The extraordinary events set in train by COVID-19 have turned working lives on their heads. Broadband and cloud computing – previously regarded by some sections of society as luxuries – were confirmed as critical infrastructure.
Business as normal is simply an impossibility without them. In the wake of this revelation has come the realization – and outright fear – of just how vulnerable our world is to cyber-attacks.
Of all the companies one might expect to be protected from cyber threats, defense contractors would be up towards the top of the list. Yet earlier this year Communications & Power Industries (CPI), which makes components for electronic warfare technology, paid a ransom to cybercriminals who had infiltrated its network.
The company, which counts the U.S. Department of Defense as a customer, had little choice. A senior member of staff had clicked on a malicious link while logged in; the infection spread from that workstation across the network and crippled the company’s IT systems.
This was a ransomware attack – by far the biggest cyber threat circulating today. Attacks are becoming ever more sophisticated and growing exponentially. Last year saw a 41 per cent rise in reported ransomware attacks.
“For cybercriminals, ransomware is a high-reward, low-risk activity, and one that doesn’t require a large degree of expertise and effort, since modern ransomware toolkits are easy to apply and can even be provided ‘as a service’ on the dark web,” says Philipp Hurni, Cyber Risk Engineering Global Practice Leader at Zurich Insurance Group (Zurich).
“In many countries, cyber risk and indeed ransomware are still substantially underestimated at board level. Boards and senior management must understand what the threats are and how to manage them to an acceptable level by prioritizing resources and activities accordingly.”
“Business impact analysis needs to be carried out to analyze which business processes, systems and data are the most valuable and which in turn need to be protected against ransomware attacks.”
This dimension, to Identify cyber risk in a company’s business, is stage one of a five-dimension approach to managing cyber risk. The approach mirrors a strategic framework developed by the U.S. National Institute of Standards and Technology (NIST) that is widely known in the field of cyber security and that also gives useful orientation for managing ransomware risk.
The second dimension is to Protect, i.e. to use technology-based solutions that detect known strains of ransomware in communication flows and block corrupted or malicious traffic.
“Investing in security technology is vital but it is equally important to provide awareness education and employ good IT hygiene practices,” adds Hurni.
“Training and awareness for company employees is particularly effective to reduce, for example, the risk of targeted phishing campaigns attempting to lure employees into opening malicious links or email attachments to infect their workstations.”
The third dimension of ransomware management is Detect, which means adopting continuous monitoring solutions that spot anomalous activity. This model of threat-hunting is an effective way of analyzing and preventing cyber incidents.
But no matter how well-educated staff are, or how good your monitoring, at some point a malicious link will be activated (as seen in the CPI ransomware attack in January). This triggers the fourth dimension: Respond.
“Incident response plans that foresee concrete actions to be taken in the event of a targeted ransomware attack should be periodically tested – not only by cyber security staff but with key senior members of the organization too,” says Oliver Delvos, Zurich’s Global Cyber Underwriting Manager.
“Roles and responsibilities should be defined in advance, such that precious time is not wasted in case an event materializes.”
The fifth and final dimension is Recover. It is crucial for organizations to continuously create backups of critical systems and data, and to prepare recovery plans for anticipated attack scenarios. Rigorous testing of the recovery infrastructure will ensure it is working properly.
Ransomware campaigns typically affect critical systems that underpin a business’s operations, yet many companies are underprepared when the time comes to restore from backups. This means their business processes can remain impaired for a prolonged time, often leading to substantial loss of income.
Insurance has a role to play here, too. “Above anything else, it is best to be prepared for all eventualities,” says Delvos.
“Cyber insurance can complement a business’s preparation, detection and response capabilities. It aims to take over the residual risk which might remain even if companies invest significantly in cyber security.”
In the case of public sector organizations the risk extends beyond the financial to potential loss of life – as seen in the devastating WannaCry cyber-attack which hit hospitals across the UK in 2017.
The World Economic Forum’s Global Risks Report 2020, produced in collaboration with Zurich, predicted that heightened geopolitical tensions could lead to a fragmented cyberspace with a lack of global technology governance. As tensions persist, the motives behind ransomware deployment could become multifaceted rather than merely financial.
And for all victims of ransomware attacks, the legacy is deeply damaging. “Many ransomware victims in 2019 did not get their files back regardless of whether they paid up or not,” adds Delvos.
“It’s the worst-case scenario that no business wants to encounter, but you’d better have a plan in case IT infrastructure is severely compromised.”
“In addition to critical processes, strategies should be in place to communicate with customers and employees to minimize disruption and potential reputational damage.”
According to the FBI, bank robberies in the USA have halved in the past decade, with the perpetrator being caught and convicted in almost two thirds of cases. In stark contrast, just 0.05 per cent of cyber-attacks result in a conviction.
And as technology continues to evolve and reshape the way we do business, so too do the cyber threats. The numbers involved are staggering. The Global Risks Report 2020 warns that by 2021 cybercrime damages could reach $6 trillion – on a par with the GDP of the world’s third largest economy.
Now that companies know what they must do to help protect themselves, the time has come to take action.
- Ransomware is a sobering reality which demands that companies take action to protect themselves
- Companies are advised to apply the five-dimension approach for cyber risk management to tackle the problem of ransomware attacks. These five dimensions mirror the NIST strategy.
- The dimensions are Identify, Protect, Detect, Respond and Recover
- No company can eliminate cyber risk through protection. Even with the best protection in place, significant residual risk remains. Cyber insurance is a means to enhance the corporate cyber risk management strategy by transferring this residual risk.