Paying, risks harming shareholders and possible public shame if your business was brought to a halt by a teenager in their bedroom, so it would seem like the lesser of two evils to take the first option, but in reality, the consequences could be much worse.
Companies that pay up are more likely to be hit again by organised crime gangs that run cyber operations on the scale and level of technological sophistication of a call centre and are only too willing to sell on your details. Even worse, your ransom money could find its way to a proscribed terrorist organisation or to hackers based in a country blacklisted by the USA. Then the police or the security forces could be paying you a visit.
Since the start of the COVID-19 pandemic there’s been a large increase in cybercrime. Criminal gangs have discovered that cybercrime is an easier, safer and more lucrative alternative to drugs or prostitution, especially while COVID-19 is disrupting markets. They also know that many victims would rather pay to avoid bad publicity and disruption.
Payouts are increasing and so is the cost of insurance. Almost half of UK businesses and a quarter of charities have reported cybersecurity breaches or attacks in the last 12 months, according to a Government report.
Many suspect that increased payment is down to insurers deciding that it’s cheaper to pay up than face the cost of media and legal bills, not to mention recovering a business’ IT system. A bitcoin payment could just as easily be received by a hostile state as a lone hacker, but as far as the US Government is concerned, ignorance is no defence. Forensic investigators have tracked payments to countries which are under US economic and trade sanctions because they sponsor terrorism or violate human rights.
The US Treasury has warned insurers and companies that paying a ransom into a country under sanctions could be a breach of US law and face substantial fines or even prison.
Hackers are targeting large companies, local governments and even hospitals because they can pay up. They also go after the customers of certain insurers known to be prepared to cave in to a ransom demand. It is well worth checking your cybersecurity insurance cover, but what else can you do to protect yourself?
What Are Your Options After a Security Breach?
Once the post-attack clean-up is done the inevitable review recommends more staff training, erecting stronger firewalls and investing in more sophisticated anti-virus software but Secrutiny’s Ashley Langley believes they miss the point:
“Board CIOs focus too much on cybersecurity, investing in prevention even though they know it’s only a matter of time before hackers find a way through with more advanced ransomware, but they overlook the recovery option. Their company would be in a much better position with their shareholders and customers if everyone knew that they had systems in place to ensure they could survive with minimal damage to their operation and reputation. In effect, the company would have a big, red ‘reset’ button they could hit, which meant they would be operational again the next day instead of weeks later. Then the board could tell the hackers what they could do with their ransom demand.”
Given the tough choices facing a board of directors during a cyberattack, it isn’t easy to do the right thing, morally and practically; but in this case, the cure may just be better than prevention.
A list of almost 50,000 Fortinet VPN devices vulnerable to CVE-2018-13379 has been leaked to a hacker forum. Researchers have commented that slow patching procedures have left a large number of organisations vulnerable to the two-year-old exploit.
It is by understanding the biggest risks to your sector, that you will understand the most effective ways of managing those risks. And with healthcare becoming one of the most vulnerable and highly-targeted industries in the world – it’s time we addressed the issue…
Secrutiny, a cybersecurity managed services company and incident response specialist, expands into Europe via Dutch subsidiary. Headquartered in Amsterdam, led by regional managing director Patrick van Arendonk, Secrutiny NL will be the company’s first office in continental Europe.