Insurance industry regulation needed to stem the flow of ransomware attacks
By Florian Malecki, Senior Director, International Product Marketing, Arcserve
There is a growing need in the IT industry to ‘switch off the tap’ that is fuelling the increase in ransomware attacks. We continue to see the devastating impact that such attacks have on organisations, including the high-profile Colonial Pipeline attack that disrupted oil distribution across the east coast of the United States, as well as the crippling attack on Ireland’s healthcare systems. South Africa too is under constant bombardment from malicious actors, with the education, healthcare and other critical sectors under immense pressure from ransomware.
In the case of the Colonial Pipeline attack, a payout was made to cyber criminals so the organisation could recover its systems and resume operating. High-profile ransom payouts such as this have provoked much controversy. Former UK Cybersecurity Chief, Ciaran Martin, advocated for legislation to be put in place to stop ransomware payouts. This idea has been widely discussed since. Insurers are also finding the recent spate of ransomware attacks costly, having bumped up policy premiums by an average of 27%.
Ransom payments ultimately fund more attacks and enable bad actors to develop more sophisticated capabilities, which help them avoid detection for longer periods of time. While insurers are undoubtedly vital in helping organisations to stay afloat following the hard-hitting financial and reputational costs of ransomware attacks, comprehensive insurance should under no circumstances be seen as a replacement for comprehensive cyber security. The time has come for governments around the world to pass legislation stipulating that organisations give cyber security and data protection serious consideration before insurers can agree to offer them cyber cover. With such legislation in place, insurers and organisations would share collective responsibility for ensuring companies’ IT systems are prepared for an attack.
Mandating stringent requirements that companies have to comply with before their cyber insurance policies are underwritten is a no-brainer, since when companies fall victim to cyber attacks, it is often customers who suffer most. Often, the personal data of thousands or millions of people is leaked, and access to key services like healthcare or banking is put at risk. If the right procedures and tools are in place to prevent and mitigate the impact of ransomware, customers' sensitive data will be collected and stored safely, and IT infrastructures will have the capabilities necessary to maintain business continuity.
Any legislation that is introduced will need to ensure that all trading businesses have met a minimum legal requirement in order to be covered by any cyber insurance. This sentiment has been echoed throughout the cyber security industry for some time, as organisations continue to underestimate cyber criminals and under-prepare for attacks.
So, what should legislation require companies to do before they’re eligible to claim on cyber insurance?
Backups are essential to effective cyber security
At a minimum, any future legislation relating to cyber security insurance should require companies to protect and back up systems and data, as well as ensure they have an effective cyber security solution in place to detect any known or unknown threats.
Today’s attackers are using strains such as the EKANS ransomware, which goes after a company’s data backups with the same hostility as its primary systems. Therefore, backups need to be treated as part of an organisation’s core infrastructure. They should be secured with the same high standard of cyber security as primary systems to properly protect a business's continuity and customer data.
Additionally, legislation would need to ensure a company’s data backup system follows the 3-2-1-1 rule. If followed to the letter, two identical copies of data should be stored alongside the original. These should be kept on two separate types of media, and one of those should be stored at an offsite location. Plus, one of these copies should be stored on an immutable storage solution, whether on-prem or cloud-based. With these measures in place, if the worst were to happen and systems became encrypted, an organisation would still be able to quickly and seamlessly recover its services and data.
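To make the 3-2-1-1 rule concrete, here is an added example (not code from the article or from Arcserve) that evaluates a backup inventory against each of the four criteria as the article states them: the original plus two further copies, those copies on two different media types, one copy offsite, and one copy on immutable storage. The inventory model, the field names and the sample inventories are constructed for illustration; a real check would be fed from a backup catalogue or CMDB export.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical inventory record for one copy of a dataset (constructed for this example).
@dataclass(frozen=True)
class DataCopy:
    label: str
    media: str              # e.g. "local-disk", "tape", "object-storage"
    offsite: bool           # held at a different physical site or cloud region
    immutable: bool         # WORM / object-lock / retention-locked storage
    is_primary: bool = False  # the live production dataset, not a backup


def evaluate_3_2_1_1(inventory: List[DataCopy]) -> Dict[str, bool]:
    """Evaluate one dataset's inventory against the 3-2-1-1 rule.

    3: the primary plus at least two further copies
    2: those copies are kept on at least two different media types
    1: at least one copy is offsite
    1: at least one copy is immutable
    """
    primaries = [c for c in inventory if c.is_primary]
    copies = [c for c in inventory if not c.is_primary]
    if len(primaries) != 1:
        raise ValueError("inventory must contain exactly one primary copy")
    return {
        "3-copies": len(copies) >= 2,
        "2-media": len({c.media for c in copies}) >= 2,
        "1-offsite": any(c.offsite for c in copies),
        "1-immutable": any(c.immutable for c in copies),
    }


def gaps(inventory: List[DataCopy]) -> List[str]:
    """Names of the 3-2-1-1 criteria the inventory fails, in rule order."""
    return [rule for rule, ok in evaluate_3_2_1_1(inventory).items() if not ok]


def is_compliant(inventory: List[DataCopy]) -> bool:
    return not gaps(inventory)


# Constructed sample: a layout that satisfies every criterion.
COMPLIANT = [
    DataCopy("prod-db", "local-disk", offsite=False, immutable=False, is_primary=True),
    DataCopy("nightly-nas", "nas-disk", offsite=False, immutable=False),
    DataCopy("cloud-locked", "object-storage", offsite=True, immutable=True),
]

# Constructed sample of a common anti-pattern: three copies exist, but every
# backup sits on the same writable NAS reachable from production, which is
# exactly the kind of target backup-hostile ransomware goes after.
SAME_NAS = [
    DataCopy("prod-db", "local-disk", offsite=False, immutable=False, is_primary=True),
    DataCopy("nas-copy-a", "nas-disk", offsite=False, immutable=False),
    DataCopy("nas-copy-b", "nas-disk", offsite=False, immutable=False),
]

if __name__ == "__main__":
    for name, inv in (("compliant", COMPLIANT), ("same-nas", SAME_NAS)):
        status = "OK" if is_compliant(inv) else "gaps: " + ", ".join(gaps(inv))
        print(f"{name}: {status}")
```

The second inventory passes the "three copies" count yet fails the other three criteria, which is the point of the rule: copy count alone says nothing about whether a backup survives an attacker who deliberately targets backups.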
Benefits of an all-in-one cyber security solution
Often, bad actors stay dormant in an organisation’s IT infrastructure while harvesting data and preparing for an attack. In order to protect against this eventuality, many large organisations are paying top prices for the best cyber security and data protection solutions. However, not all organisations have the resources to justify multiple expensive solutions, so the best approach is to seek a single all-in-one solution that can be implemented with minimum hassle. This will ensure a high level of protection, and also offer organisations visibility into their threat landscape.
Implementing a cyber security solution that also provides protection for backups of data ensures organisations can restore systems following a ransomware attack, thereby mitigating any serious consequences. Opting for a solution that continuously monitors backup images for any malicious code also means that organisations won’t inadvertently back up ransomware.
Today, ransomware is certainly the biggest threat facing organisations across the globe. In order to protect consumers in South Africa and the rest of the world, new cyber insurance legislation will help encourage greater organisational security. For some time now, experts have been urging companies to take security seriously, yet we’re still seeing increasing numbers of ransomware attack victims using their insurance as a safety net.
Any new regulation covering cyber insurance must ensure organisations adhere to the 3-2-1-1 rule and have fit-for-purpose data protection and cyber security solutions in place. By doing this, we’ll ensure that both businesses and customers are protected, and we’ll stem the flow of ransomware by cutting attackers’ main source of income – ransoms.