Questions and Dilemmas in An Age Of Intensifying Cyber Attacks
During recent months, there has been a dramatic increase in the number of attacks worldwide and Israel in particular. Most of the attacks go unreported in the media, and for those that do, their full extent is never disclosed.
The experience of an organization under cyber-attack, and ransomware attack in particular, is a jolting and dramatic experience. The element of surprise, combined with the initial confusion that leads to the immediate involvement of the organization's higher ranks, having to make numerous critical decisions and the increasing financial damages as the incident progresses – make a cyberattack a high-stress event.
Managing that kind of incident is a highly complex task that progresses on several fronts: negotiating with the attackers, communicating the event in and outside the company, reporting to the regulator (stock exchange, supervision of banks, institutions, etc.), and more. Each front is led by different people, with differing perceptions that don't always align. It isn't conducted in an orderly manner when decision-makers are well-rehearsed or prepared for a moment of crisis and face an extreme scenario for the first time.
It is important to understand the potential damage of a cyber-attack. Only after discovering the breach, the extent of the disaster can be uncovered: halted business activity (sometimes entirely), damage to reputation following the incident's publication. Often stock prices drop in response, and in some cases, very high ransom payments.
The most common reason for hackers to attack organizations is financial gain. There is a growing trend in recent years of Advanced Persistent Attacks (APT) - highly sophisticated attacks in which attackers target the core of an organization while carefully picking the "victim", gathering business and financial intelligence on its value, executives and existing security systems.
An average attacker will plan their attack for several months (3-6 months), and as long as the expected monetary gain outweighs the time investment, the attacker's motivation will keep rising.
Ransomware attacks stand out among the various types of attacks. Hackers break into the organizational systems, encrypt the information at record speed while moving laterally inside the network, sometimes retaining sensitive business / private information which they uncovered during the break-in.
Employees cannot access or release information, computer systems are paralyzed, while only the hackers have the decryption keys. This type of attacks is becoming increasingly popular in recent years.
A cybersecurity incident is not solely the responsibility of the IT department or cyber division in the organization. It is an extensive and far-reaching event that affects every operator in the organization, from the HR manager through the Head of Marketing to the COO and, in fact, the entire chain of command. Once the organization is well-rehearsed, and everyone knows what they need to do from the get-go, the ability to contain the incident and end it quickly increases by orders of magnitude.
Quite a few incidents have recently ended with ransom payment to the attacker, in considerably high amounts (from hundreds of thousands to millions of dollars). The main motivation was the desire to end the event and get back to business, as well as to prevent the attacker from publishing confidential business information that could cause a great deal of damage.
In a significant portion of these cases, the companies that paid the ransom were covered by a cyber-insurance policy that helped them decide to pay "at the expense" of the insurance company. The question arises - is the actuarial risk for insurance companies not too high in light of the number of attacks? And more importantly, do insurance companies carry out a proper underwriting procedure for each company before issuing a policy?
And the million-dollar question; to pay, or not to pay?
My opinion, of course, is on a case by case basis. No two attack scenarios are alike, and each organization is different. Thus, each incident is unique and should be custom-managed. It is also important to remember that as long as cybercrime pays off, the attacker has the upper hand. Generally, every effort should be made to avoid payment.
From my experience in managing many events, ransomware attacks dramatically highlight the organization's readiness for such scenarios - from effective backup policies and their implementation to real-time monitoring and encryption detection.
Insurance companies must work to raise the level of protection in organizations and make sure that the organizations they insure are adequately protected during the underwriting process. Unlike other insurance policies, cyber-insurance policies carry an essential need for ongoing review of the organization's resilience to these attacks, a kind of dynamic policy that requires constant adjustments according to the organizations' protection against threats. This way, the market will experience fewer extreme events of cyber incidents in general and ransom payments in particular.
And that's precisely the answer to the million-dollar question. Companies and organizations should avoid being under a ransomware attack and invest the money beforehand in properly defending the organization (the cost is significantly less than those post-attack costs).
It is important to note that paying the ransom to the attacker is not the incident's concluding moment. There is no magic formula. The "recovery" time is long, painful and exhausting. The organization is required to reevaluate, implement controls, examine the defense systems, the various attack vectors, and most importantly, learn the lessons of preparedness in all aspects, from identifying the breach through restraining and containing to returning back to normal.
The Ponemon Institute recently published a comprehensive study examining thousands of organizations worldwide affected by cyber-attacks. It found that the average financial damage to an organization stands at $ 3.4 million per incident. An equally important statistic in the same study shows that for organizations with a plan, good network control tools, and well-prepared staff, the damage was up to 60 percent lower than average!
And just like a muscle that needs to be trained to stay strong, it's crucial and necessary to train management and rehearse response procedures so that they do not "degenerate" and better "carry the weight" of a cyber-attack when the time comes.
The Banking Supervisor and the Director of Capital Markets in Israel have each issued advisories discussing annual management training, requiring those organizations to have procedures that strengthen that "muscle". Is that satisfactory?
Will everyone really know their place during an incident? I'll say this is definitely a good start, especially understanding that as with any emergency, without prior practice, chaos will ensue.
Unfortunately, many organizations do not understand the consequences of a cybersecurity event or a ransomware attack in particular. As someone who has closely guided companies through dozens of such events, the experience is unpleasant and the results are dramatic. Uncertainty and recovery time can drag on for many weeks while the organization suffers huge losses, both financially and reputation-wise.
The cyber market has always struggled with a Return On Investment (ROI) model. Dozens of models have been built to measure the return on investment in information security, how and how much is right to invest. It seems the answer will never be accurate, but one thing is certain: insufficient investment in information security can create a loss of millions during an incident.
Few organizations don't experience cyber events. On the one hand, due to lack of means and monitoring, the organization does not know it was attacked, while others, at the other end of the scale, have protected themselves in a holistic and calculated manner. It's important to remember - organizations that experience fewer cyber incidents are not attacked less often. They are simply organizations that have protected themselves based on a comprehensive and holistic approach.
An unprotected organization is basically a ticking time bomb. It is only a matter of time before it will be attacked, and when it happens, it will likely have critical and fateful consequences.
In today's reality, it's not a question of "if", it's a question of "when".Back