Authored by: Ravi Rajendran, Vice President, Asia Pacific and Japan at Cohesity
Insurance is, by definition, ‘a financial agreement with a company where you pay regular amounts of money and they agree to pay the costs if you are sick, suffer loss or damages’. Given that the Singapore Police Force received over 16,100 cybercrime reports in 2020, and that a ransomware attack happens somewhere in the world every 11 seconds, it is little wonder that the global cyber insurance market is valued at over SGD 8 billion per year, with a compound annual growth rate of 23.76% through 2027, according to Verified Market Research.
For many organisations ransomware cover is simply a line item in their cyber insurance policy; others may not have proactively sought ransomware cover when taking out cyber insurance; and some companies may not have cyber insurance on their radar at all. However, many insurers are now automatically increasing cyber insurance premiums by 15% or more depending on the customer’s industry, and others, such as multinational insurer AXA, have announced they will stop writing policies that reimburse ransom payments. With IDC’s recent 2021 Ransomware Study: Where You Are Matters! report revealing that more than one-third of organisations have experienced a ransomware attack or breach that blocked access to data or systems in the past 12 months, organisations now face being held to ransom by their cyber insurance coverage - or lack of it - and not just by malicious actors.
The same IDC report found that only 13 percent of organisations that experienced a ransomware attack or breach in the last year did not pay the ransom, despite the average ransom payment totalling almost USD 250,000. That highlights the dilemma organisations face when hit by ransomware, insured or not. The report also found that the manufacturing and finance sectors reported the highest rates of ransomware incidents, while IBM has found that the average cost of a data breach in the healthcare sector now totals USD 7.13 million. An organisation hit by ransomware has several considerations to weigh, and with its reputation at stake and its customers at risk, paying the ransom is often seen as the only way to get the criminals to unlock its files.
However, there is no guarantee that data and normal business operations will return. In fact, ‘big game hunting’ is becoming a common ransomware strategy: attackers target large, high-value organisations and, instead of hitting a single endpoint, compromise multiple server-side elements of the infrastructure, including the backup systems, to force the victim’s compliance. These attacks also increasingly exfiltrate sensitive corporate data before encryption, so that the attackers can threaten to sell or publish it - extending the blast radius beyond the encryption of files and backups to fully-fledged extortion, or double extortion.
The unfortunate reality is that paying a ransom often achieves the opposite of remediation: criminals see companies that pay as soft targets likely to pay again. Earlier this year a REvil ransomware operator revealed that the group deliberately targets insured organisations, even hacking insurers first to obtain their customer lists. DarkSide, the group behind the Colonial Pipeline attack, has revealed that it searches a victim’s systems for evidence of cyber insurance coverage and, when it finds a policy, sets its demand as high as that coverage will bear.
How to move from reaction to prevention
With the cost of ransomware damage forecast to rise more than 13-fold to over $265 billion annually, and the frequency of attacks forecast to rise from one every 11 seconds to one every 2 seconds by 2031, what measures can organisations implement, and insurers require, so that ransomware holds neither party to ransom? As with any remedy, prevention is the best approach. Just as an insurer charges a lower premium for a car that is kept in a garage and fitted with an immobiliser, the right data management technology gives organisations a preventive measure and gives insurers a basis for a technology mandate, a set of controls a policyholder must have in place, which allows ransomware cover to continue to be offered.
The first measure, or technology mandate, to consider is the 3-2-1 rule for data backups: keep at least three copies of your data, on two different types of media, with one copy kept offsite and offline or otherwise isolated from the production network. A copy that is merely offsite but still reachable with the same credentials that run production is not isolated: ransomware operators routinely locate and delete or encrypt such copies before they trigger encryption. Followed properly, this simple backup and recovery approach ensures that an organisation always has an available and usable copy of its data and systems. Offsite and offline backups do not stop ransomware from getting in, but, combined with the right security controls and employee awareness training, they remove most of the attacker’s leverage: the organisation can restore instead of paying.
Building on the role of backups, the second data management measure and technology mandate is immutable backups. An immutable backup cannot be modified, encrypted or deleted once written, which makes immutable file systems and snapshots one of the purest ways to tackle ransomware. The original backup snapshot is never exposed read-write: a restore or test is served from a mounted clone or view, so even if ransomware deletes or encrypts files in that mounted, read-write copy, the underlying immutable snapshot is unaffected and remains available for recovery. Cohesity, for example, offers a “DataLock” policy that can be applied to selected protection jobs to achieve a higher order of immutability, where not even security officers or administrators can modify or delete the locked data until its retention period expires. It is crucial, however, to review your vendor’s level of immutability: some add it later, like icing on a cake, while others, including Cohesity, bake immutability in by design. Two checks worth making are whether a compromised administrator credential can shorten a retention period or delete a locked snapshot, and whether the underlying storage can be reached by any path that bypasses the lock.
A third technology measure, or mandate, is multi-factor authentication. It should be applied across the technology stack, whether an end-user employee is logging into email, the company intranet, an internal hub or a file system, or an operator is accessing backup data, and it matters most on the backup management console itself, where a single stolen password could otherwise be used to delete the very copies meant for recovery. Strong passwords with multiple criteria help, but they offer no guaranteed protection against phishing, credential leaks and password reuse, which is why a second factor is the most effective mitigation for those attacks; phishing-resistant factors such as hardware security keys are preferable to one-time codes, which a real-time phishing proxy can relay.
Encryption is the fourth area for consideration in technology adoption and insurance mandates: backed-up data should always be encrypted both at rest and in transit over the network, using AES-256. Cohesity customers benefit from encryption in flight when data is replicated to another Cohesity cluster and when it is tiered or archived to the cloud from the Cohesity platform. The flip side of encryption, and the other consideration the right data management platform supports, is detecting encryption that the backup system did not perform. Data ingested into a backup solution is normally compressed and de-duplicated, and the resulting ratios are stable from one run to the next. Ransomware-encrypted data neither compresses nor de-duplicates, so a sudden drop in those ratios, or a jump in the entropy (randomness) of the stored data, is a red flag for a malicious act: a typical signature of ransomware. The right data management technology detects such a change and notifies the key stakeholders in the IT and security teams via multi-channel alerts, including mobile, email, the UI and the API.
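The following is an added illustration, not Cohesity code: a toy Python model of a retention-locked (WORM) snapshot store that shows the property the paragraph describes. The names SnapshotStore, Snapshot and ImmutabilityError, the lock semantics and the sample file contents are all hypothetical. A locked snapshot can be read and cloned, the clone can be scrambled, but the snapshot itself cannot be overwritten, deleted by any role (admin included), or have its lock shortened until the lock expires.

```python
"""Toy model of a retention-locked (WORM) backup snapshot store.

Added illustration, not Cohesity code: the names SnapshotStore, Snapshot,
ImmutabilityError and the lock semantics are hypothetical.
"""
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass, field


class ImmutabilityError(PermissionError):
    """Raised when an operation would violate a retention lock."""


@dataclass
class Snapshot:
    name: str
    blocks: tuple[bytes, ...]      # content blocks; bytes objects cannot be edited
    locked_until: float            # epoch seconds; the "DataLock" expiry
    digest: str = field(init=False)

    def __post_init__(self) -> None:
        self.digest = self._hash()

    def _hash(self) -> str:
        h = hashlib.sha256()
        for b in self.blocks:
            h.update(b)
        return h.hexdigest()

    def verify(self) -> bool:
        """Re-hash the stored blocks and compare with the digest taken at creation."""
        return self._hash() == self.digest


class SnapshotStore:
    def __init__(self, clock=time.time) -> None:
        self._snaps: dict[str, Snapshot] = {}
        self._clock = clock            # injectable so the demo can advance time

    def create(self, name: str, blocks, lock_days: int) -> Snapshot:
        if name in self._snaps:        # write-once: an existing snapshot is never overwritten
            raise ImmutabilityError(f"{name} already exists")
        snap = Snapshot(name, tuple(bytes(b) for b in blocks),
                        self._clock() + lock_days * 86400)
        self._snaps[name] = snap
        return snap

    def clone(self, name: str) -> list[bytearray]:
        """Writable copy for restores and tests; edits never reach the snapshot."""
        return [bytearray(b) for b in self._snaps[name].blocks]

    def delete(self, name: str, actor_role: str) -> None:
        snap = self._snaps[name]
        # No role bypass: the lock, not the caller's privilege, decides.
        if self._clock() < snap.locked_until:
            raise ImmutabilityError(f"{name} is locked; {actor_role} cannot delete it")
        del self._snaps[name]

    def set_lock(self, name: str, new_until: float) -> None:
        snap = self._snaps[name]
        if new_until < snap.locked_until:
            raise ImmutabilityError("retention can be extended, never shortened")
        snap.locked_until = new_until


def demo() -> dict:
    """Walk through an attack on the store and return what was observed."""
    now = [1_700_000_000.0]                     # controllable clock (constructed)
    store = SnapshotStore(clock=lambda: now[0])
    snap = store.create("fileserver-2021-09-01",
                        [b"payroll.xlsx contents", b"contracts.pdf contents"],
                        lock_days=30)

    # Ransomware reaches a mounted, read-write clone and scrambles it.
    clone = store.clone(snap.name)
    for blk in clone:
        for i in range(len(blk)):
            blk[i] ^= 0xAA
    seen = {"clone_tampered": clone[0] != snap.blocks[0],
            "snapshot_intact": snap.verify()}

    # Deletion is refused for every role while the lock holds.
    for role in ("backup-operator", "security-officer", "admin"):
        try:
            store.delete(snap.name, actor_role=role)
            seen[f"delete_as_{role}"] = "allowed"
        except ImmutabilityError:
            seen[f"delete_as_{role}"] = "refused"

    # An attacker holding admin rights tries to cut the 30-day lock to one day.
    try:
        store.set_lock(snap.name, now[0] + 86400)
        seen["shorten_lock"] = "allowed"
    except ImmutabilityError:
        seen["shorten_lock"] = "refused"

    now[0] += 31 * 86400                        # retention period elapses
    store.delete(snap.name, actor_role="admin")
    seen["delete_after_expiry"] = "allowed"
    return seen


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two operations a real product must refuse are the ones the demo exercises last: deleting a locked snapshot under an administrative identity, and shortening its retention. A vendor whose lock can be relaxed by the same console credentials an attacker has just stolen offers immutability in name only.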
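The following is an added example of the entropy and compressibility check described above; it is not Cohesity’s detection logic. The sample files, the toy SHA-256 keystream that stands in for the attacker’s encryption, and the thresholds HIGH_ENTROPY, NO_COMPRESSION and MASS_CHANGE are all constructed for this illustration. It also covers the edge case the paragraph implies: content that is already dense (a JPEG or ZIP) cannot be judged by entropy alone, so the fraction of files that changed at all in one run is kept as a second signal.

```python
"""Entropy and compressibility check over backup ingest.

Added example, not Cohesity's detection logic. Sample data, the toy
keystream and the thresholds are constructed for illustration.
"""
import hashlib
import math
import zlib
from collections import Counter
from typing import NamedTuple

HIGH_ENTROPY = 7.8     # bits per byte; random or encrypted data sits near 8.0
NO_COMPRESSION = 0.95  # compressed_size / raw_size; encrypted data is about 1.0
MASS_CHANGE = 0.5      # fraction of files changed in one run that is suspicious


class Profile(NamedTuple):
    entropy: float
    ratio: float


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant file, ~8.0 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes) -> Profile:
    """What a dedup/compression engine sees on ingest: entropy and zlib ratio."""
    ratio = len(zlib.compress(data, 6)) / len(data) if data else 0.0
    return Profile(shannon_entropy(data), ratio)


def looks_encrypted(p: Profile) -> bool:
    return p.entropy >= HIGH_ENTROPY and p.ratio >= NO_COMPRESSION


def analyse_run(baseline: dict, current: dict) -> dict:
    """Compare this backup run against the last known-good content per file.

    A file is flagged when it now looks encrypted but did not before. Files that
    were already dense (JPEG, ZIP, ...) cannot be judged by entropy alone, so the
    fraction of files whose content changed at all is reported as a second signal.
    """
    files, changed = {}, 0
    for name, data in current.items():
        before, after = profile(baseline[name]), profile(data)
        if hashlib.sha256(data).digest() != hashlib.sha256(baseline[name]).digest():
            changed += 1
        files[name] = {
            "entropy_before": round(before.entropy, 2),
            "entropy_after": round(after.entropy, 2),
            "ratio_before": round(before.ratio, 2),
            "ratio_after": round(after.ratio, 2),
            "flag": looks_encrypted(after) and not looks_encrypted(before),
        }
    frac = changed / len(current)
    return {"files": files, "changed_fraction": frac,
            "alert": any(f["flag"] for f in files.values()) or frac >= MASS_CHANGE}


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); stands in for ransomware."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample data: a compressible CSV and an already-dense "photo".
GOOD_RUN = {
    "payroll.csv": b"".join(f"{i:05d},employee{i % 50},{1000 + i % 7 * 100}.00\n".encode()
                            for i in range(1500)),
    "photo.jpg": xor_keystream(bytes(20_000), b"photo-seed"),  # random-looking bytes
}
# The same files after ransomware has encrypted the source volume.
BAD_RUN = {name: xor_keystream(data, b"attacker-key") for name, data in GOOD_RUN.items()}


if __name__ == "__main__":
    for label, run in (("known-good run", GOOD_RUN), ("suspect run", BAD_RUN)):
        report = analyse_run(GOOD_RUN, run)
        print(f"{label}: alert={report['alert']} changed={report['changed_fraction']:.0%}")
        for name, f in report["files"].items():
            print(f"  {name}: entropy {f['entropy_before']}->{f['entropy_after']} "
                  f"ratio {f['ratio_before']}->{f['ratio_after']} flag={f['flag']}")
```

On the suspect run, payroll.csv is flagged because its entropy jumps from a few bits per byte to nearly 8 and it stops compressing, while photo.jpg is not flagged by the per-file rule because it was dense before the attack. The run still alerts, because every file changed in a single backup cycle, which is the dedup-ratio collapse the text describes. A production implementation would replace the zlib ratio with the platform’s own compression and dedup statistics and tune the thresholds per workload.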
As organisations continue to grapple with a threat landscape that grows daily, and ransomware proliferates to the point of striking somewhere every few seconds, the right data management technology is paramount to organisations’ preventive efforts, and gives insurers an avenue to continue offering ransomware cover. Proactivity not only helps organisations protect their operations and critical data; it helps them keep the trust of customers and maintain revenue. Unfortunately, every organisation will face a ransomware attack at some point, so how it responds and gets back online must be the focus. The capabilities of best-in-class data management, such as immutable backups and encryption, combined with a 3-2-1 approach to backups and the implementation of multi-factor authentication, offer a path to a positive ransomware response and support business continuity.