Ransomware isn’t a ‘new’ threat, but it’s not going away, either. The recent attack on the City of Atlanta — which spent $2.6 million to recover from a ransomware demand of $50,000 in bitcoin — demonstrates that organizations still aren’t prepared to deal with these types of attacks.
It’s not entirely clear whether the city paid the ransom. But the SamSam attack, which destabilized municipal operations across 13 departments, came with a hefty price tag in the form of incident response, digital forensics, extra staffing and consulting.
And while taxpayers probably weren’t upset about not being able to pay their water bill, consider other potential consequences, such as taking down the dispatch system used by 911 emergency personnel — which happened in Baltimore shortly after the Atlanta attack.
While the financial impact of ransomware attacks cost $5 billion last year — growing a whopping 1,400 per cent between 2015 and 2017 — the real costs include “damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks,” according to a CSO article.
And cyber extortion, along with IoT breaches, are expected to ramp up over the next three years, according to Ponemon Institute’s 2018 Study on Global Megatrends in Cybersecurity.
Of the 1,100 senior IT practitioners surveyed, 67 per cent believe cyber extortion will increase in both frequency and payout over the next three years, while four out of five believe a data breach caused by an unsecured IoT device is not only likely, but could be “catastrophic.”
While identity and access management systems are still ranked as the top technological tools being used to fight cyber crime, the Ponemon study predicts that artificial intelligence, threat intelligence feeds, analytics and blockchain will become more prevalent for cyber defense over the next three years.
Despite these new tools, IT pros are growing more pessimistic about their ability to provide adequate protection against cyber attacks; only 46 per cent of respondents feel their organization’s cyber security posture will improve over the next three years (and the number who feel it will decline has risen to 19 per cent from 11 per cent in 2015).
As tools evolve, so must strategies. In a Gartner blog, research director Jeffrey Wheatman argues that “organizations have tended to focus on stopping data breaches, despite the fact that it’s a losing battle. Leaders need to focus on supporting business resiliency and responding to cyberattacks, including ransomware, denial-of-service outages and other types of attacks.”
But those surveyed by Ponemon report that cyber security is still not considered a top strategic priority by executives — and boards of directors are not engaged in the oversight of their security strategy — despite the fact 66 per cent of respondents believe their organizations “will experience a data breach or exploit that will seriously diminish our shareholder value.”
As an article in Forbes points out, it doesn’t help that both public and private enterprises “do not typically treat cyber risk like an enterprise-wide threat, but rather consign it to cash-strapped and ill-equipped IT departments and vendors.”
They need to change that approach: A 2017 report by CGI and Oxford Economics found a “significant connection” between a severe breach and a company’s share price performance — which fell, on average, 1.8 per cent (permanently).
Gartner’s Wheatman points out that while cyber attacks can be costly, they can also cost senior executives — and not just CIOs — their jobs.
Organizations will have to increase their security spending, however, to achieve federal and global regulatory compliance, according to the Ponemon report (the EU’s General Data Protection Regulation goes into effect on May 25). That means leaders may be starting to get the message — even if it’s not by choice.