Ransomware is well recognised, but nothing paints a picture of the threat it poses to firms better than hard data. Business continuity solutions provider Databarracks highlights some insightful trends, based on data from annual surveys conducted over the last 10 years. Hardware failure is the root cause of data loss in 15 to 30 percent of organisations. It’s the same percentage for human error. The key point is that these percentages have remained consistent: the numbers haven’t changed year-on-year in the last 10 years.
Now let’s look at cyber attacks as the reason for data loss. In 2012, a cyber attack was the number one cause of data loss in only 5 percent of organisations. By 2022, this figure had grown exponentially, year-on-year, to 40 percent. And we haven’t seen the end of it yet. Unlike hardware failure and human error, this trend is showing no sign of plateauing.
Worryingly, 44 percent of the firms that lost data to a cyber attack actually paid the ransom to the hackers. Potentially, they paid because they knew that without paying they were unlikely to recover the data. Databarracks draws this conclusion because, of the firms that lost data to a cyber attack, 34 percent didn’t pay the ransom and instead recovered data from backups, and 22 percent used a decryption tool.
The message really is that every organisation must constantly interrogate their security to ensure that systems are fit for purpose. Here are three key considerations to keep in mind:
- Cybersecurity insurance. Most organisations today take out cybersecurity insurance, which, in step with the growing threat, is also rapidly increasing in cost quarter-on-quarter. It is an unavoidable business expense, and can potentially help mitigate some of the financial impact should what some consider the “inevitable” happen. Unfortunately, the “security” that insurance provides isn’t as clear cut as we would like it to be.
To get insurance protection, organisations are required to demonstrate the safeguards and measures the firm is taking to protect itself from the security threats. So, you need to provide evidence of strong foundations of security – processes, training, incident response strategies, backups, disaster recovery plans, and so forth.
Typically, there is a range of exclusions and limitations in the insurance policy, and, dare I say it, organisations quite often don’t know exactly how the policy would play out in the event of a breach. For example, many policies exclude attacks by state-sponsored actors if the attacks are directly linked to a national government. Similarly, some insurers mandate that if a breach happens, their own forensic experts will evaluate the situation before the insurance money is released. Insurance companies will inevitably protect their financial interests as far as they are able.
So, make sure you are in control. Before taking out insurance, take a careful look at what you need the insurance for, how much cover you will get in real terms and how much it costs, and on that basis determine the value of cover to take. Crucially, be mindful that when bad actors breach an organisation, they also look for information on the ransomware insurance premiums the organisation has taken out, to help gauge the company’s likely appetite for paying their ransom.
- To pay or not to pay, that is the question! Rational thinking says don’t pay the ransom. All advice, from law enforcement through to the National Cyber Security Centre and the government at large, categorically states not to pay a ransom, on the premise that it feeds crime. Agreed, of course. But when the business’s leadership is staring the enemy in the eye, the firm has lost business-critical data, IT can’t restore from backup, the organisation faces a real possibility of going under and investors are breathing down their necks, their perspective might be a little different.
It depends on the nature of the business too. If all you have suffered is theft of data, and the hackers are simply trying to extort a ransom with no guarantee of returning the data, there is no gain from paying. On the other hand, if you are part of the senior leadership in, say, a bank, the scenario is entirely different. Foremost, you are required by law to inform the regulators, and there are several. This in itself is a horrendous situation to be in, let alone all the other business issues you will need to deal with. Hackers know which buttons to press.
Regrettably, there is no single, clear cut answer, but there is a conversation to be had internally on ethics and morals, so that should an attack take place, the business knows how to approach these issues.
- Business resilience. The sophistication of cyber threat actors is growing, and firms need to keep evolving their security defences at pace. Security cannot be static. Not only is it essential to establish business resilience through best-practice security principles such as Zero Trust, employee training, supply chain security, backup processes and so on; it is imperative to stress test those defences routinely to find loopholes, adopting a “hacker” mindset.
And the final take-away? Complacency with regard to cybersecurity is simply not an option. Technology providers today are actively devising ways of helping organisations to stem this threat immediately, whilst working hard to address the problem more permanently in the future. If you would like to discuss any of the issues highlighted in this blog, please get in touch with your LexisNexis Enterprise Solutions account manager.
This blog is based on a recent joint webinar with Tom Notley, Head of Channel, and Chris Butler, Head of Consulting, at Databarracks. To request a link to watch a recording of the webinar, please complete this form.