By Brian Pinnock, cybersecurity expert at Mimecast
Even as the world remains in the grip of a global pandemic that is showing no signs of abating, another threat is vying for the crown of number one risk to the global economy.
In scenes reminiscent of action thrillers, high-tech criminal organisations are targeting high-value organisations and critical national infrastructure.
Data is being locked away in encrypted formats and criminals are demanding ransoms for millions in exchange for the release of data or, in some cases, the promise to not release sensitive customer and company information such as passwords and ID numbers publicly (in what is known as double extortion attacks).
These ransomware attacks are forcing organisations offline, which can lead to major disruption of an organisation and its supply chains.
Downtime means organisations are unable to deliver services which could be catastrophic when it affects critical national infrastructure.
Following a series of highly publicised ransomware attacks on businesses and critical US infrastructure, the US Department of Justice has announced it is elevating investigations of ransomware attacks to a similar priority level as terrorism.
Recently, a successful ransomware attack on a US IT management software firm, Kaseya, put more than 1 000 businesses – all customers of the firm – at risk.
What distinguished the perpetrators of this latest attack from historic ransomware attackers is that they offer ransomware-as-a-service, suggesting that anyone who was willing to pay it for its services could launch similar attacks against businesses or critical infrastructure.
In fact, one report found that nearly two-thirds of ransomware attacks in 2020 employed a ransomware-as-a-service model.
Local organisations targeted
In South Africa, organisations face the dual challenge of securing against ransomware attacks and avoiding regulatory penalties should they fail to take all reasonable steps to protect against data breaches.
The Protection of Personal Information Act has raised the stakes for businesses who already face a growing volume of increasingly sophisticated attacks.
In Mimecast’s State of Email Security 2021 Report, 47% of South African respondents stated their organisations were hit by a ransomware attack in the past 12 months, with seven days being the average amount of downtime.
Common consequences for affected organisations include data loss (66%), business disruption (53%), damage to their reputation (45%), loss of productivity (38%), financial losses (38%) and negative impact on regulatory compliance (30%).
Recent research by the Ponemon Institute also brings into stark relief the cost of data breaches to local organisations.
According to the latest data, it took South African organisations an average of 177 days to identify a data breach and 51 days to contain it, costing them on average $2.14-million, or around R30-million, per breach.
Organisations, desperate to get their data back and avoid downtime as well as damage to their customers and reputations, are paying huge sums to these criminal organisations.
Mimecast research found that 53% of South African organisations that suffered a ransomware attack paid the ransom, but only 60% actually recovered their data. Forty percent never got their data back despite paying the ransom.
However, in a twist of irony, ransom payments are playing into the hands of criminals.
When an organisation suffers a ransomware attack and makes the payment, they become prime targets for future attacks. And cyber insurance is no longer the silver bullet: many insurance firms no longer cover the cost of ransomware payments.
A layered security strategy approach for best protection
What can organisations do in response to the growing threat of ransomware attacks?
Harden the email perimeter.
Email remains the most attractive attack vector. Using a mature, cloud-based secure email gateway with advanced inbound and outbound scanning remains the most effective way to do that.
Deploy a layered email security strategy to augment the built-in email security of solutions such as Microsoft 365.
Recent Mimecast research found that 95% of South African IT decision-makers use additional third-party solutions to better secure their business email platforms.
Forty seven percent of respondents identified ransomware as a reason for deploying third-party solutions for email security, while nearly a third (31%) said ransomware was one of the primary reasons.
Thirty eight percent suggested their email platform’s built-in security does not have adequate ransomware tools.
Protect and preserve corporate data by archiving to an independent, separately secured environment.
This allows organisations to recover their data in the event of a successful ransomware attack while also maintaining a lean amount of data that reduces the organisation’s exposure and attack surface.
Our research found that 45% of respondents deployed third party solutions for email as they required reliable and robust back-up solutions in the event of a breach.
Establish an email continuity plan that allows you to continue operating in the event of a cyberattack or other disruption.
As the lifeblood of modern business productivity, email is essential to keeping the business running in the wake of a disruptive event, including ransomware attacks.
Support end-users by empowering them with regular and effective cybersecurity awareness training.
This helps strengthen overall organisational defences and removes opportunities for threat actors to breach the perimeter due to human error or negligence.
Employ new technologies such as AI and machine learning to bolster the capabilities of security teams.
Such tools can be invaluable in helping recognise patterns for detecting threats or vulnerabilities, equipping security teams with greater visibility over potential risk areas.
Finally, organisations must monitor and control shadow IT.
With the rise of the hybrid digital workplace, the lines between employees personal and professional lives are increasingly blurred.
Unsecured Wi-Fi, public file sharing services and insecure website access all increase the risk to the user and, by effect, the organisation.
By gaining greater visibility over applications, security teams are better able to monitor which apps are being used and block those that pose a risk to organisational defences.