Both the number and severity of ransomware attacks have escalated over the past two years. A form of digital malfeasance that initially sought to extort relatively meager sums from home computer users has mushroomed in that time into well over a quarter-billion-dollar criminal industry, with the average ransom soaring 82% during the first half of 2021 to $570,000.
And the ransom payment by itself might end up being only a tiny part of the cost of a ransomware attack. For example, the total cost of recovering from a ransomware attack in 2021 reached nearly $2 million for an average victim when downtime, lost business, damaged reputation, and increased IT and insurance costs are considered.
If left unchecked, ransomware attacks are poised to undermine entire critical infrastructure sectors, as evidenced by the attack on Colonial Pipeline in May. Although Colonial Pipeline paid the DarkSide ransomware actor around $5 million in ransom, plus other amounts in remediation costs and increased security measures, the economic impact from gas shortages and delayed industrial production brings the actual cost of the attack to some multiple of the ransom payment.
Paying Ransom Can Undermine National Security
That’s one primary reason why the Treasury Department, in its updated ransomware guidance unveiled last month, said that making a ransom payment “can undermine the national security and foreign policy objectives of the United States.”
The Treasury Department also said that organizations hit with ransomware might get some level of penalty relief if they end up paying sanctioned ransomware-related entities, provided they have followed what are generally considered reasonable cybersecurity risk management steps. Among the actions recommended by the Department are “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.”
Administration Urges Risk Management Steps
In June, the Biden Administration’s top cybersecurity official Anne Neuberger issued a memo with the subject line “What We Urge You To Do To Protect Against The Threat of Ransomware.” In the document, Neuberger urged America’s corporate executives and business leaders to undertake a series of steps to significantly reduce the risk of ransomware.
Among these steps are:
- The five best practices outlined in President Biden’s May Cybersecurity Executive Order, including multifactor authentication, detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable), and a skilled, empowered security team.
- Keeping backups of data, system images, and configurations, regularly testing them, and maintaining them offline.
- Using a risk-based assessment strategy to drive patch management programs.
- Testing incident response plans.
- Testing security teams’ work.
- Segmenting networks to limit damage in the event of an adverse incident.
All of these steps represent various aspects of cybersecurity risk management. In a nutshell, cybersecurity risk management anticipates what adverse events could occur and develops strategies for mitigating those risks and recovering from incidents when those risks materialize. Or as Russell Thomas, principal modeler of cyber risk at RMS-Moody’s, put it, “The higher point of information security or cybersecurity is to enable good things to happen and limit or control or recover from bad things that might happen.”
NIST Cybersecurity Framework is the Gold Standard
These tasks outlined by Neuberger are also articulated in a number of existing cybersecurity risk management frameworks, such as the comprehensive NIST Cybersecurity Framework (CSF). Initially developed in 2014 and updated in 2018, the CSF has become the gold standard for how organizations and government agencies across the globe should approach what is a sweeping and complex task.
Composed of five functions (identify, protect, detect, respond and recover), 23 categories (from asset management to recovery planning and communications), and 108 subcategories of specific desired outcomes (for example, ID.AM-2: Software platforms and applications within the organization are inventoried), the CSF covers a wide range of cybersecurity risk management territory.
Piecemeal Approaches Don’t Work
The question is whether implementing risk management at this scale is necessary or desirable to combat ransomware threats. Organizations can’t tackle the ransomware problem in a piecemeal fashion, according to Phil Reiner, CEO of the Institute for Security and Technology and Executive Director of the Ransomware Task Force, a broad coalition of experts in industry and government, law enforcement, civil society, and international organizations. The Institute released its own framework earlier this year to tackle the ransomware problem.
“I think the baseline assertion that we’ve been making since we pushed out the ransomware task force report back in April was that this really is a problem that necessitates a comprehensive approach to solve it,” he says.
“When I say that, that means there needs to be a really broad range of actions that are undertaken in order to combat the threat. And that could include actions being taken by the federal government to engage with international counterparts to do something about the safe havens from which these criminals can operate. That could include Congress taking regulatory actions around the cryptocurrency ecosystem. This could also include actions within the cyber insurance markets to make sure that those policies aren’t inadvertently actually rewarding bad behavior.”
These things “have to be combined with actions being taken by companies to raise their standards of cyber hygiene and to ensure that they’re taking the necessary steps to reduce the risk of their leaving themselves vulnerable to ransomware.”
If “everyone were to do the basics, it would dramatically change the trajectory of the ransomware pandemic. This would not be so easy for these criminals,” Reiner says. Good cybersecurity risk management “is very much something that everyone could do more of to reduce the risk.”
Risk Management Can Help ‘Negate’ Ransomware Events
Jason Steer, Security Strategist at Recorded Future, underscores the importance of good cybersecurity risk management. “Risk management activities are only going to be a positive step in the right direction to hopefully negate a ransomware or other cyber event,” Steer says.
When it comes to the NIST Framework, “it helps frame the challenge of ransomware right through the lifecycle of an attack, from preparation, policy, right through to detection and mitigation and back to normal. This all needs consideration, documentation, and money to make it happen. Otherwise, chaos happens when there is the inevitable incident.”
The cost of addressing ransomware is the foremost hurdle facing organizations seeking to adopt adequate risk management policies and practices. Nevertheless, “For the vast majority of organizations that lack maturity, risk management practices do need to be considered and put into place even if it’s minimal,” Steer says.
Risk Management Requires Resources
Reiner says the most difficult nut to crack is the organization that doesn’t have a lot of risk management awareness and doesn’t have a lot of resources to devote to the task. “And that comes down to how do you work with managed service providers and others to get the word out. And then also get tools to people.”
“One of the things that is remarkable is that CISA [the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security] and others offer a lot of the tools that could be helpful to people for free,” Reiner says. For example, CISA devised its recently launched Stop Ransomware portal to spread the word and provide at least informational resources to small organizations that don’t even have dedicated IT teams, much less cybersecurity staff.
It would be nice to take things a step further, Reiner says, and have CISA step in and offer something akin to a CISO-like Geek Squad “where you could have teams that can go out and work with smaller organizations, work with states to get the word out that these are tools that are available to them and that are free.”
Framework Profile for Ransomware Risk Management
In the meantime, NIST has produced a draft document, Cybersecurity Framework Profile for Ransomware Risk Management, that “aligns organizations’ ransomware prevention and mitigation requirements, objectives, risk appetite” with elements of the CSF. This alignment picks out or pares down the relevant CSF categories and subcategories and explains their importance in dealing with ransomware.
Stay tuned for more reports on the importance of cybersecurity risk management in today’s threat landscape, and join our email list to get timely updates about the topic of risk management and special offers related to our upcoming book, Cybersecurity Risks Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework. To be published by John Wiley & Sons Academic Book Division for delivery in December 2021, the book is available for pre-order now.