Thwarting ransomware attacks

As insurers tighten standards on ransomware risk, safety measures become even more important to securing coverage.


The Colonial Pipeline ransomware event illuminated the dark deeds that cyber extortionists perpetrate every hour on businesses of all sizes and types, though few of the attacks have the news value of causing massive fuel shortages.

From 2019 through 2020, ransomware payments using cryptocurrency increased more than 300%. Nearly six-in-10 (59%) of U.S.-based companies experienced a ransomware attack in 2019, with only 25% of the organizations able to stop the attack before their data was encrypted and/or exfiltrated by the extortionists, according to a survey of IT managers by Sophos in early 2020.

Cybercriminals are learning how to go “big game hunting” within company systems as they broaden the scope of industries to attack. For instance, while healthcare and financial services companies have long been favorite targets, law firms are increasingly being attacked due to the sensitive client data they store. Last year, one New York law firm faced a $42 million ransom demand. The average payment reported by U.S. organizations in a 2020 survey by CrowdStrike was slightly below $1 million.

Cyber insurance can lessen the financial impact of ransomware incidents. But the proliferation of such attacks has driven up the cost of cyber insurance. Many insurers have tightened underwriting standards, with some exiting the cyber insurance market, according to the Institute for Security and Technology. The silver lining is that the remaining carriers tend to have the deepest experience in working with companies to help analyze and manage the risk.

To better guard against ransomware and secure the best cyber coverage on the most favorable terms, companies of all sizes need to make sure they have strong risk mitigation plans and procedures in place. Large companies typically have the resources to support these strong risk mitigation efforts, but many mid-sized and small companies have lagged. Our Mid-sized Company Risk Report survey indicates that 40% of mid-sized companies do not have a digital risk management strategy.

Best practices for thwarting ransomware attacks

The best defense against a ransomware attack is to understand the tactics of cybercriminals to better prepare for and respond to incidents (more on these best practices below).

Most ransomware attacks are designed to interrupt business flows until a ransom is paid; others are predicated on extortion — to exfiltrate sensitive or confidential data and threaten to release this information to the public or competitors. While a company can back up its data and network to minimize interruption caused by a traditional ransomware attack, this form of protection is inadequate in a cyber extortion scheme.

We’ve summarized a few of the best practices companies can follow to minimize risk and make robust insurance coverage easier to secure, drawn from the September 2020 Ransomware Guide put out by the Multi-State Information Sharing & Analysis Center:

  1. Train employees to recognize and report suspicious cyber activity such as phishing. Implement regular tests to assess employee competence and remind them of the latest tricks used by criminals. Microsoft reports that 90% of attacks start with an email. Employees are often the weakest link in this first line of defense.
  2. Use programs and services that automatically evaluate incoming emails to filter out those with indications of malicious intent, such as subject lines or IP addresses associated with criminal activity.
  3. Use multifactor authentication (MFA) for as many services as possible and especially for entry points that have access to critical systems. For all accounts with administrative access, MFA should be required. MFA can help thwart credential-based attacks.
  4. Segment the data and technology network by different business or functional area assets, ensuring the most sensitive systems and data have the highest level of control. Segmenting can slow an intruder’s ability to move through the network in a search for the most valuable prize. This includes both information technology and operational technology systems.
  5. Have a process for evaluating and monitoring your service providers who have access to your company’s systems. As the recent SolarWinds incident proved, third parties can provide an entryway for criminals.
  6. Encrypt and back up data and critical system images, and store multiple copies in different storage types with at least one backup maintained offline. Regularly test the backups and maintain backup hardware. The backup can lessen the need to pay a ransom to unlock data and may speed the process of getting the organization back to full operations. While the backup won’t solve the entire problem if the data has been exfiltrated, it can reduce the urgency to pay the ransom because the company can get back to full operations using the backup.
  7. Lastly, it is important to understand that some laws prohibit the payment of a ransom to certain entities.

How cyber insurers can help

Regardless of company size, working with an insurance company that offers specialized cyber insurance coverages can help all businesses assess and improve their cyber risk profile. Specialized cyber insurance policies may provide coverage for not just the ransom payment but also the costs of the business interruption and related expenses like data breach notification, forensics costs, regulatory defense and penalties, public relations and credit monitoring, among other costs.

Leading providers often support their insurance policies with resources that are designed to help companies understand their exposures, establish a response plan, and minimize the effects of a breach on the business.

For the large companies that already have strong risk mitigation practices in place, the key issue becomes understanding the complexity of their exposures and tailoring coverage accordingly and in concert with their broader insurance program. Expert cyber underwriters, working closely with their partners in claims, can walk companies through different scenarios to build a better understanding of risk, customize coverage terms and conditions, and ensure confidence in how the insurance policy will react.

At a time when the number of available cyber insurers is decreasing and the cost of cyber insurance is increasing, the best practices cited above will help thwart a ransomware attack, while improving a company’s cyber risk profile to help secure optimal cyber insurance protection.

Meredith Brown is vice president at global insurer QBE North America.

Megan Scully is a senior vice president, financial lines claims, at global insurer QBE North America.

Opinions expressed here are the authors’ own.
