The Association of British Insurers’ (ABI) recent decision to include ransomware payments in first-party cyber-insurance policies raises many questions. This is good news on the surface, but it shouldn’t mean organisations can rest on their laurels.
After all, insurance payouts are only relevant after malicious actors have breached your network, and prevention remains a better outcome than remediation.
Of course, preventing an attack altogether and protecting against costly reputational damage is easier said than done. It requires maintaining data security and a robust, comprehensive strategy that incorporates cutting-edge tech tools with human expertise. Here, we’ll further explore the implications of the ABI’s decision and explain what you can do to keep your business safe in this rapidly evolving risk landscape.
Suggested reading: If you need help explaining cyber security to leadership, check out our free toolkit — Board Presentation Template: Cyber Security and Threat Management.
The Details About ABI’s Decision
In light of a rapid spike in cybercrime — nearly half of British companies experienced a cyber-attack in 2020 — the ABI has asserted its view that insurance plays a key role in minimising the risk of cyber-attacks and supporting post-attack business recovery efforts. The ABI also argues that its decision will play a vital role in supporting the UK government’s goal of increasing cyber resilience in the private sector.
However, many cyber security experts are understandably concerned about the broader implications this move will have on the risk landscape. Ciaran Martin, former Chief Executive of the National Cyber Security Centre, has stated that ransomware was already ‘close to getting out of control’ and believes that insurers providing payment support would only exacerbate the issue. Now a professor at Oxford University’s Blavatnik School of Government, Martin has likewise expressed worry that insurers are essentially ‘funding organised crime’ by accepting ransomware claims. He did concede, though, that the issue of ransomware is inherently too broad and complex for the insurance industry to address on its own.
Despite these concerns, the ABI defended its decision, noting that insurance isn’t intended to serve as an alternative to a larger risk management strategy. Instead, its sole intention is to protect firms that could face financial ruin without proper insurance coverage. An ABI spokesperson also reiterated that insurers will require companies to take ‘reasonable precautions’ against cyber-attacks, similar to those homeowners and car owners must take to deter thieves.
How Dangerous is the Current Ransomware Risk Landscape?
Unfortunately, the current ransomware landscape does look bleak. Over just the past year, the estimated cost of ransomware attacks has nearly doubled, from $11.5 billion in 2019 to $20 billion in 2020. For companies, the average cost of a malware attack comes in at $2.6 million, while the average data breach ends up costing a whopping $3.9 million.
There’s no question that social distancing measures and the accompanying shift to distributed workforces have played a significant role in the uptick and increased cost of cyber-attacks. For instance, the necessity of remote work has led to a rising number of Remote Desktop Protocol (RDP) services exposed directly to the internet. And today, 95% of companies do some work in the cloud. As we all know, a cloud presence — whether for internal functions or via solutions such as Microsoft 365 — increases the attack surface if it is not configured and managed correctly.
Here’s just a brief overview of how the landscape has evolved over the past year — and remember, as remote work carries on, all of these 2020 ransomware trends are likely to continue in 2021 and beyond:
- An increase in attacks and payment demands: Since the start of the pandemic, cyber-attacks have increased by 400%, and the average ransom payment amount increased by 104% from Q3 2020 to Q4 2020. Many experts predict that in 2021, more opportunistic hackers will make a point to target organisations’ most critical assets, prompting significantly higher ransom demands.
- New ransomware threats: At the beginning of 2020, 60% of ransomware attacks were carried out by three main variants (Maze, Phobos and Sodinokibi ransomware). By Q2, that figure had fallen to 30%, with the other 30% of that share now distributed amongst smaller and newer ransomware variants. Many of these variants are available on the dark web and delivered as ransomware-as-a-service (RaaS), which attracts novice hackers due to low upfront costs and minimal manual work. Simply put, there are now more threat actors seeking to take advantage of the current situation — and succeeding has become significantly easier.
- An increased focus on small and medium-sized businesses: 2020 saw a sharp rise in attacks against smaller businesses — in fact, 43% of breach victims considered themselves small- to medium-sized. Savvy hackers often scout their targets and customise payment demands based on an organisation’s size — there are even examples of hairdressers being targeted for amounts as small as £1,500. Of course, this trend only reflects the widening of the ransomware playing field — larger businesses and enterprises, particularly the financial industry and healthcare organisations, remain at increased risk in 2022.
- Double-extortion attacks: Paying a ransom and regaining access to data no longer necessarily marks the end of an attack. It’s critical to remember that once a breach has occurred, the ransomware operators likely still have access to the stolen data. Increasingly, expert hackers — particularly those deploying Conti ransomware — are using retained victim data in other ways, including returning with more demands or intentionally seeking to harm a company’s reputation via leak sites.
Ransomware Defence Best Practices
Tomorrow’s risk landscape looks even more treacherous than today’s. And as experts have noted, insurers’ inclusion of ransomware payments in coverage could indeed lead to larger (and in many cases, virtually guaranteed) payment demands from hackers. In turn, this could legitimise, embolden and incentivise these malicious attackers to continue striking.
So how should organisations respond to this new development? It’s critical to start by considering the merits of taking out an insurance policy that covers ransomware. After all, protecting your financial assets in the event of an attack must remain a priority — and that’s why this insurance exists.
However, it’s also critical to protect yourself in more direct ways. Attacks cost much more than just the ransom demand — they can also cost your company:
- Time, due to system downtime and disruptions to business-as-usual
- Reputational damage, due to having data leaked
- Lost sales opportunities
- Incident response, mitigation and recovery costs
- Legal costs and non-compliance fines
Being proactive means creating a robust and flexible cyber security system that limits your exposure to ransomware in the first place — but also one that can respond to an attack when it occurs.
Why Endpoint Security Matters
Ensuring that your company is adequately armed to operate in this risk landscape begins with investing in the right technology. For businesses working remotely, endpoint security strategy is key. Endpoint security focuses on protecting the overall network by securing user devices, known as endpoints, where 70% of all breaches originate.
That said, even the best technology can’t stand on its own. While smart tech tools can alert you to a problem and quarantine an issue, you really need real-time human expertise to eliminate and remediate the threat.
Managed Services Can Help
As the number of threats increases and the severity of attacks escalates, human expertise is increasingly in demand and difficult to come by. While it’s certainly possible to build a threat response team in-house, it’s not always practical, especially given the growing skills shortage of cyber security experts. For many businesses, the costly and time-consuming efforts around recruiting, hiring and retaining in-house talent pose a significant barrier to entry.
Fortunately, bypassing this issue is easier than ever if you partner with cyber security experts who can deliver high-level cyber security outcomes as-a-service. Managed detection and response (MDR) services, like those we offer at Six Degrees, play a vital role in most modern operations. Working with an MDR partner enables you to benefit from:
- More security
- More sophisticated resources
- Less cost
- Less risk
- Less tech to manage
For businesses of all sizes, combining the tech benefits of endpoint security with the human expertise offered by an MDR service is often the most efficient and effective way to minimise exposure and respond quickly to threats like ransomware.
Remember: the ABI’s decision — while intended to help businesses — is likely to incentivise attackers. Although insurance might help you recover the cost of a ransom payment, it won’t help you prevent an attack from happening in the first place, nor will it protect against other costly forms of damage.
Ready to arm your business for battle in the ever-evolving ransomware landscape? Check out our guide, Planning For the Future of Cyber Security Today, and learn how MDR can help you do more with less and future-proof your cyber security for 2021 and beyond.