Globally cyber policies require a revamp to be more in line with the new work environment.
Cybersecurity control failures was listed as the top emerging risk in the first quarter of 2021 in a global poll of senior executives across function and geography, according to Gartner’s Emerging Risks Monitor Report.
Despite a myriad of risks resulting from the pandemic, such as the new work environment and environmental, social and governance (ESG) concerns, cybersecurity risk was singled out with notable consistency across all geographic regions and most industries, cited by 67 per cent of respondents. The next highest cited risk, “the new working model” was cited by 43 per cent of respondents.
“Many organisations were forced to implement quick fixes to serious operational gaps as a result of their initial pandemic responses,” said Matt Shinkman, vice president with the Gartner Risk and Audit Practice. “Nowhere has that been more apparent than in cybersecurity policies that have prioritized on-premises security over secure remote work access.”
According to Shinkman executives responsible for these areas are realising that the time to enact more sustainable and robust policies is now.
Internal risks related to a company’s operational and cultural capacities continued to be most pressing to the executives polled and made up the top five emerging risks selected in the firs quarter 2021, despite no reprieve from external risks including navigating an uneven global vaccine rollout, added ESG regulatory requirements and looming potential changes to the corporate tax environment.
High-Impact, High-Velocity Risk
The roots of executive concerns around cybersecurity control failures come from the hasty implementation of remote work brought on by the pandemic and ensuing lockdowns. IT teams were forced to quickly scale up VPN access to the entire organization. Security teams had to immediately reorient their risk postures from a focus on securing on-premises operations to developing remote work access policies on the fly. While access management issues were a focus of the initial response, consensus among executives polled suggests that more work needs to be done as increased remote work becomes a permanent feature of the new work environment.
Previous Gartner research identified the key trends for security and risk management in 2021, with recommendations including a shift towards identity-first security and moving endpoint protection services to the cloud.
In addition to ranking first on the list of emerging risks this quarter, cybersecurity control failures also ranked third overall in “risk velocity,” an additional metric that Gartner tracks in the Emerging Risks Monitor Report. When assessing risk velocity, Gartner analyses executive polling data and overlays additional analysis of how fast-moving the risk is and how impactful it would be should it materialize. Failures in cybersecurity control trailed only a protracted vaccine rollout and reputational risks from citizen journalism in the risk velocity analysis.
“Risk velocity can help executives see blind spots of emerging risks that might be moving towards an organisation quickly, but aren’t appreciated yet by their peers,” said Shinkman. “However, in the case of cybersecurity risk, it’s good to see that the level of awareness among executives matches the severity of the risk facing their organisations.”
Prevalence of ransomware attacks
While the level of awareness of cybersecurity risk is high, so is the prevalence of global ransomware attacks. Sophos’ recently released State of Ransomware 2021 indicates, India has the dubious honour of topping the list with 68 per cent of respondents reporting that they were hit by ransomware last year.
While the ransomware actors that make the headlines are often based out of China, North Korea, Russia, and other former Eastern Bloc countries, SophosLabs sees high levels of domestic ransomware in India, i.e., Indian adversaries attacking Indian companies.
Japan stands out as a developed economy with incredibly low levels of ransomware – just 15 per cent of respondents reported being hit by ransomware last year. Japan traditionally reports exceptionally low ransomware levels in our annual surveys. It may be that Japanese organizations have invested heavily in anti-ransomware defences, or that the unique nature of the Japanese language makes it a more challenging target for adversaries.
Retail and education experienced the highest level of attacks, with 44 per cent of respondents in these sectors reporting being hit. Healthcare, which often hits the headlines for ransomware attacks, actually reported slightly below average levels of attacks, with 34 per cent of respondents saying their organization was hit.
The sector’s over-representation in news reports is likely due to regulatory obligations that require healthcare organizations to reveal an attack, while many commercial organisations can keep them private. The impact of ransomware Encryption is down. Extortion is up.
According to Sophos the organisations hit by ransomware whether the criminals succeeded in encrypting the data. 54 per cent said yes. 39 per cent were able to stop the attack before their data could be encrypted, while 7 per cent said that their data was not encrypted but they were held to ransom anyway.
Over the last year there has been a large drop in the percentage of attacks where the criminals succeed in encrypting data, down from 73 per cent to 54 per cent, with many more organizations now able to stop the attack before the data could be encrypted. This indicates that the adoption of anti-ransomware technology is paying off.
However, we also see that the percentage of attacks where data was not encrypted but the victim was still held to ransom has more than doubled. Some attackers are moving to extortion-style attacks where instead of encrypting files they steal and then threaten to publish data unless the ransom demand is paid. This requires less effort on their part – no encryption or decryption needed. Adversaries often leverage the punitive fines for data breaches in their demands in a further effort to make victims pay up.
Distribution and transport are the sectors most able to stop attackers encrypting files (48 per cent), closely followed by media, leisure, and entertainment (47 per cent). Conversely, local government is the sector where organisations are most likely to have their data encrypted in a ransomware attack (69 per cent).
This is probably due to the double whammy of:
- Weaker defenses: In general, local government organisations struggle with lower IT budgets and stretched/limited IT staff.
- Increased attacker focus: Due to their size and access to public funds, government organizations are often considered lucrative targets, and therefore the focus for more sophisticated attacks. Plus local government is also the sector with the second highest propensity to pay the ransom. The State of Ransomware 2021 9 A Sophos Whitepaper. April 2021 Central government and non-departmental public bodies (NDPB) is the sector most likely to experience extortion (13 per cent).
Healthcare experiences a below-average number of attacks. However, attackers succeed in encrypting files in almost two-thirds (65 per cent) of incidents, which is considerably above average.
Energy, oil/gas, and utilities is the sector most likely to pay the ransom, with 43 per cent of respondents from those organisations submitting to the ransom demand. This sector typically has a lot of legacy infrastructure that cannot easily be updated, so victims may feel compelled to pay the ransom to enable continuation of services.
Local government reports the second highest level of ransom payments (42 per cent). Interestingly, this follows the earlier finding that local government is the sector most likely to have its data encrypted. It may well be that the propensity of local government organizations to pay up is driving attackers to focus their more complex and effective attacks on this audience. There appears to be a link between an organisation’s ability to restore data from backups and their likelihood of paying the ransom.
Manufacturing and production is the sector least likely to pay the ransom and also the sector most able to restore data from backups (68 per cent). Similarly, construction and property, as well as financial services, have both below-average levels of ransom payment and above average ability to restore their data from backups. Central government and NDPB has been excluded from this chart as the base is too low to be statistically significant.
Anecdotally, of the 23 organizations in this sector whose data was encrypted, 61 per cent reported that they were able to restore data from backups and only 26 per cent paid the ransom. This indicative finding may help explain why this sector is a particular focus for extortion style attacks.
Of the 357 respondents who reported that their organization paid the ransom, 282 also shared the exact amount paid. Across this cohort, the average payment was US$170,404.
However, the spectrum of ransom payments was very wide. The most common payment was US$10,000 (paid by 20 respondents), with the highest payment a massive US$3.2 million (paid by two respondents).
These numbers vary greatly from the eight-figure dollar payments that dominate the headlines for multiple reasons. Ransomware actors adjust their ransom demand in line with their victim’s ability to pay, typically accepting lower payments from smaller companies.
The data backs this up, with the average ransom payment for 100-1,000 employee organisations coming in at US$107,694, while the average ransom paid by 1,000 to 5,000 employee organisations was US$225,588.
There are many ransomware actors and many types of ransomware attack, ranging from highly skilled attackers who use sophisticated tactics, techniques and procedures (TTPs) focused on individual targets, to lower skilled operators who use ‘off the shelf’ ransomware and a general ‘spray and pray’ approach.
Attackers who invest heavily in a targeted attack will be looking for high ransom payments in return for their effort, while operators behind generic attacks often accept lower return on investment (ROI).
Attackers target their highest ransom demands on developed Western economies, motivated by their perceived ability to pay larger sums. The two highest ransom payments were both reported by respondents in Italy. Furthermore, the average ransom payment across the U.S., Canada, the U.K., Germany and Australia was US$214,096, which is 26 per cent higher than the global average (base: 101 respondents). Conversely, in India, the average ransom payment was US$76,619, less than half the global number.
Sophos recommends the following best practices:
- Assume you will be hit: Ransomware remains highly prevalent. No sector, country, or organization size is immune from the risk. It’s better to be prepared but not hit, than the other way round.
- Make backups: Backups are the #1 method organizations used to get their data back after an attack. And as we’ve seen, even if you pay the ransom, you rarely get all your data back, so you’ll need to rely on backups either way.
- Deploy layered protection: In the face of the considerable increase in extortion-based attacks, it is more important than ever to keep the adversaries out of your environment in the first place. Use layered protection to block attackers at as many points as possible across your environment. Combine human experts and anti-ransomware technology” Key to stopping ransomware is defence in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology gives you the scale and automation you need, while human experts are best able to detect the tell-tale tactics, techniques, and procedures that indicate that a skilled attacker is attempting to get into your environment. If you don’t have the skills in house, look at enlisting the support of a specialist cybersecurity company – SOCs are now realistic options for organisations of all sizes.
- Don’t pay the ransom: We know this is easy to say, but far less easy to do when your organization has ground to a halt due to a ransomware attack. Independent of any ethical considerations, paying the ransom is an ineffective way to get your data back. If you do decide to pay, be sure to include in your cost/benefit analysis the expectation that the adversaries will restore, on average, only two-thirds of your files.
- Have a malware recovery plan: The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Organisations that fall victim to an attack often realize they could have avoided a lot of cost, pain, and disruption if they had an incident response plan in place.