The threat of cyber attacks and data breaches is among the top issues for executives working in business continuity and resilience. According to a survey of companies in 79 countries by the Business Continuity Institute (BCI) and the British Standards Institution, 88% of respondents say they are “extremely concerned” or “concerned” about cyber risks.
“Cyber attacks and data breaches continue to cost organizations billions of dollars annually, a sum that is only likely to go up with the increasing integration of new pieces of technology into daily operations,” said BCI Executive Director David Thorp.
Along with these cyber threats comes the emerging risk of ransomware – malware that scrambles data and demands a ransom to decode it. A study by IBM Security shows that ransomware increased 6,000% in 2016 compared with 2015 and was on track to be a $1 billion business by the end of the year. The FBI said ransomware in the first three months of 2016 alone cost victims $209 million, up from $24 million in all of 2015.
Organizations that have paid ransoms to get their systems back up and running span many industry sectors, from healthcare providers and hospitality to educational institutions and others. For example, in 2016, hackers got into the Hollywood Presbyterian Medical Center’s computer system, scrambled the files with an unbreakable code and refused to release them until they were paid $17,000. After three weeks of operating without crucial computer programs, the Los Angeles hospital paid the ransom to restore its system. South Carolina’s Horry County School District was hit last year when hackers froze networks for 42,000 students and thousands of staff. The district technology director tried to shut down the system, but within minutes the attackers had immobilized 60% of the county’s computers. The district paid $8,500 in Bitcoin to unlock its systems.
The problem is that the ransomware business model works, despite the FBI’s recommendation not to pay the ransom and to call law enforcement: 70% of business victims paid the hackers to get their data back, according to the IBM study. Of those who paid, 50% paid more than $10,000 and 20% paid more than $40,000. These findings were underscored at this year’s RSA Conference, where it was reported that businesses choose to pay the ransom because doing so is less expensive than holding out against the attackers.
The key is to take as many precautions as possible to prevent a ransomware attack. Experts recommend the following:
- Keep clear inventories of all digital assets and their locations, so cyber criminals cannot compromise a system the company does not know it has.
- Keep all software up to date, including operating systems and applications.
- Back up all information every day, including information on employee devices, so data encrypted in an attack can be restored from backup.
- Back up all information to a secure, offsite location.
- Segment the network: Don't place all data on one file share accessed by everyone in the company.
- Train staff on cyber security practices, emphasizing not opening attachments or links from unknown sources.
- Develop a communication strategy to inform employees if a virus reaches the company network.
- Before an attack happens, work with the company’s board to determine what protocols are in place for paying a ransom or launching an investigation.
- Perform a threat analysis together with vendors, reviewing the security of a particular device or application throughout its lifecycle.
- Instruct information security teams to perform penetration testing to find any vulnerabilities.
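The daily-backup advice above only helps if the backup job refuses to overwrite a good offsite copy with freshly scrambled files, and if the restored copy can be verified. The following is an added example, not code from the article or from any of the organizations it names: a small manifest-based check that flags a mass change of tracked files (what encryption in place looks like) and confirms a restore against the last good manifest. The change threshold, file names and directory layout are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical threshold: if more than 30% of the files tracked by the last
# manifest changed or vanished, treat the run as a possible encryption event.
CHANGE_RATIO_LIMIT = 0.3

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed_ratio(old: dict, new: dict) -> float:
    """Fraction of previously tracked files that changed or disappeared."""
    if not old:
        return 0.0
    return sum(1 for k, v in old.items() if new.get(k) != v) / len(old)

def backup_is_safe(old: dict, new: dict, limit: float = CHANGE_RATIO_LIMIT) -> bool:
    """Normal daily churn passes; mass change (what encryption looks like) does not."""
    return changed_ratio(old, new) <= limit

def verify_restore(manifest: dict, restored: Path) -> list:
    """Files whose restored copy is missing or does not match the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (restored / rel).is_file()
            or sha256_file(restored / rel) != digest]

def demo() -> tuple:
    """Constructed scenario: 10 documents, then 8 are overwritten in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"doc{i}.txt").write_text(f"quarterly report {i}\n")
        good = build_manifest(root)          # what yesterday's backup recorded
        for i in range(8):                   # stand-in for files being scrambled
            (root / f"doc{i}.txt").write_bytes(b"\x00" * 32 + bytes([i]))
        after = build_manifest(root)
        return (round(changed_ratio(good, after), 2),
                backup_is_safe(good, after), verify_restore(good, root))
```

In a real job the manifest from the last good run would be stored with the offsite copy, so the comparison cannot be tampered with from the compromised host.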
In addition, companies should review their Cyber Liability policies for ransomware coverage. Policies are available that include coverage for a cyber extortion loss, and provide assistance to an insured responding to a threat and reimbursement of the ransom amount if payment is made. RPS provides Cyber insurance programs to a broad spectrum of industries and offers policies that include Privacy Liability, Professional Liability, Network Security Liability, Media/Website Liability, Notification Expense, Regulatory Proceedings, Brand Protection/PR, Business Interruption, Damage to Systems, Electronic Theft and Cyber Extortion.