Would you not invest in a front door lock or security system, hoping that if you were robbed, the thief would give you a good deal on your stolen property? As with security, it is not a matter of ‘if’ you need homeowner’s insurance. It is a matter of ‘when.’
Why then do so many organizations fail to invest in security, thinking that they can pay off a hacker’s ransom or predict, many times incorrectly, the ultimate cost of a breach? Though the average is just over 1.5M, a growth of 50% in just two years, the real cost depends upon the type of data compromised – i.e., the vertical, such as finance or healthcare – the extent of the breach, and the length of time the intruder has gone undetected. And, there are both direct and indirect costs, with some estimating the overall cost of a breach at over 10% of revenue. How many organizations can afford this loss?
In fact, based on a recent study by NTT, 34% of organizations would rather pay the ransom, a low of 21% in the UK to 41% in Germany. Remember that a ransom that may not actually result in recovered data, and also has the effect of delaying the correction of the root cause. Another day, another ransom request. However, the industry is heading in a positive direction, since a year earlier, an analysis published by Trend Micro found that 75% would be willing to pay.
The problem with paying the ransom is that it usually doesn’t pay off. A study by the CyberEdge Group shows that of the 39% of ransomware victims who have paid, less than half recover their data. One interesting observation is that the number of organizations who actually pay is about half when compared to those that say they will pay. When combined with those who refuse to pay in the first place, the total data loss is on the order of 27% if an organization has been hit by ransomware.
Despite these less than reassuring numbers, organizations do in fact pay, with the FBI estimating that total payments grew from $24 million in 2015 to over $1 billion in 2016, possibly due to better reporting. 2017 data is not in yet, and one must assume that not every company that pays, reports. And, the amounts are growing, with an IBM survey showing that of those who do pay, 50% pay more than $10K, and 20% more than $40K. As one analyst noted, it is much like a business having to pay protection money to the local mob. It rarely ends well!
However, with conflicting guidance even among security researchers, it is really up to the executive team at the organization to decide whether or not to pay. Panic sets in, and continuity of business or the threat of confidential data in the public domain can be the deciding factor. Still, much better not to be placed in a compromised position in the first place. But how?
A common refrain is that the organization is ‘too small’ to be subject to such-and-such breach, or that security controls are too much of a burden for employees. True, security must be usable to be effective, and a balance is required, but this balance is really about understanding the difference between being first or being first and secure. And, being too small increasingly is not an excuse if part of a larger vendor’s supply chain. There is a growing awareness of this third party risk, with contractors and temps identified in the NTT report as the weakest link by 60%, and partners / suppliers identified by 49%. There are larger issues at play as well.
The same report shows that less than half (45%) of the organizations surveyed have an incident response plan, possibly a driver for the ransoms described earlier, 41% consider all their critical data to be secure, an overestimation, and 43% believe that security is only the responsibility of IT, leading to stovepipes and lack of communications.
So, how not to fall victim?
Brian Krebs, a well-known influencer in the security space, has published three cardinal rules of online security:
- If you didn’t go looking for it, don’t install it.
- If you installed it, update it.
- If you no longer need it (or, if it’s become too big of a security risk) get rid of it.
Mapping these precepts to action:
- Point 1 relates to user training, and where required, locking down endpoints (i.e., no USB drive access).
- Point 2 addresses basic security hygiene, and calls for continuous assessment of the infrastructure, both on-prem and in the cloud. This includes continually monitoring the current state of the organization’s ‘CyberPosture’ against the required securing baseline, and immediately adjusting when drift is identified. A corollary is to ensure that if an application and associated data is installed, ensure that an automated backup plan is in place that is logically and physically separated from the primary network.
- Point 3 also mandates hygiene, eliminating services, applications, and especially data that is no longer critical. The last item – data – is what trips up many organizations. A corollary to 3 is limiting the same services, applications, and data to only those in the need – a zero-trust model.
While larger organizations can of course deploy more sophisticated forms of protection, but the above should serve as a baseline. That being said, why not avoid the bandage solution of simply “winging it” and hoping the organization isn’t targeted altogether and actually invest the time and money into curing the actual issue at hand – security. By doing so, organizations will be able to prevent and not remediate any types of ransomware attacks they might find themselves faced with and can come out on top.