Companies that pay up when hit with a ransomware demand don’t always see an immediate end to their troubles, according to the Global Ransomware Report 2018 from endpoint security specialist SentinelOne.
The report covers a survey of decision makers in IT and in risk, fraud or compliance roles at 500 organisations with at least 1,000 employees. Almost six in ten respondents (56%) said they had suffered at least one ransomware attack in the last year, compared to under half (48%) in 2016.
The bad news for those paying up is that nearly six in ten of those whose organisations had paid a ransom said that the criminals then tried to extort a second ransom. A further 42 per cent said the extortionist did not decrypt the affected files, and 38 per cent said that the extortionist still released confidential data after the ransom had been paid.
It seems, then, that the answer is not to respond to demands, but to put in place protection and recovery plans that reduce the risk and impact of an attack and speed up the recovery time if the worst happens. Companies that didn’t pay up often said that they simply didn’t need to, as they had back-ups or were able to decrypt the data themselves.
Learning from the NHS and WannaCry
A National Audit Office report into the WannaCry attack on the NHS, which caused disruption in at least 34 per cent of NHS trusts across the country in May 2017, pointed towards some key vulnerabilities – all of which can affect organisations of any size and across any industry.
NHS Digital, the national provider of information, data and IT systems across health and social care, told the report authors that all the organisations affected had unpatched or unsupported Windows operating systems, making them vulnerable to ransomware – and they could have taken relatively simple steps to protect themselves.
Whether organisations had patched their systems or not, simply taking action to manage their firewalls would have guarded against infection.
NHS Digital also found that, in general, trusts had tended to overestimate their readiness to manage a cyberattack and this reflected a lack of understanding of the nature of cyber risk. While the Department of Health had developed a plan for responding to a cyberattack, that plan had not been tested at a local level.
Important questions for risk managers
The issues identified within the NHS investigation raise important questions for all risk managers. Some of these also echo the questions that the Journal of the Association of Healthcare Internal Auditors suggested internal auditors ask themselves in its focus on ransomware in early 2017. Key points for risk managers to consider include:
Are your company’s operational systems and software up to scratch?
Is there a system in place to ensure patches are installed and anti-virus software is kept up to date? Is there a plan (that has been tested) for what to do in the event of a cyberattack, including everyone’s roles and responsibilities?
Is everyone in the organisation taking cyber security seriously?
The NHS is now working to ensure organisations – including their boards and staff – are taking the cyber threat seriously and working proactively to maximise their resilience. Is the same happening in your organisation?
Are resiliency and ongoing protection part of your company’s planning?
Are there systems in place to track and respond to new threats and keep risk assessments up to date? Is endpoint protection in place? Is it advanced and kept updated? Does your software not only detect malicious incoming traffic but also block access to malicious websites?
Is there a plan in place for when the worst happens?
Has your organisation risk assessed the potential business impact of its data being encrypted following a ransomware attack? Has each part of your company’s network been risk assessed separately? Have you tested how your organisation will recover from a ransomware attack? How are you ensuring that everyone in the organisation is aware of how to avoid an attack?
A word to the wise – don’t underestimate the importance of employees knowing exactly what they should or shouldn’t do if attacked. A third of respondents in the ransomware report that had been attacked said that an employee had paid a ransom in the past without the involvement or sanction of IT/security departments.
The potential cost of a ransomware attack isn’t limited to any pay out: there’s also the interruption to business, damage to reputation, and operational time spent fixing the problem to take into account. As the survey shows, paying out in no way guarantees the immediate return to normal service that a company may expect.
Cyberattacks are a growing threat and while it may be impossible to prevent one, by looking at the threat and its mitigations, risk managers can take their place on the frontline of defence.
Develop your knowledge of the business risks posed by the digital world with the IRM’s training course, Managing Risk in a Digital World.
Test your knowledge with the IRM’s digital risk quiz.