By Jacqueline Jayne, Security Awareness Advocate, KnowBe4
Let’s talk for a moment about the exciting world of cyber insurance. Well, I suppose it’s not really that exciting until things go wrong. But that’s exactly what is happening all over the world with cyber criminals exploiting the situation with COVID-19 to ramp up their attacks. According to recent reports, coronavirus-related phishing attacks went up 667% in the month of March and every single country around the globe has now been hit with at least one phishing attack related to the pandemic.
With that in mind, cyber insurance has never been more important in an organisation’s survival strategy than it is now. But getting adequate cyber insurance in place has become harder in the last few months. Purchasing cyber insurance was finally becoming less difficult as precedents were set and costs were becoming more predictable with respect to ransomware and data disclosure cases. Due to this refinement, it has been far easier to figure out how much coverage was needed to recover from an event, whether it was ransomware or a data breach.
That has all changed with the new trend in ransomware infections – data exfiltration.
The New Ransomware Landscape
In the past, the ransomware would simply kick down the door and take data hostage, requiring a payment to gain access to it again. Initially this caught a lot of organisations off guard and the rewards for attackers were high. However, organisations quickly realised the importance of data backups and with the increased attention on the ability to restore data quickly and even to operate in absence of digital systems, the need to pay the attackers when ransomware did raise its ugly head dropped dramatically. This cut into the attackers’ wallets and they have decided to fight back.
Late 2019 saw the first real case of ransomware coupled with data exfiltration. The Maze ransomware strain released 2GB of data said to be exfiltrated during the ransomware attack earlier that month. No longer does the ability to restore data protect an organisation from these cybercriminals; now the risk includes unauthorised data disclosure. Thanks to COVID-19, the associated risk of data disclosure is suddenly even larger with the move to telehealth and online learning providing juicier targets for cyber criminals.
Impact on Cyber Insurance Planning
Under the old ransomware attack model, perhaps an organisation budgeted $1 million to cover recovery. This is often calculated on the costs associated with reimaging machines, digital forensics and monetary loss due to downtime while the environment has come to a screeching halt. Now, if in fact the attackers have exfiltrated data and exposed it publicly, organisations will have to deal with a different type of response.
If customer data is exposed, the organisation may have to set up a call centre and response website, deal with legal issues and potential regulatory fines, hold press conferences and involve public relations firms as well. Now that $1 million policy isn’t going to go far. Some of the costs can be shared; however, even shared services such as digital forensics will often carry additional charges. For example, the investigators not only have to look into how the attackers got in (hint: it is usually a phishing email or a remote access portal) and what malware or back doors they left behind, but now they also have to find out what data was exfiltrated and the extent of the customer data impacted.
Other Impacts of the New Ransomware Threat
Previously, ransomware attacks would often go unreported. This made sense: if no data left the organisation, the attack was limited to a few machines and operations were brought back online quickly, then in most cases there was no reason to report the event outside of the organisation. It had become just like any other annoying malware infection. Data exfiltration changes all of that. Now, if customer data is exfiltrated, especially if it was not encrypted on disk, you have a totally different set of reporting and notification requirements.
Defending Against the Attacks
Focusing on data backup and restoration is no longer enough to dodge the impact of ransomware. In fact, it never was. A better approach has always been to stop the infection before it happens. While some believe the issue is too big to prevent, this is simply not true.
There is no security control in an organisation that is 100% effective all the time. That “silver bullet” just does not exist, yet its absence is often used as an excuse to focus on recovery rather than prevention. That is a huge mistake and one that, now that data is being exfiltrated and exposed, is even more costly.
When it comes to defence, you do need to have good backups, however addressing the root cause is always required. With ransomware, the attacks almost always occur through a phishing email or through a remote access portal (such as Windows Remote Desktop Protocol or RDP) being insecurely exposed to the internet.
The most effective way to deal with phishing is through user awareness training, and technical people are often not the best trainers for non-technical employees. Not many people like to put together and deliver end-user training, but it is far too important to ignore.
With respect to the remote access issue, wherever possible, enable Multi-Factor Authentication (MFA), make sure to log all authentication attempts, lock accounts after multiple attempts and quickly report failures. This will help security professionals spot brute force attacks and reduce the chance that the attackers will be able to log in using credential stuffing techniques or common passwords (ironically two behaviours that should be addressed in training as well).
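The logging and lockout advice above is only useful if someone actually looks at the authentication failures. The script below is an added example (not from the article or from KnowBe4) that runs simple detection logic over a constructed set of remote-access login records. It assumes a simplified one-line-per-attempt log format (`<timestamp> src=<ip> user=<name> result=FAIL|OK`), a hypothetical policy of five consecutive failures before lockout, and a ten-minute detection window; the IP addresses are documentation ranges, not real hosts. It flags two patterns the article mentions: a classic brute-force run against one account, and credential stuffing or password spraying, where one source tries many different accounts once each and never trips a per-account lockout.

```python
"""Flag brute-force and credential-stuffing patterns in remote-access auth logs.

Assumptions (not from the article): a simplified log line format
'<ISO-8601 UTC> src=<ip> user=<name> result=FAIL|OK', a lockout policy of
FAIL_THRESHOLD consecutive failures, and a 10-minute detection window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5           # consecutive failures before an account locks (hypothetical policy)
SPRAY_USER_THRESHOLD = 4     # distinct accounts tried from one source within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# RFC 5737 documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2020-04-01T09:00:00Z src=203.0.113.5 user=admin result=FAIL
2020-04-01T09:00:20Z src=203.0.113.5 user=admin result=FAIL
2020-04-01T09:00:40Z src=203.0.113.5 user=admin result=FAIL
2020-04-01T09:01:00Z src=203.0.113.5 user=admin result=FAIL
2020-04-01T09:01:20Z src=203.0.113.5 user=admin result=FAIL
2020-04-01T09:01:40Z src=203.0.113.5 user=admin result=FAIL
2020-04-01T09:10:00Z src=198.51.100.7 user=j.smith result=FAIL
2020-04-01T09:10:15Z src=198.51.100.7 user=a.jones result=FAIL
2020-04-01T09:10:30Z src=198.51.100.7 user=m.lee result=FAIL
2020-04-01T09:10:45Z src=198.51.100.7 user=r.khan result=FAIL
2020-04-01T09:11:00Z src=198.51.100.7 user=t.wong result=FAIL
2020-04-01T09:30:00Z src=192.0.2.10 user=j.smith result=FAIL
2020-04-01T09:30:20Z src=192.0.2.10 user=j.smith result=OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one '<ts> src=.. user=.. result=..' line into an AuthEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                     src=kv["src"], user=kv["user"], ok=kv["result"] == "OK")


def parse_log(text):
    """Parse all non-empty lines and return events in time order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_users_in_window(failures, window):
    """failures: list of (ts, user). Max number of distinct users inside any window."""
    failures = sorted(failures)
    best = 0
    for i, (t0, _) in enumerate(failures):
        users = {u for t, u in failures[i:] if t - t0 <= window}
        best = max(best, len(users))
    return best


def detect(events):
    """Return lockouts, brute-force pairs and credential-stuffing sources."""
    fails_by_pair = defaultdict(list)   # (src, user) -> failure timestamps
    fails_by_src = defaultdict(list)    # src -> [(ts, user)] failures
    streak = defaultdict(int)           # user -> consecutive failures (reset on success)
    lockouts = {}                       # user -> time the lockout policy would fire
    for e in events:
        if e.ok:
            streak[e.user] = 0
            continue
        fails_by_pair[(e.src, e.user)].append(e.ts)
        fails_by_src[e.src].append((e.ts, e.user))
        streak[e.user] += 1
        if streak[e.user] == FAIL_THRESHOLD and e.user not in lockouts:
            lockouts[e.user] = e.ts
    # Brute force: one source hammering one account past the lockout threshold.
    brute_force = {pair: len(ts) for pair, ts in fails_by_pair.items()
                   if max_in_window(ts, WINDOW) >= FAIL_THRESHOLD}
    # Credential stuffing / spraying: one source, many accounts, few tries each,
    # so per-account lockout never triggers and only a per-source view catches it.
    stuffing = {src: sorted({u for _, u in f}) for src, f in fails_by_src.items()
                if max_distinct_users_in_window(f, WINDOW) >= SPRAY_USER_THRESHOLD}
    return {"lockouts": lockouts, "brute_force": brute_force,
            "credential_stuffing": stuffing}


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

The point of the second detector is the one the article hints at: an account lockout policy stops the brute-force run against `admin`, but the spraying source never fails the same account twice, so it is invisible to per-account counters and only shows up when failures are grouped by source. Feeding real RDP or VPN gateway logs into this would mean replacing `parse_line` with a parser for that product's format; the thresholds and window are starting points to tune against the organisation's own baseline of typos and forgotten passwords.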
Ransomware is not going away any time soon and COVID-19 is making things worse than ever. Organisations would be wise to review current cyber insurance coverage to ensure that it meets the new threats of ransomware attacks. In addition, it makes more sense than ever to tackle preventative measures such as new-school security awareness training and reviewing the configuration and controls around remote access portals to avoid these types of issues in the first place.