Four measures to prevent being held to ransom by malicious actors and cyber insu...

Wednesday, 27 October 2021 16:08

Four measures to prevent being held to ransom by malicious actors and cyber insurance

By Brad Newton

Brad Newton, ANZ Managing Director at Cohesity

GUEST OPINION by Brad Newton, ANZ Managing Director at Cohesity:  Insurance by definition is ‘a financial agreement whereby premiums are paid in exchange for a guarantee that costs will be met if a predetermined event occurs. Given the Australian Cyber Security Centre receives over 67,500 cybercrime reports each a year, and a ransomware attack happens globally every 11 seconds, it’s little wonder the global cyber insurance market is valued at more than $8 billion annually, with a compounding annual growth rate of 23.76% through 20271.

For many organisations, ransomware insurance is simply a line item in their wider cyber insurance policies. For others, ransomware coverage may not have been proactively sought out when taking out cyber insurance, and some companies may not even have cyber insurance on their radar.

However, many insurers are now automatically increasing cyber insurance premiums by upwards of 15% depending on their customers’ industry of operation, and others, like multinational insurer AXA, have announced their cyber insurance that covers ransomware will no longer be sold.

With IDC’s recent 2021 Ransomware Study: Where You Are Matters! report revealing more than a third of organisations in the past 12 months have experienced a ransomware attack or breach that blocked access to data or systems, organisations are now faced with being held to ransom by their cyber insurance policy coverage - or lack thereof – and not just malicious actors.

This same IDC report found only 13% of organisations who experienced a ransomware attack or breach in the past year did not pay the ransom. This is despite the average ransomware payment totalling almost $US250,000, which highlights the dilemma organisations are faced with when hit by ransomware; whether they have insurance or not.

The report also revealed the manufacturing and finance sectors have the highest rates of ransomware incidents. Meanwhile, IBM2 has found the average cost of a data breach in the healthcare sector now totals $US7.13 million. Organisations have several considerations to weigh up when hit by ransomware, with paying the ransom often seen as the only choice to ensure cybercriminals will unlock their files, with their reputation at stake, and customers at risk.

However, there is no guarantee that their data and usual business operations will return. In fact, ‘big game hunting’ is becoming a common ransomware strategy, where instead of a single endpoint being hit, multiple server-side elements of infrastructure are compromised to force a victim’s compliance.

These types of attacks are also resulting in more sensitive corporate data being extracted, so that their attackers can threaten victims with its sale or public release - essentially increasing the blast radius beyond the encryption of files and backups, to fully-fledged extortion or double-extortion.

The unfortunate reality is that paying ransoms often achieves the opposite intended result of remediation, with criminals often seeing companies who pay ransoms as weak. Earlier this year, the REvil ransomware group revealed it specifically targets organisations with ransomware, even hacking insurers first to see their customer database. Darkside, the group behind the Colonial Pipeline attack, has revealed it typically searches through a victim’s system looking for insurance coverage to determine how high they can raise the demands.

Shifting from a reactive to proactive state

With the cost of ransomware remediation set to rise over 13-fold to more than $US265 billion annually, and attacks increasing from every 11 seconds to every 2 seconds by 2031, organisations are wondering what measures they can put in place, while insurers continue to consider how they can provide ransomware insurance that holds neither their clients or themselves to ransom.

As with any serious situation that requires remediation, the best approach is prevention. Similar to an insurer charging a lower premium for car insurance if a vehicle is housed in a garage and has an immobiliser, the right data management technology offers a preventative measure for organisations, allowing insurers to establish a technology mandate and ransomware insurance to continue being provided.

The first measure or technology mandate that should be considered is the adoption of a 3-2-1 rule for data backups, whereby organisations must have at least three copies of their data, stored on two types of media, with one backup copy kept offline or offsite. This simple data backup and recovery approach ensures that organisations will always have an available and usable backup of their data or systems. Offsite and offline backups not only limit the effects of ransomware but, when combined with the right security solutions and employee awareness training, can help prevent ransomware altogether.

Building on the role of backups, the second data management measure and technology mandate that should be implemented are immutable backups. In theory, immutable backups and their data cannot be modified, encrypted, or deleted. This makes immutable file systems or backups one the purest ways to tackle ransomware threats, as they ensure the original backup job is kept inaccessible. This means that, while ransomware may be able to delete files in a mounted or read-write backup, these files are not able to be mounted on an external system and the immutable snapshot is unaffected.

Technology vendors now offer the ability to create and apply a “DataLock” policy to selected jobs and achieve a higher order of immutability for protected data, which security officers and admins aren’t even able to modify or delete. However, it is crucial to review your chosen vendor's level of immutability, because some add it later like icing on the cake while others, including Cohesity, bake immutability in by design or into the filling of the cake.

A third technology measure, or mandate, that is important to implement is multi-factor authentication. While this should be occurring across your technology stack, whether it’s an end-user employee logging into their email, company intranet or internal hub, and file system, or it’s your backup data that is being accessed. As much as strong passwords with multiple criteria are helpful, they do not offer guaranteed protection, which is why multi-factor authentication is the best way to mitigate against phishing and other password hacks or leaks.

Encryption is the fourth area for consideration when it comes to technology adoption and insurance mandates, whereby data that is backed up should always be encrypted either at rest or in transit over a network, with AES 256-bit encryption to secure data. Our customers benefit from encryption in flight, provided data is replicated to a Cohesity cluster and is tiered or achieved to the cloud from the Cohesity platform.

On the flipside, the other consideration on encryption that the right data management will support is whether data ingested into backup solutions is changed, typically these are compressed or de-duplicated, however, when a change occurs this is usually a red flag to a malicious act.

Changes to entropy or randomness of stored data may indicate outside encryption; a typical signature for ransomware. If this occurs, the right data management technology will help detect it and notify all the key stakeholders in the IT and security teams via multi-channel alerts including mobile, email, and UI or API.

As organisations continue to grapple with a threat landscape that grows daily and global ransomware proliferates to the point of occurring every few seconds, having the right data management technology is paramount for organisations’ preventive efforts, and provides for insurers with an avenue to continue offering ransomware insurance. Proactivity not only helps organisations to protect their operations and critical data, it helps to ensure trust with customers and maintain revenue. Unfortunately, every organisation will be faced with a ransomware attack at some point, how they respond and get back online must be the focus. The capabilities of best-in-class data management such as immutable backups and encryption, combined with a 3-2-1 approach to backups, and the implementation of multi-factor authentication, offer a path to a positive ransomware response and support business continuity.

1  https://www.verifiedmarketresearch.com/product/ cyber-insurance-market/ 5.95B

2 https://newsroom.ibm.com/2020-07-29-IBM-Report-Compromised-Employee-Accounts-Led-to-Most-Expensive-Data-Breaches-Over-Past-Year

PROMOTE YOUR WEBINAR ON ITWIRE

MORE INFO HERE!

INTRODUCING ITWIRE TV

SEE WHAT'S ON ITWIRE TV NOW!