PropertyCasualty360, March 25, 2020, with comments by Willy Leichter;
As cyberattack risks are set to increase sharply in the coming months and years, no one is immune and many are unprepared.
As we see new victims in the daily news falling prey to cyberattacks, public entities are especially vulnerable to cyberattacks. They typically don’t have big IT or security budgets and the public’s reliance on them increases the pressure to pay ransoms and restore services.
This year the Internet turned 37. Billions of people rely on it every day for information, entertainment, employment opportunities, services and much more. But so too are the avenues it provides for criminals to take advantage of businesses, public agencies, and individuals.
As the Internet gets older, its services may be getting better but its threats are also getting bigger. Just for quick reference, below are the Top 15 Data Breaches in the last 15 years.
In 2019, more public places such as cities and schools were targeted by cybercriminals than previously seen. Ryuk ransomware has been a common attack in recent months, earning a reputation for going after large enterprises, government and city networks.
Ransomware has gotten a lot of attention of late as strikes are occurring at an alarming pace. This is in part because ransomware is a hacker’s useful tool to take control of the victim’s data by encrypting their files. Ransom malware is a relatively easy attack to levy as a first-level attack and it carries the promise of a high payoff. Monetary demands have risen from the tens of thousands five years ago up to the millions now. And there’s no shortage of other types of attacks being carried out as well.
Willy Leichter, vice president of marketing & product management at Virsec says, “Preparing for data breaches, ransomware incidents and spoofing attacks are all legitimate concerns for organizations with limited resources. However, there are multiple levels to consider.”
The next level up from ransomware brings efforts to invade victim’s infrastructure and spy on activity, which requires more sophistication.
Leichter says attackers are very patient, adding that unless they make a mistake and are exposed, it can be years before they’re discovered. “There is a lot of malware out there that is in our infrastructure that hasn’t reared its head yet, but it has the potential to be remotely controlled and activated to do something bad,” says Leichter.
Another concern is a new class of attacks called memory-based attacks that infiltrate software while it’s running, as opposed to some virus that comes in on a disk or USB that “explodes when plugged in.” Leichter says these attacks often steer information to the wrong memory location — like with the WannaCry and NotPetya attacks. “That’s kinda the new frontier,” says Leichter.
While most attacks tend to have a financial motive, some attacks are politically or ideologically motivated in order to simply cause the destruction of systems. Leichter says examples of attacks that fit these criteria haven’t been worst-case scenarios, but it doesn’t take a lot to cause disruption and fear. For example, if a power grid went down for a few hours, the psychological impact and damage can be significant from a relatively short disruption period.
When an organization is hit with ransomware, business as usual ceases immediately. The ramifications of the halted operations also include great cost, even if the ransom isn’t paid. In fact, sometimes the ‘cheapest’ way out of the situation is to pay the ransom.
One example of a public entity being vulnerable to cyber attack was the city of Baltimore. Baltimore suffered a ransomware attack last year and they were among many others. In Texas, 23 cities were struck in the same timeframe. Baltimore’s mayor refused to pay the ransom (the cities in Texas also refused). Baltimore's ransomware hit cost them $18 million in lost revenue from disruption, repairing systems, possible fines and more. After the fact, they considered cyber insurance. In 2017, forty-four percent of local governments had some kind of cyber insurance coverage.
When companies believe they can’t stop a ransomware attack, they might pay the ransomware or they might hope their cyber insurance will be their saving grace. Cyber insurance policies vary widely and organizations should analyze them closely. Sometimes paying ransom jeopardizes a policy. Other times, insurance companies advocate paying the ransom to avoid the even higher costs of recovering the data and managing the fallout.
Cities like Baltimore can get their own plans and smaller municipalities can band together for group coverage. A company’s security status matters as well. When companies purchase cyber insurance, they must fill out risk assessment forms used to set rates. If a company’s security practice is deemed to have been lacking or behavior negligent after a breach, that can be grounds for an insurance company not to pay out.
The FBI of course presses organizations not to give in to ransom demands, the same way governments usually follow the policy of not negotiating with terrorists. But each company makes their own decision and desperate times can bring less logical reactions.
The ever-increasing ransomware and data breach headlines should motivate more companies and public entities to purchase coverage. But cyberinsurance is no guarantee and many businesses and agencies remain unprepared. Not being prepared is a planning for failure. Selecting appropriate insurance coverage combined with a healthy, layered security plan and human training equip companies to be in a much better place or readiness to avoid the data breach nightmare.
Read full Public entities are under (cyber)attack article
Further resources:
Solution Brief: Ransomware Protection
2-Minute Virsec Story
Ransomware Attacks Rising Against Many Cities, Striking Local Governments & School Campuses
It’s October, Cybersecurity Awareness Month, & Ransomware Is the Biggest Fight We’re Losing