Addressing ransomware has never been more of a top priority for senior IT leaders than it is today. Ransomware can be devastating to both individuals and organizations, and many organizations have been put in a position to pay millions of dollars to recover their data and deal with the implications from both a security and brand perception angle. Earlier this quarter we saw a global retail company focused on GPS wearables fall victim to an attack, and it was reported that they paid upwards of $10 million in ransom. With increased public attention, and bad actors seeing greater pay-days, businesses and governments of all sizes have to focus on combating the rise of ransomware.
To dive deeper into ransomware, ActZero worked with Vation Ventures to bring together a group of over thirty senior IT executives across retail, entertainment, hospitality, healthcare, financial services, and local government. Led by a CISO at a global retail company, the group discussed the challenges they’re facing in combating ransomware and the trends they’re seeing. Here are the four themes that resonated most with them:
1. The Publicity Around Ransomware Has Changed the Conversation
Security has always been a critical concern for IT leaders, but it wasn’t always top of mind for the business. Now that ransomware is hitting name-brand companies and business stakeholders can see the (sometimes irreparable) monetary and brand perception damage, the conversation has changed. One executive pointed out that rather than the IT team always approaching the business with security concerns, business executives were now coming to them, referencing current events and asking whether their organization was safe. This shift in dynamic opens the door for IT leaders to have candid conversations with the rest of the business about security and to build a more resilient organization; a stark contrast to the past, when issues were downplayed.
2. Attack Models Have Shifted
Executives also recognized that both the attack models and the economics incentivizing hackers have changed (check out my colleague’s webinar recording on Ransomware-as-a-Service). One attendee made the point that ransomware is simply classic extortion evolved for the digital medium. The consequence is often less about locked-up data and more about the reputational threat. There’s the classic saying about trust taking a lifetime to build and a day to crumble; that’s especially true when a company’s reputation rests on the security of its customers’ data, as with medical records in the healthcare industry. Another leader on the call brought up how access to ransomware deployment has increased exponentially, with bad actors turning it into Ransomware-as-a-Service (RaaS). We discuss this concept in greater detail in our white paper on The Rise of RaaS.
3. Taking a Deeper Look into Insurance
An IT leader at the session brought up an important point about how some organizations justify being lackadaisical about security because they have insurance to financially protect the business. The consensus was that although insurance is an important part of offsetting the financial cost of cybersecurity disruptions to the business, effort is required to ensure a claim is eligible. Damaged reputation aside, one issue organizations run into is that their insurance claims don’t pay out when a state actor perpetrates the attack, as this can conflict with the terms and conditions of their policy (such as clauses around war). Additionally, organizations must take steps to ensure they are meeting their own obligations with respect to defending their perimeter, as failure to do so could be considered negligent and impact their ability to make a claim. Given the complexities of today’s global security environment, organizations must take the time to comb through the T&Cs with their legal departments and work with their insurers and security partners to make certain they are covered.
4. Changing Communication and Incentives for Cybersecurity
Participants in the roundtable found that end user awareness and engagement were still a challenge, perhaps not surprisingly. They agreed that education around phishing and other cybersecurity threats is table stakes today. The most interesting part was the discussion of how IT leaders choose to communicate that educational process and reward employees for adhering to it. One CISO on the call mentioned that he personally makes it a point to find and reward employees who forward suspicious-looking emails to the IT department, offering them a gift card or other perk as a thank you. Taking the time as an IT executive to lead with support and rewards for good behavior and open communication goes much further in an organization than a policy led by fear.
In sum, IS, IT and business leadership stakeholders have taken notice of the profound threat represented by ransomware. Competition in this lucrative market has made ransomware affordable and ubiquitous, and for decades, ransomware attacks around the globe have grown in sophistication. As bad actors have reaped the profits of these crimes, they have grown more organized and competitive, operating in some ways like legitimate businesses, or “criminal enterprises,” offering a “service.” At the same time, they have also become more extortionate in their threats and demands to victims, and there is strong reason to believe there will be further escalation in the medium to long term for organizations of all sizes.
This roundtable of IT and IS stakeholders from mid-sized enterprises yielded four areas of focus when it comes to their security. I hope that the direction they provide, and the supporting resources ActZero offers, can help you examine your own cybersecurity strategies and further reduce the risk and impact of a breach in your organization.
With that risk in mind, ActZero believes organizations must shift away from simple prevention tools and toward detection and response. Proactive measures like hygiene and remediation are necessary for effective security now, given the long dwell times and long-cycle attacks conducted by hackers. AI-enabled MDR, guided by expert human threat hunters, provides the strongest defense for organizations looking to combat this growing threat. Learn more about our offering here.