There is no question that ransomware attacks are becoming increasingly prevalent. In fact, some have proposed that 2017 is the Year of Ransomware thanks to WannaCry and the Petya outbreak. These attacks didn't just hit individual users; they affected some of the biggest organisations in the world, and showed an increased level of threat sophistication and maturity. What has become clear to many recently is that while traditional methods of data protection are essential, they are no longer sufficient.
As the attacks, or ‘threat landscape’, continue to evolve at a frightening pace, it's clear that many organisations are failing to learn what they're up against from both a data protection and a cyber-security perspective. Sure, they know that they need strategies in place to protect their business from being disrupted by cyber-criminals, but do they have the ability to get up and running quickly after an attack or breach?
Cyber insurance explained
Traditional data protection strategies have centered around the three foundational components of IT: people, process and technology.
Data protection with people begins with education and a continuous focus on making employees aware of the most recent threats in the industry. It only takes one weak link, or one unknown threat, before the data is compromised. Focusing on process is also essential. As many have pointed out, recent ransomware attacks would have been mitigated if patches had been applied on a timely basis. And finally, traditional data protection employs technology for network and endpoint protection, such as firewalls and anti-virus. All these protections are essential and should not be ignored. Clearly, however, they are not sufficient, as evidenced by the explosive growth of cyber-insurance.
Cyber-insurance is not entirely new, but it has (unsurprisingly) been growing at a similar pace to malware and ransomware. In 2015, PwC set the cyber-insurance market at £1.9 billion, with a projected market size of £5.7 billion in 2020. However significant the growth of the cyber-insurance market, recent incidents have proven that the adverse effect of malware on government agencies and businesses has made this a board-level topic, with a demand for better protection.
The costs of ransomware are not just the ransom demand itself; far from it, in fact, as the amounts requested are often below £1000. They include tangible internal costs such as incident response, forensics, increased customer call-centre support, legal engagement and public relations. External costs and insurance coverage are associated with the liability of failing to keep the data secure.
Mitigating the ransomware risk with process and technology
However, there is another fundamental insurance component that many have ignored: data backup with air-gapped protection, the process of isolating a backup from the live network. In fact, the very first recommendation provided by the US FBI in its guide, ‘Ransomware Prevention and Response for CEOs’, is to ensure that critical data is backed up and stored offline, and that restoration of this data is regularly validated. Indeed, backup and validation of data restores is the cyber-insurance that provides the most immediate and tangible benefit to the enterprise when it is compromised.
With proper technology and process in place, recovery time objectives (RTOs) can be minimised for critical systems, with the added benefit of leveraging the data to set up virtual labs where forensics can be applied to the incident. This insurance not only provides availability for the business, but confidence for the board that they are better prepared.
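The FBI recommendation above has two halves: keep an offline copy, and regularly prove that it restores correctly. The following is an added example of that second half, not code from the article or from Veeam: it takes a SHA-256 manifest at backup time, and a restore drill later compares the restored tree against it, reporting files that are missing, altered or unexpected. Paths, file names and contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def validate_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    The manifest must travel with the offline copy: a manifest left on the
    live network could be altered along with the data it describes.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_is_clean(report: dict) -> bool:
    """A restore drill passes only when every category in the report is empty."""
    return not any(report.values())


def demo(tamper: bool) -> dict:
    """Constructed drill: back up two files, restore them, optionally corrupt the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        live.mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed sample data
        (live / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(live)  # captured at backup time, stored with the offline copy
        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)  # stands in for restoring from the offline copy
        if tamper:
            (restored / "ledger.csv").write_bytes(b"\x00garbage")  # content changed after backup
            (restored / "notes.txt").unlink()                      # file lost
            (restored / "extra.txt").write_text("not in backup\n")  # file that should not exist
        return validate_restore(restored, manifest)


if __name__ == "__main__":
    print(demo(tamper=False), demo(tamper=True))
```

In a real drill, point validate_restore at the directory a restore job produced and treat any non-empty category as a failed test of the backup, not just a warning.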
A second, real and tangible benefit is that employing a viable availability solution can reduce the cyber-insurance premiums paid by the enterprise. While annual costs for cyber-insurance range from £1,000s to £100,000+ depending on revenues, industry and company size, one of the factors that determine the premium is the protection already implemented, just as is the case with house or car insurance.
New technologies, same problems?
With the growing opportunity for more sophisticated uses of data and Internet of Things technologies, artificial intelligence, biometric systems, Industry 4.0 manufacturing robotics, connected cars, and smart buildings, businesses must be aware of how threats, such as ransomware, will evolve in the near future, progressing from the PC to also impact their wider business operations.
But it's not about being hack-proof. The speed at which attacks are changing means this is virtually impossible. Rather, you should make your security as robust as possible and ensure your backups are not located solely on your network, to eliminate the possibility of attack or corruption.
Malware and ransomware aren't going anywhere soon.
Therefore, a combined approach of having your processes in place, making yourself a less attractive target by routinely carrying out updates and backups, and having a data protection insurance policy (inclusive of a cyber-insurance plan and an availability solution in place) is smart business when planning for the future.

Contributed by Massimo Merlo, VP of EMEA Enterprise, and regional VP of UK and Ireland at Veeam Software