managing the risk of ransomware
The most effective way for organisations and senior leaders to avoid this dilemma altogether is prevention. This is not new advice and you’ll likely have heard all of this before; but there’s a reason for that. It works.
- A majority of cyber attacks (around 90%) begin with a successful phishing campaign, so it is important to ensure workforces are educated on the threat and the importance of good cyber and password hygiene. Read more about password hygiene here.
- Backing up of the organisation’s most sensitive and crucial data should be embedded in business processes i.e. done regularly and robustly maintained. In the event of an attack, your information assets won’t be lost or compromised.
- IT teams should ensure that systems are regularly patched with the latest security updates—this makes it less likely that threat actors can access your networks using well-known vulnerabilities.
- Ensure appropriate filtering on email and internet use is set up to limit the likelihood of end users (your workforce) accessing malicious files or websites.
- Correctly configured access management should be part of ongoing security operations. Do staff only have access to what they need? An attacker only needs to gain access to a network via the marketing assistant who has access to everything on the network and they can spread out and find the information they need.
- Understand your supply chain. While your cyber security might be good, cyber criminals will take advantage of suppliers with a weaker cyber security posture. Read more about supply chains here.
PGI’s team of information and cyber experts provide a range of training, information security and technical security services to help you manage the risk of ransomware. Contact us to talk about how we can help: firstname.lastname@example.org or +44 (0)845 600 4403.