CTO at Cohesity: Is the clock ticking on ransomware payouts?

Using insurance policies and relying on ransomware payouts can lead to a false sense of security, writes Mark Molyneux, EMEA CTO, Cohesity.

Without getting too controversial, it’s time organisations took a closer look at what they are buying when it comes to security products and services.

Ransomware payouts on the rise

With rising ransomware attacks and more firms than ever paying out ransoms, as our research highlights, you have to question the efficacy of many cyber-resilience strategies and what some organisations are actually buying from suppliers.

It reminds me of a line in the hit TV drama Succession: “I give the customer what he wants. I don’t think it’s my place to offer dietary advice. If they want red meat and boiling tar… then buon appetito.”

The point is, if cyber-resiliency strategies are built around insurance and an acceptance that if the business gets hit then it will make the ransom payment, it is just perpetuating the cyber-theft problem.

It doesn’t actually solve anything.

What it does do is build up a false sense of security within your business that ‘the insurance’ will cover things, rather than relying on a fully tested cyber-resilience strategy.

You may find that support for developing what will undoubtedly be an extensive strategy, and for the regular testing that goes with it, wanes as a result.

Back that up with the recent position from a RUSI study, stating “[…] that there is, in fact, no compelling evidence that victims with cyber-insurance are much more likely to pay ransoms than those without.”

As the UK’s National Cyber Security Centre (NCSC) points out, if organisations pay ransoms there is no guarantee that they will get access to data or systems, while it is highly likely computers will remain infected and the organisation will be targeted again in the future.

We also know from many well-documented cases where the ransom was paid that the keys provided afterwards came with no structure at all, creating problematic and often out-of-sync recoveries and prolonging business recovery.

Of course, there is the additional issue of giving money to criminal gangs.

In February this year, the UK government’s Office of Financial Sanctions Implementation (OFSI) issued new guidance on ransomware and financial sanctions, reminding businesses that paying ransoms to certain organisations is “a serious criminal offence.”  

Legislation around paying ransoms is only expected to get more stringent, so the very idea of it being an accepted mitigation of threats is ludicrous.

If anything, it is leading to organisations believing they are covered when it comes to ransomware attacks – and that is a huge concern.

You could be faced with paying for insurance which you use to pay a ransom, then paying a heavy fine from the regulator for breaching sanctions, plus a fine for missing industry SLAs, fines for the breach and for data loss, the cost of recovery including third-party assistance, the cost of downstream client impacts, and so on.

Cyber-insurance only covers elements of this.

Corporate confidence

As we found out in our recent research, there is a confidence among IT and security leaders that they are well-equipped to cope with an attack.

When asked how confident they feel about recovering data and critical business processes in the event of a system-wide cyber-attack, an overwhelming 93.5% believed they are confident.

Is this a false positive?

Are leaders being lured into complacency through an over reliance on paying ransoms and having insurance policies?

There is also a strong belief they are well placed to recover quickly from an attack.

Just under half (40%) of respondents claim it would take between a week and over two months to recover from an attack, while 54% claim it would take between one and six days.

Interestingly, just 3.6% claim it will take less than 24 hours to recover.

Imagine the impact on the business of this lost time.

It suggests a disconnect between the various functions of protection, detection, identification, response and recovery needed to effectively mitigate threats.

What is clear from the research is the need for IT and security teams to work more closely together to create a more robust data security and resiliency strategy.

Unfortunately, not everyone agrees; our research revealed that just 29.5% strongly believe that IT and security teams should work together more closely.

We believe fundamentally this is the way forward.

The issue is that IT structures are increasingly prone to change due to shifting data demands.

Organisations are having to cope with data in multiple locations: on-premises, private cloud, public cloud, SaaS platforms and applications, co-location datacentres and so on.

This creates complexity and blurs the lines of responsibility, which is why the focus has to be on the data itself.

While prevention is not always possible, how organisations identify, detect and respond to a security breach is critical.

Ransomware re-infection

Just to drive the matter home, one of the more obvious concerns following an attack is re-infection.

Paying a ransom does not automatically remove ransomware from the organisation’s systems.

Trusting criminals to stick to so-called promises to open up systems once a ransom has been paid makes no sense.

Why would an attacker not leave code in the system hidden away for future exploitation?

A different hack with a different paymaster generates income and increases pain on the customer trying to recover.

Our research reveals that IT and security leaders are not entirely convinced that their organisation could avoid re-infection following an attack.

While 20% were convinced they would be okay, the rest have little to no confidence.

Clearly, something is not working, so why stick to what seems to be a knee-jerk reaction to the ransomware problem?

Finding an alternative way to work, to mitigate against threats through quick and efficient response and recovery is surely an intelligent direction to take.

How can an organisation not just detect ransomware, wipers and malicious insiders but also respond by empowering its existing security tooling?

This is where backup and recovery come to the fore, using the cloud and automation to establish ‘clean rooms’ and drive analytics for an appropriate and timely response.

It’s about establishing a coordinated strategy of digital forensics and incident response, with a clean recovery at pace, leveraging the power of data and cloud-based file systems to enable that rapid recovery.

This is not short-term thinking, it is intelligent thinking, keeping the immediate and longer-term interests of the organisation front and centre of any operational and cyber-resiliency strategy.

If organisations are serious about this, then it is time to re-evaluate whether insurance and paying ransoms should ever really be part of their strategy.

Mark Molyneux, EMEA CTO, Cohesity