With WannaCry and the inevitable slew of attacks to follow, Ransomware has hit the mainstream in a way that can’t be denied by business leaders. Bitcoin has reached new heights as organizations scramble to descramble their files or get a cache of coins for a rainy day, and rarely a day goes by that we don’t hear about a hospital or small business suffering the ravages of this new threat.
In security we talk about something known as the CIA triad - the need to protect confidentiality of data, integrity of data and availability of data and systems.
Traditionally, most security failures have involved confidentiality - loss of personal information like credit card details or usernames and passwords, or loss of corporate intellectual property. Similar to carbon pollution, the effects of these breaches are only minimally felt by the organization suffering the breach, in terms of fines, brand damage, or loss of customer confidence - a great deal of the damage is an economic externality to the company, in the form of the cost to replace credit cards and deal with identity theft, the social embarrassment of nude pictures being shared, etc.
Because the loss of data is often an externality, in the same way governments are slowly seeking to regulate carbon pollution, regulations have arisen to deal with security weaknesses - standards like HIPAA, PCI, mandatory breach disclosure legislation, etc.
Also, traditionally, security controls have been so weak that the majority of breaches are not detected by the companies themselves, but by interested third parties - law enforcement investigating other cases, credit card companies investigating fraud patterns, or security researchers trawling the dark web.
But ransomware is different. Instead of hitting confidentiality, it hits availability. It can’t be ignored; it has to be dealt with. The economic loss and operational downtime are direct to the business and can be catastrophic. As a result, business leaders who previously downplayed the necessity of investing in information security to deal with an economic externality are faced with business survival issues, and will be forced to pay more attention.
On the good side, the controls we put in place to help against Ransomware also help against other forms of attacks and reduce their risks. Many of the controls are basic hygiene - although traditional AV is a poor protector, next-gen AV solutions are often effective. Patching, although boring, becomes critical as Ransomware authors embed worm-like functionality into their delivery mechanisms.
Instead of everyone suffering quietly from the slow leak of personal data, Ransomware makes the threat real, immediate and business critical. And although it’s painful, the reaction to it should help businesses move forward on long lagging security programs.
If your organization needs help getting a handle on Ransomware, and you’d like to do a self-assessment of your readiness, you can download our Ransomware Readiness Assessment here. Feel free to contact us if we can be of any assistance in helping you mature your security program.