While it is generally accepted that cybercrime has been getting more sophisticated over time, the recent sharp rise in ransomware attacks, exacerbated by increased remote working and low oversight of systems, suggests we are entering a new domain of criminal activity with catastrophic consequences if it is not carefully managed.
Before 2017, ransomware attacks were small and sporadic; demands were low and there were relatively few enterprise-scale attacks. Following the 2017 NotPetya outbreak, which began in Ukraine and caused collateral damage on a global scale, there was a surge in attacks the following year, with the introduction of new strains of ransomware and, later, ransomware-as-a-service groups such as DarkSide. These groups lowered the bar to entry by allowing affiliates to sign up for an account and offering services such as payment gateways. Some even provide media relations support so that attacks get press coverage and cause reputational damage.

Most ransomware groups now attack indiscriminately; the organisations they get into are the ones with exploitable weaknesses. They have also become more strategic about pricing: demands are pitched low enough that the victim will pay but high enough that the attack is profitable. Beyond the payment itself, a common tactic today is double extortion, where data is stolen before systems are locked. The exfiltration of personal data is already a personal data breach under the UK GDPR, with its own notification obligations, and the attackers then threaten to publish the stolen data to increase the pressure to pay.

With all this in mind, worryingly few organisations are safeguarding themselves against cyberattacks, whether through insurance or through robust internal risk mitigation measures. In the UK, only around 30 per cent of large companies and 10 per cent of smaller companies have adequate protection through their cyber insurance programme.
Over the last two years, the frequency and severity of claims have gone up. At the same time, organisations are becoming less inclined to pay ransoms, which may be because many of them are taking a principled stance in an effort to limit reputational risk. The problem is that news of an attack usually gets out anyway. With insurance claims becoming more substantial, cyber insurance is seen as extremely valuable by those who have it, not just for the cover but also for the advice that comes with it.
While insurers are, for the time being, still providing coverage for ransomware attacks, it is not within their remit to advise companies on whether to pay a ransom. They can, however, provide guidance on whether a threat is credible, whether there are legal issues to address (such as sanctions on the recipient of a payment) and whether forensic investigators need to be brought in to establish what actually happened. When an organisation purchases cover, insurers will want to know what controls are in place: for example, whether remote access to its systems is properly secured, such as with multi-factor authentication.
The outlook for how ransomware attacks will be handled by the Scottish government remains uncertain. It may eventually make ransom payments illegal or mandate more information-sharing, with a direct line to the National Cyber Security Centre, which can investigate. In the meantime, it is incumbent on both public and private organisations in Scotland to safeguard their systems, their processes and, ultimately, their end users. With the lightning-speed pace of digitisation, the risk of becoming a victim of ransomware is exceedingly high.
Ben Bailey, CEO Scotland and Northern Ireland, Marsh Commercial