There is no denying that 2016 was the “year of ransomware” with many commentators back in January predicting record numbers of attacks. According to SentinelOne's global survey of 500 cyber-security decision makers in organisations across the UK, US, France and Germany, 48 percent had fallen victim to a ransomware attack in the last 12 months, with 80 percent indicating they had suffered from three or more attacks.
Targets and techniques
As they have for decades, cyber-criminals continue to illegally access sensitive data by simply tricking users. As evidenced by the survey results, phishing remains the most popular method of attack with 81 percent of respondents globally reporting this as the method that attackers used to access their networks. For the UK, drive-by downloads and infection via a botnet followed in second and third place, respectively.
Globally, employee information (42 percent), financial data (41 percent) and customer information (40 percent) were the types of data most often affected by these attacks. Targeted ransomware attacks are also increasing, with recent examples including Petya targeting German corporate HR employees. Similarly, 22 million government workers were targeted in an attack in June 2015 with hackers going after employees' information; these employees then found themselves the targets of phishing campaigns designed to trick them into downloading malicious payloads onto their computers.
How organisations are responding
The common reaction of businesses, once hit by a cyber-attack, has been to turn to mitigation rather than defence; cyber-insurance companies have been one of the beneficiaries from this approach, with 15 percent of companies claiming to have taken out cyber-insurance to help mitigate the cost of attacks. The impending EU GDPR regulations and the threat of fines of up to €20 million (£17 million), or four percent of turnover is causing another 52 percent of those companies who don't currently have insurance to investigate the possibility. It was also found that US companies are much more likely to already have cyber-insurance in place than their European counterparts; 72 percent of organisations globally already possess cyber-insurance, but just 49 percent of UK companies have such policies, representing a lucrative new business opportunity for the insurance sector.
The onus is also on vendors to take responsibility for their products; the survey results revealed that 90 percent of companies would like to see a security vendor offer guarantees on their products and services – for France and the US this figure climbs to 95 percent. More than 80 percent have also claimed they would change providers if they could find an alternative IT security vendor who offers a guarantee. It has long been an anomaly that security vendors have been able to avoid guaranteeing their technologies and services when in most other industries, product guarantees come as standard. The security industry has been in the midst of a credibility crisis but taking responsibility when security technology fails would prevent vendors focusing on sales and marketing hype that gives businesses a false sense of security, and ensures that security technology innovation keeps pace with that of fraudsters and cyber-criminals.
Security product guarantees are beginning to gain market traction and industry acceptance, and a handful of forward-thinking security vendors are now starting to offer their own flavour of warranties too. The information security industry is headed for a major shift where security vendors could be required, not only by customers, but lawyers and insurers too, to put their money where their mouth is. And doing so is a good thing for everyone.
Ransomware has caused a significant loss of confidence in existing cyber-security techniques. Around two in three respondents (65 percent) believe that traditional cyber-security techniques are ineffective in combatting ransomware and 44 percent consider antivirus an ineffective solution to the problem. Similarly, 53 percent of respondents believe hackers are winning the battle against IT security vendors due to the fact that traditional, static-based detection methods just can't compete against the targeted and elusive modern threats of today.
Security is at a point of crisis, and customers and vendors must both instigate change. There's an immediate need for a new generation of security technologies that can discover, adapt and stop the new breed of threats and hacker strategies.
Contributed by Tony Rowan, chief security consultant, SentinelOne