It’s time to break the ransomware business model, says Jonathan Bridges, pictured, Chief Innovation Officer, at the network and cloud services company Exponential-e.
Ransomware attacks have grown well beyond isolated threats; they’re now big business for sophisticated cyber-gangs. In fact, startling figures reveal that ransomware attacks could cost businesses as much as £120billion globally. So as the ransomware business model becomes more refined and co-ordinated crime groups continue enhancing their ability to take down organisations, the saying “not if but when” has never felt more appropriate.
Despite this posing a huge threat to businesses, their overall attitude towards cybersecurity remains apathetic. In a recent survey of IT leaders a miniscule 15pc said they were prepared to face a ransomware attack.
This makes little business sense. A ransomware attack compromises a company’s ability to trade for between 20 and 30 days on average. That’s an enormous amount of time and money. An organisation with £100m turnover for example would likely lose around £274,000 per day in revenues in such a scenario, which is almost incomprehensible. But the only alternative is to pay up. And many business do, the UK has become the country most likely to pay cyber criminals with over 80% of businesses paying ransomware demands.
Ultimately, the ransomware cycle will continue as long as there is profit to be made. And that’s why defence has never been so important.
What is the ransomware business model? So how do we break what has become such a well-established business model?
First, we must understand what we’re up against. Ransomware as an industry is built on the damaging trend of businesses forking out millions to protect data, financials and reputations. It’s so lucrative – and perpetual – that for thousands of individuals around the world, conducting reconnaissance and co-ordinating these attacks is now a full-time job.
The business model itself is an intricate system comprising several important roles, including money specialists, data miners and coders. Grouped together they make up so-called ‘Co-Located Sophisticated Organised Crime Groups’, and are part of an efficient self-fuelling machine that only grows in power as legitimate businesses fall victim to attacks. These groups aren’t exclusively motivated by financial gain either, with some gangs now state sponsored and not beholden to financial profit from their efforts.
The risk of cyber apathy
With cybercrime growing in prominence every year and business success on the line, it’s hard to believe that defences are still lacking. It’s partly down to a common misconception that only large scale or well-known brands will be targets for attack, but this is simply not the case. No business is too small to be targeted.
Changing this apathetic mindset starts at the top. If a leader does not take security seriously the wider workforce will follow their lead, which considerably increases the chances of falling victim. Recent research found that employee apathy was high with one in three employees saying they do not understand the importance of cybersecurity at work. A quarter of employees also said they didn’t care enough about cybersecurity to mention if they had been involved in an incident, showing a clear lack of collective responsibility amongst the workforce.
While the statistics on ransomware success are worrying and facing up against these sophisticated enemies is a daunting prospect, we shouldn’t take it as given that attacks will be successful and become hopeless. Instead, we must be on the front foot, fortifying businesses with ‘military grade’ security that evolves and empowers business defence.
The case for military grade security
When we look at this digital war, we must look to the once-mysterious defence sector for security inspiration. Contrary to popular perception, it does not require major investment or a complete system overhaul; rather, it can complement and strengthen existing corporate solutions by cutting off threats at the source with airtight defence, and evolve in line with the fast-paced cyber landscape.
Solutions and expertise of this type are now more readily available too, even if you are not in defence inner circles. Air-gapping technology, for instance, promises to keep specified devices off main servers so they can act as back-ups or ‘safe zones’. These isolated environments are perfect for holding immutable data, and can be used to help business recovery in the event malicious actors gain access.
But above all, every security technology you choose to deploy should be accompanied by a recovery plan. We often advise our clients to adopt the 30/3/3 model as a rule of thumb, which mandates that they establish a clear understanding in advance of what data needs to be recovered in 30 minutes, three days, and three weeks should attackers subsequently strike gold. It’s an incredibly useful mantra in a crisis scenario as it removes the need for businesses to make tricky decisions about what data to salvage in the heat of the moment, and they can instead focus their efforts on mitigating potential chaos and saving data that is essential to keeping the business going.
Defending against a continually evolving threat is a never-ending job. Business leaders need to be vigilant in the face of apathetic attitudes, as they are synonymous with being an easy target. And likewise, the consequences of ransomware attacks and the ruthlessness of cybercrime groups cannot be underestimated. Both are crucial to dismantling the business model and protecting organisations in the future.
Businesses that are in the right mindset will recognise that threats are inevitable. And as such, they are in the position to ensure their defence and recovery plans are sophisticated enough to keep them safe in the evolving threat landscape.
