In 2021, crypto analysis firm Chainalysis estimated that victims of ransomware paid over $692 million in extortion payments. This marked a 70% increase from the previous worst year on record (2020), and it only tells a small part of the story.
Analysis from cyber insurance claims shows that, as frustrating as it is to pay criminals to restore critical data, the cost to the business is significantly worse. Data from insurance broker AON projected that the business costs from ransomware attacks in 2021 would top $20 billion.
70% of ransomware victims are small to midsized enterprises (SMEs) with fewer than 500 employees. This is a sweet spot for criminals because these organizations – many of which are cities, hospitals and school districts – can’t afford to shut down but also can't afford to compete for expertise, given the 700,000 open cybersecurity positions across the U.S.
At Resilience, we are laser-focused on these middle-market organizations and see firsthand the pain enacted by this menacingly profitable form of cyber crime. The school district that not only struggles to restore teachers’ computers but also worries about criminals leaking student personal data. The manufacturer that missed a critical patch and now wonders how long it can afford to delay orders. The city with thousands of civilians that has to choose between funding more crime fighting or keeping critical services running. Organizations must build resilience in their digital systems that allows them to defend against ransomware attacks and recover in a manner that doesn’t necessitate paying a ransom.
Our drive to build cyber resilience in our customers led us to join our partners on the Ransomware Task Force to launch a tool specifically focused on supporting SMEs, the Blueprint for Ransomware Defense.
From the start, we wanted to move past the various vendor-sponsored “top 10 lists” for how one product or another could protect against ransomware attacks. This type of FUD (fear, uncertainty and doubt) marketing promises that a specific product or solution will make a company completely secure against attacks. As cybersecurity and insurance specialists, we know the hard truth: no system is completely safe from a determined adversary, and success relies on an organization’s ability to take a punch and maintain operations.
Instead, the blueprint begins with data-backed security control recommendations from the non-profit Center for Internet Security. With their assistance, task force members prioritized security measures based on:
a) what has been proven to be most effective at stopping attacks; and
b) what is reasonable for an SME with minimal staff and funding to accomplish.
As an insurance provider, Resilience was also able to offer insight into which controls had the greatest effect on lowering the damage of successful attacks and helping companies recover without paying a ransom.
See also: Ransomware Grows More Pernicious
The blueprint prioritizes these controls along seven categories:
- Secure Configurations
- Account and Access Management
- Vulnerability Management Planning
- Malware Defense
- Security Awareness and Skill Training
- Data Recovery and Incident Response
While none of this is earth-shattering to security professionals, we believe that the core value of the blueprint lies in its ease of implantation by the partners that serve this highly targeted group of SMEs, including cloud providers, consultants and managed service providers. As these organizations look to defend their clients from ransomware, we will continue to maintain this list as a prioritized “building code” for what is currently working best to build resilience against attacks.
As noted in the report, the ransomware blueprint also provides two critical elements for the cyber insurance industry’s fight against the rise in criminal ransomware attacks.
First, the blueprint provides a practical, data-driven guide specifically for middle market and small businesses, which often struggle the most with defending their systems. Starting with the CIS Implementation Group 1 control set, the task force selected these security measures as the most critical defenses against ransomware. Underwriting and claims professionals have also reviewed these measures to ensure they match with what is being seen to help lower the likelihood of attacks.
Second, the blueprint helps the insurance industry better understand what signals to look for when underwriting accounts. In other lines of insurance, engineering-based loss data drives underwriting and risk mitigation efforts by carriers and reinsurers. Because of its human adversarial element and highly technical nature, cyber insurance has often relied on data breach litigation data to drive actuarial pricing and determine underwriting guidelines. The rise in ransomware has dramatically shown the need for a greater focus on security controls that can stop attacks and speed recovery so that insureds are not forced to pay extortion to recover their critical systems quickly.
As a newer cyber insurance provider, Resilience believes in sharing insights we’ve gained as security practitioners with the broader insurance community. A unique feature of the insurance industry is that many firms provide capital for insuring a single organization. This process is called building an insurance “tower," meaning that competing insurance providers may share the risk on the same account. We believe that sharing public resources like the blueprint can help less technical underwriters better understand the risks they are underwriting, which benefits the industry.
Some of these best practices from the blueprint that Resilience considers when underwriting against ransomware risk include:
- Implementation of strong backups;
- Security awareness and incident response training;
- E-mail security deployed across the entire enterprise;
- Advanced endpoint protection against malware; and
- Network visibility and security.
Building cyber resilient companies is about more than setting up strong defenses or paying insurance claims. The ambitious nature of ransomware actors has led to consistently evolving tactics that thwart common defensive measures. Focusing solely on prevention is a risky endeavor if an organization has not also thought about how to maintain operations during a disruption.
Coming back from a successful attack without resorting to extortion payments or a complete overhaul of critical systems is the other half of a cyber resilient mindset. Resilience believes the traditional cyber insurance market has to evolve from simply transferring financial burden of an incident toward using data and knowledge to increase the safety of customers. At Resilience, this virtuous cycle of security and insurance has been shown to reduce claims costs, increase patching cadence and drive executive attention across our customer base.
We feel bold enough to say the cyber resilience model must be the next insurance market evolution for this product. With the Ransomware Task Force Blueprint launch, we believe this is a concrete first step down that path and encourage you to join us.
Access the blueprint for yourself at: https://securityandtechnology.org/ransomwaretaskforce/blueprint-for-ransomware-defense/