The following is an opinion article written by África Mateos, client services & project manager – Sedgwick Spain, and Mark Hawksworth, technology specialist practice group leader, Sedgwick UK. The views expressed within the article are not necessarily reflective of those of Corporate Risk and Insurance.
It was Cybersecurity Awareness Month in October and as we edge into November it is still the perfect opportunity to discuss the growing development of cyber risk with the public and commercial world.
According to the latest World Economic Forum Global Risks Report 2018, cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies and are viewed by the wider risk community as the risk most likely to intensify in 2018.
As businesses become ever more dependent on technology in order to function, a company’s exposures to cyber risks are also heightened and we need to anticipate the attacker’s objectives and build cyber resilience to protect customers and businesses from malicious cyberattacks.
Damages from ransomware
The focus of corporate and individual cybersecurity has recently been brought to bear on the hijacking of data using ransomware. Although this form of extortion, albeit at a much less sophisticated level, has been around since the late 80s, it really gained widespread attention after the recent “WannaCry” attacks (also known as “WanaCrypt0r 2.0”) hit the headlines. This was a worldwide cyberattack that took advantage of a vulnerability in computers running the Microsoft Windows operating system that had not been updated. The ransomware affected the operations of companies such as:
- Telefónica & Iberdrola – Spain
- Nissan & NHS – UK
- Deutsche Bahn – Germany
- FedEx – US
- Renault – France
In the UK, NHS computers were affected across the whole organisation’s internal network; the outage lasted six days and cost the cash-strapped health service £92 million.
In 2016 Microsoft reported that ransomware cost approximately $325 million in damages, and this is predicted to rise to $11.5 billion by 2019, with a ransomware attack taking place every 14 seconds.
Cybercriminals spread ransomware using a variety of tactics that mirror classic fraud models: recognition, contact, trust and manipulation. Targets are then manipulated, through social engineering lures such as a tax demand, a package delivery or a prize win, into opening an attachment or following a link, which executes the ransomware.
Against this backdrop, an increasing number of insurance companies are launching cyber risk policies that include cover such as third party liability, technical assistance and research expenses, repair and restoration costs, loss of profit, legal defence, and crisis communication and management. Some also offer additional services such as adaptation to the new data protection regulation, prevention measures and help lines.
To pay or not to pay?
There is much debate on the subject of paying the ransom, with many views both for and against. The National Institute of Cybersecurity of Spain (INCIBE) advises against paying the ransom, reminding victims that they are dealing with criminals (or potentially terrorists) and that paying does not guarantee they will provide the private ‘key’ to unlock affected files. This non-payment stance is mirrored by the UK and US governments.
There are cases on record where, after a ransom was paid, the criminals demanded a higher sum or access to the network before unlocking the data.
We have also found evidence that the details of ransom payers are sold on in the form of ‘suckers’ lists – whereby if a ransom is paid the chances of a future attack are increased.
Cyber loss management
Considering how easy it is to purchase and launch a ransomware attack regardless of the expertise or skill a criminal has, it is crucial for cyber loss management to be expeditious, restoring the company’s normal activity as soon as possible through robust coordination among all the parties involved: loss adjusters, computer forensic experts, lawyers and communication agencies. To achieve this, it is essential to have identified all those involved before the attack and loss occurs.
As the saying goes, it’s better to be safe than sorry, and in this case prevention is our main ally against a cyberattack. The best way to protect your data is to create “off-network” back-up copies and store them away from the network. If these backups are not connected to the network, criminals cannot reach this data during an attack. The off-network copies can then be used to overwrite the encrypted (locked) data following an attack. That can make the difference between a few days of lost network functionality and a major disruption event.
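The off-network backup and restore described above, as an added example that is not part of the original article: the script copies a file tree to a backup location, records a SHA-256 manifest alongside it, refuses to restore from a backup whose own copies no longer match the manifest, and then overwrites only the live files that are missing or whose contents have changed. The directory names, sample files and the simulated corruption (a file overwritten with garbage and renamed) are all constructed for the demonstration; in practice the backup location would be removable or otherwise disconnected media, and a file that was legitimately edited since the last backup will also show up as “damaged”, so the restore list should be reviewed rather than applied blindly.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_root: Path) -> Dict[str, str]:
    """Copy every file under `source` into `backup_root/data` and write a hash manifest."""
    manifest: Dict[str, str] = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        dest = backup_root / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel] = sha256_file(file)
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def _load_manifest(backup_root: Path) -> Dict[str, str]:
    return json.loads((backup_root / "manifest.json").read_text())


def verify_backup(backup_root: Path) -> List[str]:
    """Relative paths whose backup copy is missing or no longer matches the manifest."""
    bad = []
    for rel, expected in _load_manifest(backup_root).items():
        copy = backup_root / "data" / rel
        if not copy.is_file() or sha256_file(copy) != expected:
            bad.append(rel)
    return bad


def find_damaged(source: Path, backup_root: Path) -> List[str]:
    """Live files that are missing (e.g. renamed by an attacker) or whose hash changed."""
    damaged = []
    for rel, expected in _load_manifest(backup_root).items():
        live = source / rel
        if not live.is_file() or sha256_file(live) != expected:
            damaged.append(rel)
    return damaged


def restore(source: Path, backup_root: Path) -> List[str]:
    """Overwrite damaged live files from the backup; returns the paths restored.

    Extra files the attacker left behind (ransom notes, renamed copies) are not
    removed; they are left for the forensic team to examine.
    """
    if verify_backup(backup_root):
        raise RuntimeError("backup copy fails its integrity check; refusing to restore from it")
    restored = []
    for rel in find_damaged(source, backup_root):
        live = source / rel
        live.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / "data" / rel, live)
        restored.append(rel)
    return restored


def demo() -> dict:
    """Walk-through on constructed sample files in a temporary directory."""
    original = "invoice,amount\n1001,250.00\n"
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "fileserver"          # constructed stand-in for the live share
        offline = Path(tmp) / "offline_backup"   # constructed stand-in for detached media
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q3.csv").write_text(original)
        (live / "readme.txt").write_text("shared drive\n")
        create_backup(live, offline)

        # Constructed simulation of an attack: content overwritten and the file renamed.
        victim = live / "finance" / "q3.csv"
        victim.write_bytes(b"\x00garbage\x00")
        victim.rename(victim.with_suffix(".csv.locked"))

        damaged = find_damaged(live, offline)
        restored = restore(live, offline)
        return {
            "damaged": damaged,
            "restored": restored,
            "clean_after_restore": find_damaged(live, offline) == [],
            "content_ok": (live / "finance" / "q3.csv").read_text() == original,
        }


if __name__ == "__main__":
    print(demo())
```

The integrity check on the backup itself is the point of keeping the manifest next to the copies: a backup that was reachable from the network during the attack may have been encrypted too, and restoring from it would only spread the damage.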
Other measures can also be taken, such as providing staff training to avoid falling into the trap, keeping your operating systems updated and using good antivirus software, although we know that achieving 100% cybersecurity is a myth which exists only in the minds of those who are not computer savvy. Even if all the prevention measures are taken (making daily backups, making employees aware of the techniques used and having a robust protection policy), vulnerabilities always exist. Knowing where weaknesses lie and taking positive action to prevent an attack can be the difference between business interruption and business failure.