SC Media and Mimecast recently convened with IT decision-makers to discuss how businesses can protect themselves from ransomware threats
This article is produced in partnership with Mimecast.
Cyberattacks reached an all-time high in 2022, fuelled by geopolitical conflict and rapidly evolving threats. The numbers involved are sobering, with businesses being targeted with millions of attacks on a weekly basis. And the challenge will only get more difficult for organisations in 2023.
Ransomware alone has a devastating impact on businesses, government, public services and everyday lives. Mimecast’s global report, The State of Ransomware Readiness, revealed that 80% of organisations have been attacked by ransomware and more than one-third of cyber security professionals feel they could lose their jobs over a successful ransomware attack.
Against that backdrop, SC Media recently teamed up with IT security specialist Mimecast to bring together some of the UK and Ireland’s sharpest security minds. The virtual roundtable gathered experts from the private sector, the consulting world and the charity space to ask how best to protect against rising ransomware risks and to separate cybersecurity facts from fiction.
Perception vs reality
With so many experts in one place, the roundtable was an excellent opportunity to find out about some of the misconceptions that businesses have about cyber threats. Tim Rawlins, senior adviser and director of security at NCC Group, said there needs to be more understanding among senior executives in the UK regarding the fallout of cyberattacks and the lasting impact.
“Many executives are still working from old business continuity plans where they’re planning for two-hour outages of one of the IT systems. The reality is that you could be dealing with an outage of four weeks, four months, or even longer. Consider the Scottish Environmental Protection Agency, which was still suffering from some service outages 18 months after the original incident.”
Rawlins also said the C-suite tends to focus on ransomware, while other types of attack, such as business email compromise, can potentially cost businesses more money. “There’s a significant gap between perception and reality,” he added.
The blame game
Andrew Barratt, vice president at Coalfire, likened the reaction to cybersecurity attacks to the five stages of grief: “The people on the ground feel panicked and exposed, and part of that is a real worry that they’ll lose their jobs.”
It’s an understandable concern; two-fifths of firms sacked staff for cybersecurity breaches during Covid, according to Censuswide. Barratt said educating executives about the reality of cyber threats is a crucial step to avoid “terrible, knee-jerk decisions” such as sacking staff for incidents which they had no power over.
Rawlins said: “We recently worked with a business where the COO sacked an individual for clicking on a link that gave unauthorised access. That was completely the wrong thing to do because they were the one person who will never make that mistake again. Instead of being sacked, that individual should have become the most compelling proponent for doing the right thing.”
“I would like to see a no-blame approach being taken, modelled on the aviation and nuclear industries,” said Barratt. “They have both taken phenomenal steps over the years to completely remove the culture of blame. People can be materially at fault, but will not be blamed until the systems that helped make those mistakes are resolved.
“We have to take the same approach, or we’ll lose people from the industry. We’ll get to a stage where nobody will put their hand up to be a CISO, because they know they’ll be blamed the second anything happens.”
To pay or not to pay
Several of the panel had their say on one of the toughest conundrums businesses face after a ransomware attack: whether or not to pay in the hope of getting their information back. The experts debated the rights and wrongs, including the likelihood of attackers keeping the data even after they’ve been paid.
Andy Bone, head of cyber, information security & privacy at Mencap, said: “Our view is that we wouldn’t pay. But if you’re a ransomware organisation that doesn’t give a key back, how long will it be before companies stop paying you anyway because they know they won’t get their information back? I’m not saying we should trust ransomware organisations, but most will give you the key. The risk then is that they target you again.”
Barratt said that any company considering paying a ransom should take legal advice as a matter of urgency: “There are some very significant legal implications to paying ransomware, not least of which is potentially being seen to fund a criminal group. We also repeatedly see businesses paying ransom and then not fixing the issue, so they’re targeted again.”
Budgets
Many businesses face significant cost pressures, impacting their ability to invest in cyber technology and human capital. And all too often, the business can view requests from security teams purely as a cost.
“You must understand the business in minute detail,” said Barratt. “Try to attach yourself to sources of revenue, so you can make the argument that without your systems, that source of the money goes away. If you can’t do that, you’ll just be seen as an IT resource that costs the business, and all of the context and protection get lost. The worst thing is to be seen as a cost, because costs will always be minimised. Attach security to revenue streams, because things that make money aren’t commonly cut off.”
Saiyid Noor, senior sales engineering manager at Mimecast, advised security teams to work with their vendors to build compelling evidence for the C-suite of the value protected and the costs saved.
“The C-suite has to see the value in what you do. Because while you may be protecting revenue, it’s not directly creating revenue for the business. Talk to your vendors and work on material showing how those services have stopped x, y and z incidents, which would have cost the business this much.”
Top security tips from the experts
The discussion chair, SC Media’s editor Alicia Buller, asked the panel to outline some simple steps businesses can take to help protect against cyberattacks. Here are some of the responses:
Barratt: “There’s no silver bullet, so develop a well-rounded strategy. Organisations need a deep understanding of how threats operate, and the ability to pivot their defensive position.”
Noor: “Keep your systems up-to-date. Interserve Group recently paid a £4.4 million fine for a breach that could have been protected against had their systems been updated.”
Orlando Milford, CIO at Oxera Consulting LLP: “2FA was a big step for us. We have got that everywhere, not just on admin accounts. Making it a bit more difficult for cybercriminals is important; they’ll look for the easiest target, so have steps in place that make it harder for them.”
Bone: “Understand and develop rules around vulnerabilities. Put measures in place and think about how to reduce risk. If you have legacy systems or servers, can they be taken offline and only switched on when needed?”
Rawlins: “Look at how you manage risk across your entire estate. Talk continually to your CIO to help them realise the value of the security advice available to reduce risks and enhance the resilience of the organisation. And plan how you would operate without your IT, because if a crisis does happen, it could be lost for a long time.”
To register your interest in a free one-to-one consultation with Mimecast about how to protect your organisation from ransomware click here.
(Places are limited to senior IT professionals from organisations with 350-1999 employees)