Information security is vital for economic security, innovation and business continuity. Cybersecurity is becoming a high-impact board and senior leadership issue. Digital transformation efforts and cloud service adoption increase the reliance of business-critical functions on digital infrastructures. Malicious actors seek to exploit human and technical vulnerabilities for profit. Increasingly, data breaches and cybersecurity incidents affect all parts of organisations, their value chains and supply chains. The human element, seen in employee errors, phishing and social engineering, is a significant weak point in the fight for information security resilience. Now that boards are increasingly paying attention, their priorities, strategies and actions are crucial for sustainable impact and success. Priorities should be risk-based, context-rich, applied in a multi-disciplinary way across the organisation and based on proactive analysis.
The Increasing Problem of Ransomware
The information security landscape is changing rapidly, but key indicators and trends can be identified and monitored. The Verizon Data Breach Investigations Report 2021 reported that 85% of data breach incidents involved the human element, 36% involved phishing and 10% included ransomware (the latter is double the rate of the previous year). The median breach cost per incident is $21,659 (USD), but most organisations can expect their costs to rise to $650,000 (USD) for large incidents. The UK Cyber Security Breaches Survey 2021 found that 39% of businesses and more than a quarter of charities (26%) report having cyber security breaches or attacks in the previous 12 months. For the organisations that have suffered breaches or attacks, around a quarter (27% of these businesses and 23% of these charities) experience these at least once a week. Phishing is the most common method for cyberattacks. Among the 39% identifying breaches or attacks, 83% had phishing attacks, 27% were impersonated and 13% had malware (including ransomware). For those who suffered breaches or attacks, 21% of businesses and 18% of charities lost money, data or other assets. Of all the organisations surveyed, 43% have cyber insurance cover in place, a rise from 32% in the previous year.
Ransomware is a form of malicious software, or malware, that prevents organisations and computer users from accessing their computer files, systems, or networks with a demand that a financial ransom is paid to restore system access or for data to be returned. Cyber attackers often demand that ransom payments are paid in cryptocurrencies, which are hard to trace. Ransomware attacks can cause significant disruption to IT operations and the loss of critical business information and personal data. Ransomware can be introduced to a computer or system by users accidentally downloading ransomware onto a computer by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware.
Ransomware can be introduced to an IT system by phishing or spear phishing emails, which aim to appear legitimate to users who open and click on infected hyperlinks. These emails may also enter a system as unwanted spam, hoping that an unwitting user will unknowingly click on the link. Highly targeted campaigns, using social engineering, aim to target high profile and senior figures in companies and organisations in order to access the most sensitive information and have the most impact because of the high levels of trust the senior user enjoys internally. Ransomware can also be introduced using Remote Desktop Protocol (RDP) vulnerabilities (after gaining user access credentials) and by exploiting software vulnerabilities. Malware and ransomware are pernicious and can ensnare a wide range of individuals. As a result, board awareness, continuous staff training and vigilance are crucial.
Ransomware is at the frontline of global cybercrime. Companies and organisations have been warned that these tactics can be used by rogue states, by hackers, to avoid international sanctions, for money laundering, for terrorist financing, for illegal drug trafficking or for modern slavery. The effect of ransomware attacks can also be technically devastating to IT systems and to an organisation’s critical data. Services can be stopped, IT systems can be destroyed, data disclosed on the dark web, confidential information published freely online and data permanently deleted. Ransomware can be an existential threat to a company’s reputation and the future commercial viability of businesses and organisations. Several organisations and governments have adopted official policies of not paying ransom demands and not engaging with ransomware gangs. Paying ransoms does not guarantee that stolen data will be returned or that IT systems will be repaired. Of all the persistent cybersecurity threats and risks, it is ransomware that creates the most uncomfortable and unforgiving catch-22.
The Cybersecurity Insurance Puzzle
Cybersecurity insurance is important for good governance, financial resilience and business continuity. However, many businesses and organisations are underinsured against modern cybersecurity threats and risks. Some companies and organisations rely on the information security coverage in their general business insurance policies. These protections are often narrow and can be excluded when claims are made after information security incidents and cyberattacks. Some companies and organisations have specific cybersecurity insurance policies, but these can be poorly underwritten and are not future-proofed to cover modern and evolving threats and risks.
When information security claims are made, companies and organisations could find that their claim is rejected, or that the payments received do not meet the true costs of the claim. Boards and senior leaders need to realistically assess their organisations’ standing and take strategic decisions as to the optimal range of insurance coverage. Organisations should learn about the cyber insurance market for their industry and sector and balance this against their business, regulatory and financial needs. A company’s or organisation’s supply chain should also be regularly audited for information security compliance and adequate insurance cover.
Increasingly, general insurers and cyber insurers are refusing to pay the ransoms demanded by ransomware attackers. This is because these activities often contradict their corporate values or may be illegal if the ransom is linked to terrorism, money laundering or illegal trafficking, or breaches international sanctions. These insurers also understand that paying ransoms can incentivise criminality and create greater information security risks due to an increase in sophisticated cyberattacks. Paying ransoms is always very risky because it involves dealing with those involved in illegal or unethical activity. The risk-reward calculations often reveal significant risks.
Board and Leadership Priorities and Solutions
Boards and Senior Leadership should adopt a “whole organisation” and multi-disciplinary approach to resourcing and empowering their internal teams, partners and supply chains to:
i. Improve and extend cybersecurity strategies to include a cybersecurity insurance strategy as part of financial governance arrangements with Chief Financial Officers or the heads of finance in smaller organisations. This work should be done in conjunction with the Chief Information Officer, Chief Information Security (Risk) Officer or Head of Security in smaller organisations. This group of stakeholders should also include the General Counsel, the organisation’s lead lawyer or the compliance lead in smaller organisations. Human Resources leaders and external specialist advisors should also be included or consulted to strengthen internal resources.
ii. Develop internal expertise about emerging cybersecurity threats and risks. Board and leadership teams should receive summaries of specialist reports and then update their strategies to reflect the changes to the cybersecurity landscape, new business models and the cyber insurance market. This should not be treated as an IT-only issue.
iii. Include insights from work on international sanctions compliance, export controls, international cybercrime trends, anti-money laundering standards, blockchain strategy and cryptocurrency financial controls into the cybersecurity strategy and ransomware policies and procedures. This will apply most to complex global businesses and organisations.
iv. Refine and clarify the personal data breach and personally identifiable information (PII) compromise response procedures to specifically reference the nature of ransomware attacks. This will include legal duties to notify data protection and data privacy regulators, informing individuals affected, liaising with cyber insurance providers, informing enforcement authorities and the police, dealing with ransom groups and establishing a team of first responders. Compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), other national laws and sectoral laws is also vital. Fines and financial penalties for data breaches could be 2-4% of global turnover, in addition to the financial impacts of the ransomware attack.
v. Improve information classification and data management by categorising data according to its value to the company or organisation and establish physical and logical separation of networks and data for different organisational units. For example, high value research and development or business data could be deliberately held on a separate server and network segment from the organisation’s email environment. Virtualised environments could be used to execute operating system environments or specific programmes.
vi. Improve information security awareness and training for all levels of the company or organisation. Ransomware often targets end users and so employees should be told about the threat of ransomware, how it is delivered, ways to identify it and how to report likely malware. Training should also include key cybersecurity definitions, principles and techniques.
vii. Increase information security hygiene and resilience activities by regularly backing up data and verifying its integrity. This includes ensuring that backups are not connected to the computers and networks that they are backing up. For example, these could be physically stored offline. Backups are vital in ransomware resilience efforts. After a ransomware attack if computer systems are infected, backups may be the best way to recover business critical data. Backups are very important for recovery, business continuity and ransomware mitigation.
viii. Systematically and regularly patch operating systems, software and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier by using a centralised patch management system. Ensure that anti-virus and anti-malware solutions are set to automatically update and that regular scans take place. Another solution is to disable macro scripts from Office files transmitted via email. For example, Office Viewer software could be used to open Microsoft Office files transmitted via email instead of the full Office Suite applications.
ix. Set up application whitelisting to only allow systems to execute programs that are known and permitted by security policy. It is also useful to implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression and decompression programmes. This includes those located in the AppData or LocalAppData folder. Other solutions include applying best practices for RDP use, including auditing networks for systems using RDP, closing unused RDP ports, applying two-factor authentication where possible and logging RDP login attempts.
x. Implement least privilege for file, directory and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Least privilege should influence how access controls are configured. Requiring user interaction for end-user applications communicating with websites uncategorised by the network proxy or firewall is also helpful. For example, users could be required to type information or enter a password when their system communicates with a website that is uncategorised by the proxy or firewall.
xi. Invest in developing zero trust networks, especially in mission critical parts of IT systems. Agile project management could be used to test, review, assess and repeat trials and experiments to find the right balance between confidentiality, availability and integrity. Zero trust practices can then extend across the IT system and into critical supply chains. Introducing blockchain technology can accelerate these processes.
xii. Audit supply chains for cybersecurity risks and increase standards through clear contractual obligations, practical and accessible information security schedules, Key Performance Indicators (KPIs), robust reporting and dynamic analysis.
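To illustrate the backup integrity verification in point vii, the following added example (not part of the original article) records a SHA-256 hash per backed-up file and seals the hash list with an HMAC. The function names, sample files and key are constructed for the demonstration, and the key is assumed to be held away from the systems being backed up.

```python
import hashlib, hmac, json, os, tempfile

def _walk(root):
    # Relative path -> SHA-256 for every file under the backup root.
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            with open(p, "rb") as f:  # whole-file read keeps the demo short
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out

def _seal(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def build_manifest(root, key):
    body = json.dumps(_walk(root), sort_keys=True)
    return {"files": body, "hmac": _seal(body, key)}

def verify_backup(root, manifest, key):
    # Check the manifest first: hashes that could be rewritten prove nothing.
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["hmac"]):
        return {"manifest": "tampered"}
    recorded, current = json.loads(manifest["files"]), _walk(root)
    return {
        "manifest": "ok",
        "modified": sorted(p for p in recorded
                           if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: real key is kept off the backup host
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        put("ledger.csv", b"id,amount\n1,100\n")  # constructed sample files
        put("hr.db", b"records")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        put("ledger.csv", b"\x00" * 16)           # content overwritten
        put("note.txt", b"unexpected file")       # new file appears
        os.remove(os.path.join(root, "hr.db"))    # file deleted
        damaged = verify_backup(root, manifest, key)
        # Hash list rewritten to match the damaged files, but without the key.
        forged = dict(manifest, files=json.dumps(_walk(root), sort_keys=True))
        return clean, damaged, verify_backup(root, forged, key)
```

A backup that passes this check has unchanged files; a restore test is still needed to show that those files can actually be recovered.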
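The path-based execution controls in point ix can be sketched as follows. This is an added example, not taken from the original article: the rule lists, drive letters and sample paths are hypothetical, and the logic models the decision a software restriction policy makes rather than calling any Windows API.

```python
import ntpath
from fnmatch import fnmatchcase

# Hypothetical path rules modelled on the locations named in point ix.
DENY = [
    r"c:\users\*\appdata\local\*",    # LocalAppData, including browser temp folders
    r"c:\users\*\appdata\roaming\*",  # AppData
    r"c:\windows\temp\*",
]
# Hypothetical allow list: locations ordinary users cannot write to.
ALLOW = [
    r"c:\program files\*",
    r"c:\program files (x86)\*",
    r"c:\windows\system32\*",
]

def normalise(image_path):
    # Collapse "..", unify slashes and case so a rule cannot be sidestepped
    # by spelling the same location differently.
    return ntpath.normpath(image_path.strip('"')).lower()

def evaluate(image_path):
    """Return (decision, matched_rule) for one executable path."""
    p = normalise(image_path)
    for rule in DENY:      # deny rules win over allow rules
        if fnmatchcase(p, rule):
            return ("block", rule)
    for rule in ALLOW:
        if fnmatchcase(p, rule):
            return ("allow", rule)
    return ("block", "default-deny")  # whitelisting: unknown means no

# Constructed sample paths, as they might appear in process-creation logs.
SAMPLES = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\AppData\Local\Temp\7zO4A1\invoice.exe",
    "c:/users/BOB/appdata/roaming/updater.exe",
    r"C:\Program Files\..\Users\carol\AppData\Local\Temp\a.exe",
    r"D:\tools\portable.exe",
]

def triage(paths=SAMPLES):
    return [(p, *evaluate(p)) for p in paths]

if __name__ == "__main__":
    for path, decision, rule in triage():
        print(f"{decision:5}  {rule:32}  {path}")
```

Some legitimate applications install per-user under AppData, so rules like these are usually run in an audit-only mode first and exceptions added before enforcement.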
Board and Leadership Resources
National Cyber Security Centre (UK)
An Garda Síochána (Ireland’s National Police and Security Service)
Federal Bureau of Investigation (FBI – United States)
For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy, Board Awareness or Information Security Training, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370