Which costs more, the ransom or a good security posture?
Author: Joel Shapiro, EVP, Sales
It is an all too common question that executives and leaders have to answer: do we have to pay the ransom? And after a breach, once the weeks of forensics, legal bills, and system upgrades are behind them, the next question is inevitable: how can we stop this in the future?
The "NotPetya" virus, also known as "Petya" or "ExPetr," was a destructive attack that occurred in June 2017. It was presented as ransomware but turned out to be purely destructive, targeting organizations primarily in Ukraine before spreading globally. The estimated financial toll of NotPetya was significant, with damages reaching into the billions of dollars. How could this have been prevented?
In most cases, a ransom paid after a cyberattack will cost more than maintaining a good security posture. The exact cost of a ransom is difficult to calculate given its wide-ranging impact, and it is a reactive measure taken in the aftermath of a successful attack. Investing in a robust security posture, on the other hand, is a proactive approach aimed at preventing attacks and minimizing their impact.
While not all ransom payments are successful, here is a list of common costs that follow a ransom demand after a cyberattack:
Ransom Payment: Depending on the severity of the attack and the attackers' demands, the ransom amount can range from hundreds of dollars to millions.
Potential Legal and Regulatory Costs: Paying a ransom can have legal and regulatory implications, potentially leading to fines, penalties, and legal fees.
Reputation Damage: Ransomware attacks can severely damage an organization's reputation, leading to customer loss and decreased trust.
Incident Response and Recovery: After paying the ransom, there are costs involved in recovering data and systems, and in conducting forensic analysis to prevent future attacks.
Downtime and Operational Disruption: Ransomware attacks can cause significant operational disruptions, resulting in downtime and lost productivity.
But what does it cost to have a good security posture? There is no one-size-fits-all approach, as each organization's cybersecurity budget will depend on its size, industry, risk appetite, and specific requirements; however, according to industry reports, most IT budgets allocate about 12% to security. With these budgets, the following activities and areas should be addressed:
Patch Management: Ensure that operating systems and software applications are regularly updated with the latest security patches. NotPetya exploited the EternalBlue vulnerability, which had a patch available before the attack. Prompt patching could have prevented its spread.
Network Segmentation: Implement network segmentation to isolate critical systems from the broader network. This limits the lateral movement of malware within the network, making it harder for threats like NotPetya to spread.
User Privilege Management: Enforce the principle of least privilege, where users only have the permissions necessary for their roles. This prevents malware from gaining escalated privileges and spreading further.
Email Security: Train employees to recognize phishing emails and suspicious attachments. NotPetya initially spread through phishing emails, so improving email security awareness is crucial.
Endpoint Protection: Deploy strong antivirus and endpoint protection solutions that can detect and block known malware. Behavior-based detection can help catch previously unseen threats.
Backup and Recovery: Regularly back up critical data and systems, and test the backup and recovery process. In case of an attack, this ensures that data can be restored without paying a ransom.
Network Monitoring: Implement intrusion detection and prevention systems to monitor network traffic for suspicious activities and malware behavior.
Application Whitelisting: Use application whitelisting to allow only approved applications to run on systems. This can prevent unauthorized or malicious software from executing. Mobile Device Management (MDM) for company-provisioned phones and sandboxed/restricted browsers are not common but can help.
Incident Response Plan: Develop and regularly update an incident response plan that outlines steps to take in case of a cyberattack. This facilitates a swift and organized response to mitigate the impact.
Cybersecurity Training: Train employees about cybersecurity best practices, the risks of clicking on suspicious links, and how to report potential security incidents. Employees must have an accessible mechanism to report possible security incidents and attacks without retribution.
Vendor and Third-Party Risk Management: Assess and manage the cybersecurity posture of third-party vendors and partners, as attackers can exploit weak links in the supply chain. This can include requesting letters of attestation from independent security audits.
Network Security Audits: Conduct regular security audits to identify vulnerabilities and weaknesses in the network infrastructure.
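The "Backup and Recovery" item above says to test the backup and recovery process, not just run it. The following Python script is an added example, not code from the original article, showing one way to make that test concrete: it copies a source tree into a backup location, records a SHA-256 manifest, re-verifies the backup later, and performs a trial restore into a scratch directory. The file names, contents and the deliberate corruption in demo() are constructed for the example; nothing here reflects any real environment.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and write a manifest of digests."""
    manifest = {}
    for item in sorted(source.rglob("*")):
        if item.is_file():
            rel = item.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(item, target)
            # Hash the copy, not the original, so the manifest describes what was actually written.
            manifest[rel] = sha256_file(target)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> dict:
    """Recompute digests and report which files are intact, altered, or gone."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    report = {"ok": [], "corrupt": [], "missing": []}
    for rel, expected in manifest.items():
        path = dest / rel
        if not path.exists():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_and_verify(dest: Path, restore_to: Path) -> bool:
    """Trial restore: copy the backup into a scratch tree and check every file against the manifest."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    for rel, expected in manifest.items():
        src = dest / rel
        if not src.exists():
            return False
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_file(target) != expected:
            return False
    return True


def demo() -> dict:
    """Constructed scenario: back up two files, then damage the backup and re-run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        bak = Path(tmp) / "backup"
        (src / "config").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")          # constructed sample data
        (src / "config" / "app.ini").write_text("[db]\nhost=localhost\n")  # constructed sample data

        create_backup(src, bak)
        before = verify_backup(bak)
        restore_before = restore_and_verify(bak, Path(tmp) / "restore1")

        # Simulate silent corruption of one copy and loss of another (bit rot, tampering, failed media).
        (bak / "ledger.csv").write_text("id,amount\n1,999\n")
        (bak / "config" / "app.ini").unlink()

        after = verify_backup(bak)
        restore_after = restore_and_verify(bak, Path(tmp) / "restore2")
        return {
            "before": before,
            "after": after,
            "restore_before": restore_before,
            "restore_after": restore_after,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))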
While maintaining a good security posture involves ongoing costs, the long-term benefits usually outweigh the costs. It's important to view cybersecurity as an investment in protecting the organization's assets, reputation, and continuity. A proactive approach to security can significantly reduce the risk of successful cyberattacks and the substantial costs that come with them.