Ransomware: what IT contractors' defence preparations should involve

A look back over the last year will show that cyber-attacks have been on the rise regardless of the increased awareness around cybercrime. One of the most common cyber-crimes is ransomware and malware attack. Indeed, ransomware costs have been projected to exceed $20 billion by the end of 2021.

Ransomware involves small fortunes

The biggest ransomware payments to date were made by some of the largest, best-resourced businesses. For example, US$10m was paid by cloud computing firm Blackbaud; $11m by JBS Food; and to top it all, $40m was paid to attackers by CNA Financial. Last week, the financial office of the government of Papua New Guinea joined the long list of ransomware victims.

And all this is without even including ransomware attacks which aren’t making the headlines but still have the power to upend operations – those attacks on smaller businesses such as consultancies, recruitment agencies, umbrella companies and freelance technology suppliers, writes Anthi Pesmazoglou, legal consultant at Gerrish Legal.

All of these ‘lower hanging fruit’ tend to hold high volumes of sensitive data and, for lacking a departmental team of security experts behind them, may be even more vulnerable from a security perspective.

What are the most common challenges for cyber-defence teams?

With the introduction of increasingly sophisticated antivirus technology and increased global security standards, one might think that cyber-crimes are on their way to extinction. However, as long as we live our lives in the digital world, we will be susceptible targets for cyber criminals. But if we can’t protect ourselves from hackers, then it is the responsibility of businesses, regardless of their size, to take adequate measures to provide a safe environment for their users.

This is easier said than done as, in a recent research by security firm Deep Instinct, CISOs and SecOps teams have clearly identified the challenges businesses are facing on a daily basis.

In the research, all but every one of the survey respondents (99%!) reported that they did not believe all their endpoints were protected by at least one security agent. Another risk identified was exposed cloud storage and malicious file uploads. And the respondents admitted to a lack of qualified security and operations staff, which causes challenges for incident response.

But most importantly from our perspective as an information law firm, is the time taken to resolve identified threats. It is mostly alarming, because the “slow response time is a critical factor causing a majority of industry professionals to believe that it is not possible to fully prevent ransomware and malware attacks,” the security firm said. All the security concerns point to the imperative need for organisations to adopt a ‘security-first’ strategy to combat the gaps that exist in their security posture.

Security incident, or privacy incident?

A cyber security incident is typically an incident of cyber fraud involving some degree of service interruption or data loss. These can range from phishing or malware attacks - including viruses, worms, trojans, spyware, rootkits and the like. 

What is Ransomware?

We take Ransomware to mean malware that employs encryption to hold a victim's information at ransom. Fundamentally, a user’s or organisation's critical data is encrypted so that they cannot access files, databases, or applications, and a ransom is then demanded to provide access.

Put another way, ransomware attacks work by gaining access to your computer or device, and then locking and encrypting the data stored on it with no restoring of access to that data unless you, the rightful owner of the data, pays up.

Further irritatingly for victims, when a ransom is demanded of them, there's no guarantee their data will be restored if you pay that ransom. Even if you pay, the attackers may never give you the decryption key.

What is Malware?

A malware attack is a common cyberattack where malware - normally malicious software - executes unauthorised actions on the victim's system. The malicious software (or ‘virus’) encompasses many specific types of attacks such as ransomware, spyware, command and control, and more.

What is a personal data breach?

According to the UK data protection watchdog, a personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just about losing personal data.

Personal data breaches can include access by an unauthorised third party; deliberate or accidental action or inaction by a data-controller or data-processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; and loss of availability of personal data.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed -- if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

Delayed response times, and other issues

It takes security teams nearly 48 hours for a typical cyber incident to be resolved once a threat has been detected (according to the Deep Instinct survey which polled 1,500 security professionals).

That delay is because it is hard to orchestrate an incident response plan, especially when the impact of the security incident is global and different legal rules have to be considered in different jurisdictions. For example, if a security incident is also considered a personal data incident for impacting individuals’ privacy rights, one might have to follow different procedures of reporting the data breach to local authorities which can be increasingly complex. This is a major consideration as not only can it impact more individuals, but also can trigger high fines. For example under the GDPR, businesses can get fined 4% of their annual turnover regardless of the size of the business.

How to prepare for a cyber-security incident

Many IT contractors will be well-versed in how to prepare for a cyber security incident. But we provide the following as a bare minimum preparation kit, especially in light of that key finding -- that more than eight in 10 respondents don’t think it is possible to fully prevent ransomware and malware attacks from compromising their organisation’s defences.

1. Adopt adequate technical safeguards including firewalls, anti-virus software, access controls.
2. Invest in other non-tech safeguards such as cybersecurity insurance.
3. Comply with ISO and other industry standards, so you can effectively ‘tick off’ vulnerability boxes and understand what technical safeguards are required for your business and, where appropriate, your client’s business.
4. Don’t leave preparation for a ransomware attack to someone else, set up an incident response plan and always test your plan based on the worst-case scenario.
5. Identify the right / lead supervisory data protection authority to handle a potential data breach.
6. Know where you’d go for legal advice, and ask for some in advance, to ensure you have adequate contractual safeguards and internal policies.
7. Build your SeCoPs’s team skills (even if that team has just one member -- you), and ensure you have the right resources and solutions to hand.
    

And finally, here's the mindset you need...

As to our final and seventh recommendation, above, it might be fitting to give the survey authors the final word.

So, Deep Instinct says that because ransomware can cause significant damage in just a short amount of time,  a ‘prevention-first’ mindset is key.

“Attacks need to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more, which is too long to wait,” the firm adds. “Organisations need to invest in solutions that use technology such as deep learning which can deliver a sub-20 millisecond response time to stop a ransomware attack, pre-execution, before it can take hold.”