When the Chief Information Security Officer (CISO) in one of the largest US credit reporting agencies said in his LinkedIn post that organizations must have an “option to pay” when ransomware hits them, it sparked a debate with the cybersecurity techies and pundits. Some even expressed their extreme disagreement with the proposition, stating that the supposed defenders and guardians are the ones who empower the cybercriminals.
While every cybersecurity organization promotes a proactive approach to ransomware, many organizations seem to be reactive and downplay the threats. In a Feb 2022 BBC Report, 82% of British firms that have been victims of ransomware paid the hackers to get their data back. The global average is 58%.
Even the government is not spared. In 2019, the government in Lake City in Florida paid hackers $460,000 to give back email and server control. The ransomware resulted in city workers not being able to work and froze the capability to pay the city dues online. Another report shows that 79 reported ransomware attacks occurred in US municipalities/counties that affected 71 million people. Around $1.75M was paid to retrieve their data.
While there are hackers who are professionals when it comes to honoring their word in returning the stolen or encrypted data, there are many who don’t. As the techies and government agencies say, “A criminal is a criminal. We don’t negotiate with criminals.” A 2021 Kaspersky report showed that 56% of their respondents paid the ransom to get their data back. Of those 56% respondents, 17% didn’t get their data back even after paying.
The numbers tell us that while organizations have dedicated security teams and subscribed to an advanced endpoint and server security protection, a good number will likely pay the ransom depending on the gravity of the situation. “You should have done your back up” or “You should not have clicked that” is easier said than done.
So what should be the approach? Is there a pragmatic approach? Like every security issue, everybody has a responsibility to do.
Listen to the Technical Teams
Coming from technical security, I understand where SOC and Incident Response teams are coming from. The nitty-gritty on what technologies and processes must be in place are usually neglected in some organizations. It is especially true for organizations that consider security an afterthought and treat it as something reactive.
The practices are simple regardless of the reference you have:
- Periodic security awareness to avoid and counter social engineering attacks
- Implement patches promptly to fix known vulnerabilities
- Enforce least privilege and separation of duties to data access depending on its classification
- Run and test backup of files for data redundancy
- Implement data encryption to devices that process critical data
- Enable and conduct routine auditing and respond to security incidents within SLA
More stringent laws and continued compliance
Legislation and regulation will compel organizations to follow best practices primarily to avoid fines. Although following just for compliance may not be the best motivation for organizations, setting a baseline of best practices is a good start. One of the most recent developments concerning compliance is the law signed by President Biden that compels organizations with critical infrastructure to report cybersecurity incidents to the US Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Other organizations even follow global standards like ISO 27001 to have a solid security baseline even if they have no intention of certifying. Note that even compliance with such international standards doesn’t provide foolproof protection from ransomware. Equifax was ISO 27001 certified when they were hit with a massive data breach.
The other important aspect is monitoring. Without enforcement, we wouldn’t be able to measure the effectiveness of the law or policy. We wouldn’t be able to get the correct numbers and determine areas of improvement. It is commendable that the Philippines’ National Privacy Commission (NPC) has continually published informative and detailed circulars ranging from technical to procedural. One significant development that we want to see in the coming years is the growth of the NPC’s audits and surprise visits to various organizations.
Subscribe to cyber insurance when able
Risk transference is a risk approach. Cyber insurance has been in business for a while, and it provides a win-win situation for both parties. In a Deloitte report, transferring a cybersecurity risk has been a cost-effective strategy, especially when vast attack surface. On the insurance side, it seems that cyber insurance is profitable since the loss ratio is even lower (35%) compared to the usual P&C (62%).
Prep the business for a worst-case scenario
In business continuity planning (BCP), the security team assumes that there may be instances that all security systems will fail, and there must be actions to be done to continue the business. Ransomware is no exception. In many discussions about whether to pay or not to pay the hacker, the ending is that it is a business decision. In May 2021, Colonial Pipeline paid $4.4M to hackers as the ransomware attacks stopped millions of barrels of fuel from flowing. The company provides nearly half of the US East Coast fuel supply.
To pay or not to pay is not an easy question to answer. Business decision-makers must be prepared and aware of potential ransomware attacks. During business planning, there should be a thorough business impact analysis, so they have an idea of the thresholds and triggering points when to negotiate, pay, ask for vendor support, or work with authorities. With this preparation in place, the key decision-makers are not held at gunpoint to make a discussion with no context about the situation at all.
In 2020, the University Hospital New Jersey (UHNJ) paid $670K to hackers for them to unlock encrypted hospital and patient files and prevent it from being posted publicly. They have no strong IT support, and backups were not available. It is crucial to have access to these data, especially for those who need urgent care.
In one of my classes in the Executive Diploma Program in Cybersecurity where I teach, I asked the participants, all professionals, if they would pay the hackers as UHNJ did. For most batches, the majority of the answers were “no” since most were from technical teams. However, for this particular class, the lone C-level executive answered “yes.” He stated that it is a management decision. He shared that in his present and previous roles, they are already allotting a budget for ransom-type scenarios. It is the last trigger when all else fails. They included it in their BCP.
In summary, layered defense is still the approach in dealing with ransomware. The government, organizations provide the best practices and reputable vendors and service providers. But when all else fails, there must be a Plan B, and organizations with its key decision-makers must be prepared and ready to make the call.