What price would you pay to rescue your organisation from the ravages of ransomware? More and more organisations are having to answer this question, falling victim to hackers intent on cashing in on this increasingly lucrative business. When ransomware hits, whether or not to pay up can be a real dilemma.
Although our rapidly advancing technology continues to help protect businesses against ransomware, it would be naïve to assume that ransomware is not simultaneously keeping up. According to a recent report from WEF, cyberattacks on critical infrastructure are listed as the fifth-highest risk expected to have a severe impact on a global level in 2023. Looking ahead, widespread cybercrime threats are listed as one of the top ten most severe global risks that many expect to play out over the short term (over the next two years), and the primary technological threat to have a severe impact in the long term (over the next ten years). With a new attack every 2 seconds, ransomware is also expected to cost its victims more, around $265 billion (USD) annually by 2031.
Regionally, governments are looking at cybersecurity and data risks at both a corporation and national level. The UAE’s Personal Data Protection Law came into effect last year, as the first federal law to be drafted in partnership with major technology companies in the private sector; and Saudi Arabia’s National Cybersecurity Authority announced a National Plan for Cyber Assessments for 2023.
Meanwhile, the UAE government’s smart city initiatives are spurring widespread adoption of cloud services, with the UAE Data Centre and Cloud Services Market Outlook to 2026 report predicting a compound annual growth rate of 16.9 percent in terms of revenue generation, over the period 2021-2026.
All developments come with inherent risks and extending the technology stack to the cloud is no exception as it opens organisations up to more risks of malware and subsequent data breaches. Whilst governments are moving toward creating policies to reduce these attacks, there is also a requirement for organisations to regulate themselves as they are the ones ultimately at risk should a breach occur. Not only do organisations suffer the monetary loss of paying up, and risk losing their hard-won customers and reputations, but they may also find themselves in breach of compliance and data protection regulations, landing them in hot water from a legal perspective too. Fines have been reported of more than $20 million for high-profile data breaches such as that experienced by social media channels. Organisations are coming under increasing pressure to be prepared for when a cyber-attack hits and when considering their responses to ransomware, five misapprehensions need to be tackled right now.
Myth 1 – The cloud is a silver bullet for ransomware protection
Too many organisations feel safe in the misapprehension that data in the cloud is safer and that their cloud provider takes responsibility for it when it’s there. However, data in the cloud is also at risk of ransomware and most cloud providers pass responsibility for protecting against it back to their customers. A lack of awareness here can lead to cloud data protection being overlooked entirely, making cloud data more vulnerable than data stored on-premise. Both options have vulnerabilities, so gaps must be identified and closed through a comprehensive data protection strategy.
Myth 2 – Paying a ransom will ensure that you can recover your data
There is no guarantee that you will get your data back if you pay a ransom. Even if you pay a ransom, you may not be able to recover your lost files. Because you are dealing with criminals, they will most likely have no interest in ensuring the decryption process gets you your data back. Many hackers will simply note which organisations have a proclivity to pay and use that as a reason to attack them again in the future.
Myth 3 – Decrypting data is the fastest way to get your business operational again
Decrypting data can be a slow process. Despite paying a rumored $5m for the decryption key following a ransomware attack, Colonial Pipeline still resorted to restoring data from their backups after growing impatient with the painfully-slow speed of the decryption engine. Take note – if you have taken the all-important step of thorough backup procedures, in paying up, you may be wasting money for the privilege of doing the job faster yourself.
Myth 4 – Restoring data is always quick and easy
Reflecting on our previous myth, it must also be noted that restoring data is only quick and easy if a business has optimised for it. Restoring data quickly relies on the organisation having the right people, processes, and technology. For example, if companies rely on in-built data protection from multiple cloud providers that each need to be configured and managed separately, the process can be slow and involved. The lesson is that every organisation needs to understand the restoration process and the parameters that might help or hinder it.
Myth 5 – Ransomware attacks always involve encryption
Hackers are now carrying out double and even triple extortion attacks. They steal data and threaten to sell or publish it. Or they blackmail breached companies with the threat of exposing the breach to their customers. Now, 68% of ransomware attacks include some element of data exfiltration, with the number of these attacks rising nearly 200% quarter over quarter. The previously cited case of the Colonial Pipeline attack in May 2021 saw the hacking group DarkSide using the threat of leaks to force the company’s hand. Ransomware, therefore, is not just the threat of encrypted data locked away from the organisation. It can involve the simpler but equally destructive force of using sensitive data against the company – the leaking of customers’ personal information or making knowledge of the hack itself public.
Mythical power
Ransomware attacks are not rare incidents that target an unlucky few – every organisation is at risk. When a more structured and responsible approach to data management is taken, there are countless rewards. Knowing your response in advance and having a tested strategy in place will stand you in better stead should the worst happen. Misapprehension and myths abound, but in this new world, knowledge is power, and paying up is not always what it appears.
With data being at the heart of every business, it’s time we start treating it and managing it with the weight that it deserves – and there’s no better time to do so than now.