Ransomware: overconfident and underprepared?

John Maynard at Adarma explains what businesses need to do to tackle the ransomware threat on Business Reporter

In the last few years, a few key terms have been introduced into our daily vocabulary. Pandemic, hybrid and/or remote working, and social distancing, being among some that come to mind, but also, ‘ransomware’.

As the world relies more heavily on the digital world to conduct business, socialise, and learn, we have also seen a spike in cyber crime, where ransomware made for the splashiest of headlines. According to the World Economic Forum’s 2022 Global Risks Report, ransomware attacks increased by as much as 435% in 2020 compared to its preceding year.

Such attacks have grown to become so frequent; it would not be unusual to read about more than one occurring in any given day. Just recently, numerous European oil port terminals fell victim to an attack and British snacks giant, KP Snacks, was hijacked by the Conti ransomware gang resulting in disruptions to their supply chain.

It’s no wonder then that business leaders worldwide are on edge. Indeed, a recent survey by Adarma of 500 UK businesses with over 2,000 employees, revealed that 94% are either “concerned” or “very concerned” about the threat of ransomware.

On one hand, this new-found awareness of the existing cyber threat landscape is a critical first step towards building a robust defence. Unfortunately, this has yet to be paired with the necessary security measures and strategies.

For the most part, there appears to be a disconnect between how prepared businesses believe themselves to be and where they truly stand. Despite 96% of respondents stating that they were confident in their existing deterrents and preventative measures, a staggering 58% of businesses surveyed have already been hit with ransomware.

Moreover, more than one in every five companies do not have an incident plan in place, suggesting that cyber-security is not as much of a priority as they claim. To put it simply, many are failing to walk the talk.

So, what should organisations be doing moving forwards to bridge this gap?

Firstly, in line with the importance of awareness, is recognising that no one is safe from the virulent hands of cyber criminals. Whether you work in healthcare, arts and culture, finance, retail, legal sectors etc., no single industry is spared. Research from DigitalShadows supports this idea.

While we do see a decrease in targeted attempts on individual sectors, this is largely because attackers are diversifying their efforts across a greater range of sectors. One notable exception to this trend, however, was the Technology sector which saw a 29.8% increase in ransomware attacks.

The next step is breaking down the blame culture that tends to overwhelm a company suffering through a breach. With any number of contributing factors that could result in a breach, holding the correct people to account may not be as simple as it seems.

According to Adarma’s study, nearly half of respondents went for the obvious choice, levying blame on the IT security team. Perhaps unsurprisingly, only a third of business leaders feel that the blame lies with the Board, the CEO or HR. Worse still, a fifth of respondents believe the individual that clicked on a phishing email should be held accountable.

The truth of the matter is, there never really is one person or group of people that should shoulder the burden. Cyber-security is a collective effort and pointing fingers at one another does nothing but create internal divides when we should be banding together against our common enemy: the cyber criminals.

Organisations must also take a proactive, four-fold approach to mitigating ransomware attacks. That is, prevent, prepare, detect and eliminate. To prevent attacks from becoming unmanageable, it is important that businesses get to know their enemy and use this knowledge to bolster their security systems and test the solutions they have.

To ensure they are not caught off guard, preparation is key. Reviewing cyber insurance and internal communications ensures response is swift and cost is lowered. Moreover, speed is of the essence; research suggests businesses only have one day to one week to detect and respond to threats.

Equally, the attacker should be kept in the dark when they have been detected. This may require bringing in external support and technologies to achieve. The final step is containing the threat. Once contained, it is critical that the threat is eliminated from all systems with no hope of returning; backups, files and networks all have to be clean and the processes documented.

Last but not least, in the event of a breach and when faced with a ransom demand, organisations must think carefully about what they choose to do next. Concerningly, two thirds of those that had suffered an attack paid the ransom. This figure rose to 100% for smaller businesses; businesses that are unlikely to be generating enough revenue to come out the other side standing.

While paying the ransom may seem like the most sensible financial and practical decision, this is often not the case. The National Cyber Security Centre (NCSC) warns that paying the ransom does not guarantee regaining access to the computers or data. In fact, following through with the payment could even flag the business as an easy target in the future.

To make matters worse, the legality of paying ransoms is shaky at best. Flavia Kenyon, barrister at The 36 Group, notes that while the law has not reached cryptocurrency just yet, paying an organised criminal group with fiat money is a money laundering offence under the Proceeds of Crime Act 2002.

The current legal position is that making a ransom payment per se is not unlawful. What is unlawful is making that payment to terrorist organisations or prescribed groups in breach of international sanctions.

It is obvious that business leaders are maturing in their approach to cyber-security. Almost all reported that they were concerned by the threat of a ransomware attack and 78% stated that they have measures in place to combat them.

While this is encouraging, discrepancies in concern and action suggest that we’re not quite there yet. Concern is good, but as almost 60% of businesses have been hit with ransomware attacks, it’s obvious that more needs to be done.

The reluctance of senior leadership to accept responsibility is also worrying as it suggests that business leaders still do not view cyber-security as the business-wide problem it really is.