Moving past the ransomware hype to focus on real solutions

Andrew Hay shares powerful insights on the reality of ransomware, where it could lead, and what we need to do about it today


Ransomware is grabbing headlines as it impacts companies around the world.

Are you taking the right steps? How do you know?

Rob Gresham signaled the trend in our discussion "Are you prepared to respond to ransomware the right way?" It was an eye opener for most of us.

And now the headlines continue. The debate rages on. Security companies are jumping on the trend. After all, once it makes the evening news, it’s likely to capture attention. That means a lot of hype mixed in with promising solutions.


Andrew Hay (LinkedIn, @andrewsmhay), Chief Information Security Officer at DataGravity, knows how to sift the news and focus on what matters. With over 15 years of data security experience, both in roles inside organizations and advising them, Andrew is responsible for the development and delivery of DataGravity's data security strategy.

Devilishly handsome, Andrew has a wealth of experience. He is a friend, and our conversation was nothing short of dynamic (perhaps I should start recording these?). He captured my attention with some of his insights and suggestions. It's a treat to share some steps certain to benefit your efforts.

Ransomware has moved from nuisance to something to take seriously. What do you see as a potential evolution?

Ransomware may have been perceived as a nuisance as recently as last year, but now we’re seeing it hit – and cripple – hospitals, police stations, schools, and other critical organizations. One of the aspects driving the change is that many ransomware campaigns may be criminally backed, which means it’ll remain a serious threat for some time and will be highly organized and executed. Another is the fact that paying a ransom can validate the attacker’s already lucrative business model, encouraging him to launch campaigns in the future – and there’s no guarantee that he’ll actually release hostage data after the ransom has been paid.

As threats evolve, we might see changes in the ways we approach preventative measures. Rather than warding off attacks, we'll likely see efforts dedicated to understanding, backing up and protecting sensitive data. We'll also see a shift in responses and negotiations with cybercriminals. Consider what will happen when they say, "You don't have to pay to restore your data. But I need you to do me a favor." As an industry, we'll need to think about what we can learn from hostage and terrorism negotiation in the real world.

Is the current reaction and overhyped approach flooding our inboxes helping or hurting our efforts?

The current approach, in which companies focus only on prevention, is a total waste of time, and it distracts from the real danger of ransomware. The real challenge is the speed at which ransomware evolves: detecting it today doesn't mean your defense will work tomorrow. The Tactics, Techniques and Procedures (TTPs) are constantly evolving and, moving forward, some attackers will take advantage of the growing trend of demanding payment with no intention of returning hostage data. This behavior is causing chaos in the industry.

At some point the price of ‘preventing’ the problem becomes cost prohibitive. Then what do we do?

Consider how cybercriminals strategize – they’re constantly evaluating the cost of security prevention and issue response before they calibrate attacks. They’re trying to operate in a landscape where people are more likely to pay to retrieve their data. On the vendor and end-user side, are we doing the same?

Calculate the cost of preventative measures at your organization. This critical step often gets avoided, and as a result, many enterprises, and even more midmarket and SMB companies, take risks without fully understanding them. As an industry, we need to band together, reconsider how we gauge risks and acknowledge how that process informs business decisions.

Perhaps a better approach is to think beyond prevention. What would that look like?

Organizations will always need to play defense against cyberattacks. However, the operative question is how we can make it harder for criminals to reach their goals – how do we change our systems and approaches and arrive at a point where there’s no need to pay?

There’s no definite answer to this question, and in some situations, the value and business impact of stolen data might make payment a logical solution. However, organizations should make it as easy as possible to recover operations and data in the event that prevention, defense and mitigation efforts fail. We’re seeing a lot of this in the medical industry, where hospitals and organizations are allocating spend to broad data protection and recovery efforts without letting the latest threat or scare drain resources. Another approach involves centralizing sensitive data, along with creating solid backups – in today’s IT climate, there’s no longer a reason to retain localized copies of files, as doing so can actually increase a company’s risk of ransomware attacks.

What steps can a security leader take to get going in the right direction here?

Ultimately, decisions concerning security risks are a numbers game. The amount a company is willing to pay for prevention, recovery or even a ransom differs between industries, organizations and individual situations. However, security leaders should consider how much their organizations are spending on security in relation to overall IT spending. There are no hard and fast rules for how much you should spend on security but, according to a SANS survey on 2016 IT Security Spending Trends (link: https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697), most organizations allocate between 3% and 9% of the total IT budget.

Security leaders should also remember to never say never when it comes to cyberattacks – every organization is at risk of a breach. It helps to know companies’ boundaries (and crunch the numbers) in terms of risk posture, prevention strategies in place and worst-case scenario responses. Additionally, security pros should constantly re-evaluate the solutions in use at their organizations, as well as the selection available on the market, to ensure their defense tactics are updated and in line with the industry climate.
