This article was provided by AXIS Insurance. It was written by Sharif Gardner, cyber unit training manager at AXIS Insurance.
The term ‘evolutionary arms race’ is often used in the context of cyber security to explain how, much like in the natural world, the prey must try to keep ahead of the predator in the survival stakes. As businesses develop new strategies to defend and protect themselves against innovative modes of attack by cyber criminals, the need to stay a step ahead causes asymmetric evolutionary pressure that can be costly for firms.
When it comes to ransomware, the attack mode of choice for cyber criminals today, financial gain is the main incentive. However, once the ransom demand, recovery and business interruption costs are all taken into account, in some cases the ransom payment itself may be as little as 10% of the overall cost of the incident. The damage to the prey is therefore greater than the reward to the predator. This means the evolutionary pressure falls on the business, which needs to evolve quickly to defend against cyberattacks. Over the past 18 months, as the ransomware threat has intensified, cyber security minimum standards have become one of the most important and fundamental lines of defense for businesses.
Minimum control standards: what organizations should consider
Up until the rise of ‘big game’ ransomware (the evolution of the predator), cyberattacks were relatively easy to conduct. An amateur criminal group could simply ‘rent’ tools or hacking kits and have a go themselves. This led to frustration among criminals, as amateurs would often distribute malware but have no proper governance in place to help victims decrypt their data after a ransomware incident, for example. This meant victims were left stranded, having paid a ransom but not getting their data back.
The biggest threat to a ransomware operation is victims not paying ransoms because they don’t ‘trust’ the model, that is, they do not believe they will get their data back. This forced both predator and prey to evolve, with each implementing heavily layered attacks and defenses respectively. However, the severity of the threat has highlighted the importance of a clear strategy to defend against such risks.
Therefore, we must raise the bar across every organization in every single sector. There is no one-size-fits-all approach, and each company’s approach will differ according to its size, sector and needs, but there is no hiding from the risk. All organizations need to ensure their minimum security standards are fit for purpose.
Every organization must identify someone to take charge of cyber security governance, no matter the size of the business. The selected individual doesn’t need to be deeply skilled in technology or cyber security; for example, a five-person operation still needs a good understanding of which anti-virus software it needs, why it is important to keep all systems and software up to date and patched, and that simply implementing 2FA on its company social media and shared file drive accounts will greatly enhance its protection.
The number one critical control is identifying your assets – you cannot protect what you don’t know you have. That could be anything from hardware – physical devices, phones, laptops – to the software that sits on those devices, and then the information assets themselves.
Businesses need to establish, as a minimum, a robust understanding of the amount of data they hold and how critical that data is to remaining operational. They then need to consider who has access to that information, so that each user is given only the minimum access necessary to do their job. That stops information being obtained or shared unnecessarily. There is no such thing as total security; however, a cost-effective way to avoid large ransomware incidents is to purge data you no longer need.
Unfortunately, many businesses could be protecting data they haven't used for several years, which could cost them from a regulatory or a ransomware standpoint. At an estimate, many organizations may only access 20% of their active data, meaning the rest sits on file servers and is seldom used again. There might be a need to hold on to it for regulatory purposes, but it is crucial to remove it from the system completely – or at least, get it offline.
Minimum standards also need to be implemented around software updates and patching, because criminals will exploit weaknesses in systems. The standards chosen don’t have to be the same for all, but they must align with each specific business operation. Standards around software update lifecycles must be implemented, and critical and non-critical software must have separate procedures. For example, ‘out of cycle’ patches could need implementing immediately, versus ‘normal’ cycle patches that could take, for example, 30 days to be implemented. While some operational technology systems cannot be updated easily and take considerably longer to update – if ever – organizations must refrain from treating all updates the same.
Cyberattacks are difficult to predict – malware can go undetected for some time, wreaking havoc when eventually activated – and they impact every sector. These attacks should not be easy to execute, and one of the best ways for businesses to remain resilient is by developing and implementing at least a minimum standard. This will vary greatly by size and sector. However, in the race to stay ahead of cyber criminals, it is the hunted that must continue to evolve its tactics to stay out of reach of the hunter.