A few big hacks in the US and everybody is talking about ransomware again… Time for a few hard truths
Frankly, this is starting to become embarrassing for some security professionals. In these columns, we have been writing about ransomware since 2016, and even at the time, it was reasonably established as a topic and already a subject of events and conferences. We revisited it in 2019 in the light of an event in Paris targeted at SMBs, in which we participated. Since then, it has grown monumentally and its impact has increased even further with the pandemic; now even cyber insurers are starting to change their tune about it.
Meanwhile, some in the security community continue to go round in circles, looking for straight answers or technical silver bullets: Should you pay the ransom? Is it all about backups?
It’s time for a few hard truths.
The debate around paying – or not paying – the ransom is typical of the confusion that reigns, amplified by increasingly contrasting messages from public authorities – who seem to be resisting making ransom payments illegal – and cyber insurers – who might have played an ambiguous game in the recent past.
There is no “Robin Hood” storyline here; this is not about robbing the rich to feed the poor: Paying ransoms finances organised crime. Period. Paying or not should be a reasonably plain matter of business ethics.
Let’s consider the following scenario, as a matter of comparison:
You are the CEO of a business which has been heavily affected by the COVID crisis; you were not in an ideal shape pre-COVID and competition was already hitting you hard; you have struggled to keep going and find finance throughout the crisis; you literally have a few months of runway ahead of you before having to have a difficult discussion with creditors, possibly leading to laying off people in big numbers.
An opportunity presents itself to open a new market in an emerging country; it is a solid opportunity and you have been aware of it for years, but you have stayed away from it; access to the market involves paying large sums to corrupt officials, in a regime which is openly recognised by international agencies as being involved in drug and people trafficking.
What do you do?
My point is simply this: You must see the debate around ransomware and the payment of ransoms in the same ethical light, because ransomware is cybercrime; it is delusional to see paying the ransom as some form of economic trade-off or a regular business transaction.
Now, everybody can understand that it is a hard decision to make when your business is actually down, but it should still be guided by ethical considerations and by an increased level of support from public authorities towards the victims; something we were already pushing for in 2019 in support of small businesses. Making ransom payments illegal without adequately supporting victims could make things worse, as the Cyber Threat Alliance rightly argues.
Having said that, protecting yourself can be hard, especially if you are just waking up to the problem now, well past the 11th hour… There is no silver bullet. Period. The only thing that can protect you is defence in depth, and it could take years to put it in place properly at the level of a large enterprise if you’re truly starting now.
- Yes, you need to educate your staff around phishing and opening up attachments. But by itself, that’s not enough. Human mistakes are unavoidable.
- Yes, you need to filter emails upstream to remove any suspicious content. But by itself, that’s not enough. Some might still go through.
- Yes, you need to deploy security patches in a timely manner across your entire estate. But by itself, that’s not enough. You will always miss a few across large estates.
- Yes, you need to take and maintain regular backups, so that you can return to business quickly. But by itself, that’s not enough. By then, the deed is done, and your business has been affected. And by the way, the life of most CIOs is full of backups that didn’t work.
You need to act in a concerted manner across all those levels, and many others, to achieve true protection: This is not just about having a rehearsed incident response plan ready, with lawyers and PR people lined up …
Cynically, many recent ransomware incidents are a harsh challenge to the way security has been prioritised in many industry sectors over the years, and to how the focus on technology, point solutions and low-hanging fruit fails to protect the large enterprise in real terms. This cannot be reduced to a matter of insufficient investment: Large firms have collectively spent billions on cyber security over the past decades; it is an excessive focus on pure tech solutions, coupled with execution failure, which is at the heart of the situation many organisations are now facing.
This is also a challenge for some CISOs – and tech vendors and large consultancies – who have effectively accepted and endorsed the “risk appetite” decisions of business leaders, unwilling to understand and challenge the fact that these are actually driven by cognitive biases, that “risk appetite” goes out of the window at the first sight of real problems, and that there cannot be a proper discussion around “risk appetite” without a genuine appreciation of the threats targeting the business, and of the protective measures the business has in place – or not – to protect itself from those threats.
The hard truth is that…
Good practices – known for decades – can still protect against ransomware if properly deployed – in layers – across the real breadth and depth of the modern enterprise. True defence in depth is complex; it requires a coherent vision, the right governance and operating model, and the right skills at the right level across the enterprise; but it simply works at creating a protective shield: Siloed vision and point tech solutions don’t.