A hardline global approach to ransomware
Recently, the Australian government declared war against cyberattack, going hardcore in terms of hunting cyberattackers down, even before they’ve been proven to be connected to particular attacks. But possibly the most controversial measure announced was a plan to make it illegal for companies hit by ransomware attacks to pay the ransoms demanded of them.
We spoke to Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi, a firm of cybersecurity specialists which recently published fresh research on the willingness of companies to pay ransoms, to get an idea of whether the Australian hardline approach could be the way forward for a global strategy on ransomware.
Why do we businesses pay ransoms when there’s no guarantee they’ll get any data back, let alone the only copy of the data?
Years ago, it was seen as a quick fix. Operations are out, we’re in pain, if we just pay, it will be better. Of course, we’ve learned since then that that’s not the case. And our research shows that there’s this double, or even triple extortion potential to ransomed data. And that even if you pay, you’re not going to necessarily get your data or your operations back. So I think, yes, early on, it was seen as the quick fix, the way to get out of the pain, and now it’s not.
I was encouraged by the Australian action, not just because it puts a barrier in place to paying the ransom, but because it puts the incentive back on protecting the business and protecting your customers. That’s the right focus, because what we want to have happen is that the attackers don’t hold you for ransom, that they don’t steal your data, and that they don’t expose your customers’ data. So, if you’re doing your job protecting the business, then hopefully none of that will happen.
Driving the focus to the board
So, Parenting 101 – don’t reward bad behavior? Instead, step up and head off bad behavior in some way. Are you confident that companies are able to adequately protect themselves, before we remove the option of paying a ransom?
Well, we’re only going to get better if we need to, and I think this type of action drives that focus to where it matters the most now, which is at the board, and CEO, and managing director level. When you think about business risk today, we’ve got externalities, like, you know, the cost of inflation, we’ve got looming or current economic downturns, and those are things that are on the risk radar of a business, but cyberattack is as big and as dangerous as any one of those, because however long you’ve spent building it, however many years of effort you’ve put in, cyberattack can ruin your business in a matter of hours.
Many of the other things we plan for will play out in losing customers or supply chain issues, or the increased cost of goods or manufacturing that will play out over the long term.
A cyberattack will ruin your quarter, or maybe even ruin your business.
So I think that’s the thing for me — that boards, managing directors, and CEOs need to understand that this is one of their top risks. And I think that action by governments, like this Australian move, places it at that high level risk to the business. Because now, in this case in Australia, a CEO or CIO or CFO can’t take the decision to pay a ransom. If they do, it’s like any other crime they could commit, like falsifying their financials.
That’s why I think this is encouraging. For the teams that are focused in the trenches, the chief security officer security team, hopefully it will raise the priority of what they’re doing. It’s not going to directly help them today, they’re already fighting the fight. But by pushing the problem up to the leadership level, it may well help them down the line.
Alternative angles of threat
So by taking options off the board level table, it makes them focus on everything they can do to avoid being put into that situation in the first place?
Yes, because this shouldn’t be a problem for the security team. This is a top level business risk problem. If it’s being taken seriously by your government, then you as a C-suite have to take it just as seriously.
In the research we published, four out of five businesses were hit by ransomware attacks, but were then victims of alternative methods of extortion, like using the stolen customer data. So when you get hit by ransomware, it’s not just a case of what it means to you as a company, like some of the other gradual disasters we’ve spoken of. It’s about what it means to your customers. What it could mean to your supply chain, or the supply chain that you’re a part of. For instance, we’ve seen shipping logistics companies fall victim to attack and suddenly the whole supply chain that they’re a part of is vulnerable, so cyberattack has both a catastrophic immediate effect on your business, and a destabilizing long term effect on the businesses around you.
Does banning ransomware payments discourage hackers? Or will they just go a different way?
The ever-present threat
Cyberattackers are like water in a river. Now, there are stones in rivers. And you can put a stone in a river — and the water just goes around it. Will this move have an effect? Yes. Those who take it seriously will put defenses in place, and cybercriminals will go elsewhere. They’ll look for other mechanisms, like we’ve seen with ransomware. They’ll target the customers of data that’s stolen, or they’ll sell the data on the dark web. They will look to monetize their criminal actions somewhere else, absolutely.
Cyber-risk isn’t going away. We had cyberattacks before ransomware became a fashion. We’ll have cyberattacks once at least what we know today as ransomware goes away.
That’s why I think the intent here of disabling boards from paying ransoms is not done with the intent just to make it hard on businesses. It’s being done so that this will become more serious at a board level, which should make investing in protecting the business, protecting your customers, a much more vital and straightforward decision to make.
In Part 2 of this article, we’ll delve deeper into the practicalities of being a board faced with no ransom-paying option, and what it means in terms of a potential sea change in the cost of doing business in a ransomware world.
1 February 2023
1 February 2023
1 February 2023