Standing up to ransomware – the “zero tolerance” approach

Is the new Australian model fit for universal rollout?
30 November 2022

Today, Australia – tomorrow the world takes a hard line on ransomware?

Australia recently declared that it would take a hardline approach to cyberattacks and ransomware, as part of which it would make it illegal for companies to pay ransoms to get their data returned. The idea is to take a “zero tolerance” line with hackers.

We spoke to Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi, a firm of cybersecurity specialists which recently published fresh research on the willingness of companies to pay ransoms. In Part 1 of this article, Kevin explained why the culture of paying ransoms had arisen in the first place, and why the Australian decision, while it might not eradicate the ransomware threat, might still be useful in putting the issue right in front of boards and forcing them to confront it.

While we had him in the chair, we asked Kevin about the practical implications of legally banning boards from paying a ransom in the event of a cyberattack.

THQ:

Do you think that boards will survive this sort of legislation to ban them from paying ransoms?

KB:

I think it will change them, certainly, because it will make it harder for cyberattackers to be successful, no matter what they try. That’s the real intent of moves like this – they’re not out to punish companies, or boards, for that matter, they’re out to educate boards in the importance of an issue.

Moves like this are the very start of new action – whether the company is on the London stock exchange, or in Paris, or Frankfurt, or New York, or Sydney – it should drive them to report cyberattacks as part of their annual reports, and reveal the level of their cyberexposure. That will probably change boards, but it should only change them to make them more effective at fighting ransomware attacks. It’s not intended to be an anti-business move, and it shouldn’t drive boards to breaking point.

THQ:

So the payment ban doesn’t drive companies between a rock and a legal hard place? It just shifts the focus of the C-suite, so it treats this issue as seriously as it should?

KB:

That’s precisely right. And I think that’s why this focus should be applied universally, certainly in Western countries. Hopefully, this will start a standardization in Western countries on how we approach this.

THQ:

That’s the next logical step, isn’t it? See whether this works and how it works, and what the fallout and the effects of it are? And then to deem whether it’s a worthwhile approach to apply more universally?

KB:

I think it will be applied more universally. And I think it’s a good opportunity to drive action. Talking with cybersecurity professionals in Australia, it’s always been their challenge to get executive and board level focus on cyberattacks and cybersecurity. So for example, in Australia, there are data protection rules. But it’s always been the perspective among cybersecurity professionals that those data protection rules have lacked teeth. And this starts to bring a different perspective to bear, driving positive action.

And I think that’s also why these Australian rules will be welcomed by cybersecurity professionals internationally.

THQ:

That’s always been an attitude in business, hasn’t it? That certainly, cyberattacks are possible, so we should do whatever we can to protect against them. But at the end of the day, the possibility of cyberattack is the cost of doing business.

We’ve been speaking to people in cyberinsurance recently, who say that because of the rising risk threshold of cyberattacks, they’re quietly carving ransomware protection out of their cyberinsurance policies, or demanding lots of stringent cybersecurity measures be followed before they’ll even write policies for companies.

The time of cyberattack being part of the price of doing business is over, isn’t it?

KB:

It definitely is over. Certainly in the UK, we’re going into probably the longest recession in anyone’s memory. So having a cyberattack on top of that is not what you need on your margin. So turning the attention of the C-suite onto the fact that cybersecurity is their shared responsibility feels key even to survival through this upcoming period.

There’s a shared responsibility between the security team, who already know their part in the process, the board, who need to change to embrace their part in the process, and even investors, whose money may well be flushed away by cybernegligence, to make sure there’s at least one board member who has real cybersecurity experience, so that when the chief security officer is reporting on their preparedness, there’s a board member who understands what they mean – and can, if necessary, explain it to the rest of the board, at their own level. All of this should be a cycle. It is not a fix overnight, but it’s the right type of progress.

THQ:

That will eventually change the makeup of boards, won’t it, so that the boards of the next generation are significantly more aware of the importance of preparedness for cyberattack?

KB:

It has to do that, absolutely. Normally on your board, you usually have a member who’s a financial expert, an audit expert, someone who may have deep labor expertise and understanding. They’re all there because their expertise is deemed to be vital to the successful running of the company. The same thing has to happen with cybersecurity.

THQ:

We don’t know exactly how this is going to play out, but we expect the cyberattackers will go elsewhere and try other things to monetize their attacks. Presumably, we meet that problem down the road and deal with it when we know more?

KB:

In our research, less than 20% of attacks were straightforward “We have your data encrypted, and if you pay us, we’ll give it back to you” ransomware attacks. Over 80% were variations on that theme, including going after customers. That is an opportunity that we’re seeing more and more of. And so this is all going to continue to evolve, especially as businesses move more and more to the cloud.

So this is an area where cyberattacks have to be taken more seriously at board level, because whereas the CIO, the CEO, or the CMO thinks a cloud native business delivers a necessary 21st century agility, and it does, it also brings new vulnerabilities. You no longer have servers in a data center that you can go and rip out if you absolutely need to. Being cloud native is very, very different. That’s probably one way that we’ll start to see these types of attacks evolve. If you’re looking for our prediction of the future, ours is that we’ll see more cloud-centered attacks.

Imagine someone holding your cloud for ransom.

Or someone masquerading as your cloud, even for a short period of time, taking over whole networks of things. You know, today ransomware, generally, has to infect one system at a time. But in a world of connected machines, whether that’s your cloud, or whether you’ve got connected IoT devices, if I can pretend to be the cloud, you can send all sorts of commands and software down, and that’s a lot more effective than having to infect one computer at a time. So these are the places that will see the attacks evolve.

THQ:

We’ve spoken recently to an IoT device specialist, who warned about exactly that – the ease and rapidity of infection from device to system to the cloud.

KB:

I agree with that perspective on IoT connected devices, absolutely. But we also have connected machines running in the cloud. So with cloud-native companies running Kubernetes, there’s the opportunity as well to infect or take over those, and the speed of that infection is just as fast as, or faster than, my ability to take over a network of things.

Business has focused a lot on the identity of people, both customers and team members. There’s been less focus on machine identity, and I think that will be the next challenge as we move into cloud-centered ransomware and cyberattack.

We’ll need to know whether instructions are coming from the cloud, or a cloud service, or an IoT device – the identity of that is in many ways going to be as important as the identity of a person. That machine identity awareness has grown recently, and it will only get more and more important as the ransomware threat evolves.

THQ:

It’s essentially an arms race between businesses and cyberattackers, isn’t it?

KB:

You could say that. We’re building more protections, and the cybercriminals will evolve too. They always evolve. That is a certainty.

But if we’re really serious about protecting our business, then we’re doing our jobs. Yes, there will be incidents, even in the best protected businesses. But you’ll be better prepared, and so you’ll respond better. Cyber-risk isn’t going away. But if you’re serious, if you’ve got the protection that controls your ability to respond, and your competitor business doesn’t, where are the attackers going to succeed?

And come to that, where are they going to focus? It will be in those places that aren’t protected. So, certainly with government backing as the Australians are proposing, it becomes a competitiveness issue. It’s not just a question of whether we are protecting critical infrastructure, it’s a straightforward competitiveness issue. Take cybersecurity more seriously than your competitors and you’re the more competitive business.

THQ:

It’s like that story about two people faced with a lion. One puts on running shoes, and the other says “You’ll never outrun a lion, even in those.” And as the first person ties up their laces, they turn to their friend, looking confused, and say “I only have to outrun you.” Businesses are instantaneously made more competitive simply by being better prepared for cyberattacks.

KB:

Right?

THQ:

Finally, the Australian approach was the result of two fairly enormous attacks that really hit home and were very public. What persuades governments in the rest of the Western world to do this? In the absence of such massive attacks, hopefully.

KB:

I think that having it done somewhere is a start. One country taking an action will start to grow awareness of this. Multinational companies will have business in Australia, and will understand that that means they have to obey the Australian rules. And if you’re going to have to do it to trade in Australia, why not do it throughout the company, irrespective of national rules? That will drive a lot of awareness and action to this issue. Yes, successful cyberattacks do drive awareness because you get the attention focused on it. But I think in general, there is a growing awareness.

I think this foretells the future. No matter what, there’s going to be more government action, more government requirements. It’s one domino that continues to drive action. If anyone is out there acting like a naysayer, declaring that in Western Europe and North America, we’re not going to see this type of action, I think they’d be very much mistaken.