Cyber attacks take various guises but one of the fastest growing forms globally is ransomware. Tom Draper of Arthur J. Gallagher says that employees and third-party suppliers are often the weakest link, and urges risk managers to take action.
Ransomware is the form of online attack most favoured by criminal enterprises, and its high success rate means it will continue to be a fixture of the cyber risk landscape. For example, research from Malwarebytes, a computer security firm, found that 54% of surveyed businesses in the UK had been targeted with ransomware attacks. Meanwhile, another cyber security firm, Symantec, logged 100 new ransomware ‘families’ in 2015 – the highest to date.
Ransomware is the practice of using sophisticated malware to lock or encrypt access to a victim’s systems and data, then demanding payment for its release; encryption ransomware is a particular problem. After an attack, access is only possible with a decryption key, and the attacker demands a ransom, typically paid in a cryptocurrency such as Bitcoin, in exchange for that key and the restoration of access.
Simply removing the malware will not solve the problem, as the encrypted files will remain inaccessible. A survey conducted by cyber security firm Trend Micro found that although two-thirds of UK companies confronted with a ransomware situation end up paying the ransom, only 45% of those infected got their data back once they had paid.
A successful attack can cause significant reputational and operational damage to a business, as well as financial loss. According to Trend Micro’s findings, the average ransom requested in the UK was £540, but 20% of companies reported ransoms of more than £1,000. On top of this is the cost to the business of fixing the issue: businesses affected by ransomware estimate it takes an average of 33 man-hours to fix the issues caused by the infection.
Firms cannot be complacent: companies of all sizes are targets. With ransomware attacks looking set to increase, businesses need to ensure they are taking proactive steps to mitigate this threat. These include strengthening security around digital infrastructure, implementing a culture of resilience, and educating employees about the threat. It is not difficult to bolster your defences: consider running cyber-attack simulations, regularly test back-up systems to ensure they are working properly (a backup that has never been restored from is an untested backup), test your incident response plan, and ensure you have appropriate cyber liability insurance or other coverage.
Educating your employees is vital, as people are the weakest link in any security chain. Research by Symantec found that 43% of ransomware victims (between January 2015 and April 2016) were employees in organisations. It is therefore vital that staff understand how to identify a phishing email and what the protocol is when they discover a suspected one. This should be part of an ongoing training and competence regime, not viewed as a tick-box exercise.
It is also important to tackle your third-party supplier vulnerabilities. Many companies store data and run business operations via the cloud. This is cost-effective and, while the cloud can be a secure platform, it is not immune to attack. Businesses should be conducting risk assessments that identify threats within their own digital infrastructure as well as any relating to the third-party providers they use. One of the most infamous cyber attacks was the highly publicised data breach at US store Target in 2013. Over 100 million customer records were compromised, and the cause of the attack was traced to one of its suppliers rather than to its own digital infrastructure.
Risk managers need to work with their executive team and IT division to ensure that their people are educated on best practice and that the business's security practices are strengthened to defend against this threat. With the advent of ransomware-as-a-service (RaaS), which enables even the most technically illiterate cybercriminal to extort payments from victims, and the high success rates of encryption ransomware attacks, this method of cybercrime is set to continue. Ignorance is not an excuse, and it’s vital that businesses take steps to proactively mitigate this threat.
By Tom Draper, Technology and Cyber Practice leader at Arthur J. Gallagher