Cyberattacks are expected to cost organizations worldwide about $6 trillion by the end of 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures. Furthermore, TechJury estimates that 30,000 websites are hacked daily, there’s a new attack every 39 seconds somewhere on the web, and almost two-thirds (64%) of companies worldwide have experienced at least one form of cyberattack.
Ransomware is the hottest topic of the day. In the past year, there has been a significant uptick in the frequency and severity of ransomware attacks, impacting businesses of all sizes and in all sectors. In fact, Group-IB – a Russian-led cyber security company – reported that global ransomware incidents surged by 150% in 2020, with the average extortion amount also doubling. The statistics go on and on, but the underlying message is loud and clear: the cyber threat landscape is growing more and more dangerous, and cyber protection should be a top priority for businesses, no matter what industry they operate in.
According to Oren Wortman (pictured), managing director of the national cyber practice with Beecher Carlson, part of the Brown & Brown team, the first thing that companies must do if they want to protect themselves against cyber risk is figure out exactly what their loss exposure looks like.
“You can’t protect what you don’t understand,” Wortman pointed out. “What is the nature of the risk that you have? Have you gone through an exercise of understanding what your loss exposure potentially looks like? Do you understand the nature of your assets? Have you identified and do you have an inventory of all your critical asset Crown Jewels? Making sure that you have a really thorough understanding of your risk is the number one step to getting ahead of this, because you can only start implementing the right mitigation steps once you understand the value at risk.”
Basic cyber hygiene
Once businesses understand their risk profile, there are lots of simple mitigations they can implement that “don’t require a significant six- or seven-figure investment,” Wortman stressed. He described it as “basic cyber hygiene” or even just “IT 101”.
“Companies need to understand their external attack surface,” he said. “What do you have out there that’s exposed to the public internet, and are there known attack vectors that you’re leaving exposed? The common example that we hear about all the time is remote desktop protocol (RDP). Do you have RDP open? I know for many insurers nowadays, if they have evidence that a company has RDP open currently, or even have had it open anytime in the last 90 to 180 days, that will trigger an automatic denial or non-renewal.
“And it’s not just RDP; there are lots of other known attack vectors. Applying administrative consoles to firewalls, enabling a VPN without multi factor authentication (MFA) – these are all risks on the external attack surface. Again, these things don’t require a tremendous investment to mitigate. Putting all of your publicly facing assets behind your VPN and enforcing MFA for all users goes a long way towards mitigating that risk.”
Another free thing that businesses can do to protect against initial attack vectors is carry out regular patching and software updates. Critical vulnerabilities come out, day in and day out, and while there’s often fatigue around dealing with these vulnerabilities, doing so can provide valuable protection. As Wortman pointed out, software vulnerability exploit is the second or third most commonly used initial attack vector. And finally, businesses should shore up the human element of their defenses by conducting employee training and awareness, so that employees get to the stage where they can identify and report suspicious cyber activity.
Mitigating the likelihood of success
“Let’s assume there’s a breach,” Wortman added, “because there are sophisticated threat actors out there who can still get through, even if a company uses MFA, patches their vulnerabilities, and keeps their external attack surface clean and secure. What can you do to mitigate the risks once an actor is inside of your network? Again, end-user training and awareness goes a long way.
“Also, enforcing MFA for all privileged accounts inside of the network perimeter is important. A threat actor getting in is step one of the problem, but if they can’t escalate their privileges to a privileged account - somebody with administrative privileges - they can’t execute on their objectives. So, enforcing MFA and properly protecting your credentials, especially your privileged credentials is critically important.”
Read more: Tokio Marine HCC bolsters cyber practice
Businesses should also ensure they have an up-to-date endpoint detection and response (EDR) tool on all of their endpoints, the cyber expert added, as legacy antivirus software is not going to detect and protect against today’s cyber threats.
“Another element to think about is that we’ve got a very blurred or disintegrated network perimeter nowadays, which has been the case for the better part of two years because of work from home during the COVID-19 pandemic,” he added. “So, how are you protecting all of those corporate endpoints that are no longer inside the network perimeter? Making sure that you subscribe to an always-on cloud-based web proxy, for example, so that all traffic is being scanned, malicious sites are being blocked, etc. - that’s very important.”
Mitigating the impact
If a cyberattack is successful, there are ways for companies to mitigate the impact of the event, especially when it comes to ransomware. A lot of it revolves around preparation and having strong technical disaster recovery controls.
“Backups should be done regularly, they should be stored offsite and offline, and they should not be accessible through standard active directory corporate credentials but through a secondary mechanism. If you have confidence in your backups, you have very little reason to pay the garden variety traditional ransomware attack,” Wortman commented. “That being said, there is a little bit of complexity given that nowadays, in excess of 70% of ransom attacks are double extortion events, where they combine both the encryption and also the threat of data exfiltration from your environment.
“You can protect against the encryption component for backups, but how do you protect against the exfiltration? This goes back to things that we’ve been doing for years. Six or seven years ago, the threat of a cyberattack was all around data breach. We grew up learning how to protect against data breach. Make sure you have good data loss prevention tools in place, make sure that you encrypt your data on your network at rest so that even if it is exfiltrated, there is no risk of it being exposed. There are things you can do to also protect against the secondary extortion, which would then also lessen the likelihood that you’d be inclined to pay the ransom.”