Ransomware is the biggest cyber threat to business. But most firms still aren’t ready for it
Many firms have no incident response plans, or ever test their cyber defenses says cybersecurity chief.
Ransomware is the most significant cybersecurity threat facing organizations ranging from critical national infrastructure providers and large enterprises to schools and local businesses – but it’s a threat which can be countered.
In a speech at the Chatham House Cyber 2021 Conference, Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC) warned about several cybersecurity threats facing the world today, including supply chain attacks, the threat of cyber espionage and cyber aggression by hostile nation-states and cybersecurity exploits and vulnerabilities being sold to whoever wants to buy them.
But it’s ransomware which is “the most immediate danger to UK businesses and most other organizations” said Cameron, who warned that many businesses are leaving themselves vulnerable because “many have no incident response plans, or ever test their cyber defenses”.
Drawing on examples of high-profile ransomware attacks around the world including the Colonial Pipeline ransomware attack, the ransomware attack against Ireland’s Health Service Executive and those closer to home like the ransomware attack against Hackney Council, Cameron detailed the “real world impact” that these cyber attacks have had over the last year as cyber criminals encrypt networks and attempt to demand ransom payments of millions for the decryption key.
And one of the reasons why ransomware is still so successful is because some victims of the attacks will pay the ransom, perceiving it to be the best way to restore the network as quickly as possible – despite warnings not to pay.
“We expect ransomware will continue to be an attractive route for criminals as long as organizations remain vulnerable and continue to pay. We have been clear that paying ransoms emboldens these criminal groups – and it also does not guarantee your data will be returned intact, or indeed returned at all,” said Cameron, who also detailed how many ransomware groups are now stealing data and threatening to leak it if the ransom isn’t paid.
“Their intention is clear: to increase pressure on victims to pay,” she said.
In recent months, the impact of ransomware has become so great that world leaders have discussed it at international summits.
“We should not view ransomware as a risk we have to live with and can’t do anything about. We’ve seen this issue become a leader level G7 topic of conversation this year. Governments have a role, and we are playing our part,” said Cameron.
“We are redoubling our efforts to clamp down and deter this pernicious and spreading crime, standing firm with our global counterparts and doing our best to turn this into a crime that does not pay,” she added.
But while governments, law enforcement and international bodies have a role to play in helping to fight back against ransomware attacks, businesses and other organizations can also examine their own defenses and what plans they have in place, should they fall victim to a ransomware attack.
“But victims also have agency here too. Do you know what you would do if it happened to you? Have you rehearsed this? Have you taken steps to ensure your systems are the hardest target in your market or sector to compromise? And if you would consider paying a ransom, are you comfortable that you are investing enough to stop that conversation ever happening in the first place,” said Cameron.
Actions like applying security patches and updates promptly and using multi-factor authentication can help protect networks from cyber attacks – and the NCSC has published much advice on how businesses can help protect their networks, emphasizing that cybersecurity must be a board level issue.
“One of the key things I have learnt in my time as NCSC CEO is that many – in fact the vast majority – of these high-profile cyber incidents can be prevented by following actionable steps that dramatically improve an organization’s cyber resilience”, said Cameron.
“Responsibility for understanding cyber security risks does not start and end with the IT department. Chief executives and boards also have a crucial role,” she said. “No chief exec would get away with saying they don’t need to understand legal risk because they have a general counsel. The same should be true of cyber risk”.
By Danny Palmer | October 11, 2021