In the past year alone, ransomware attackers have collected hundreds of millions of dollars from the companies they’ve attacked, and companies are realizing that these attacks represent a greater threat to them than traditional data breaches. Why? Because in traditional attacks, hackers ultimately harm consumers, not companies. But ransomware attacks hurt companies directly—which means they’re finally going to feel the need to get more serious about cybersecurity. The author offers a few recommendations for how to get started.
In early 2017, a data breach at the credit reporting agency Equifax resulted in the exposure of the private records of more than 40% of the American public. The breach occurred after Equifax neglected to patch a known vulnerability in their system, and it allowed hackers to access Social Security numbers, drivers’ licenses, addresses, dates of birth, financial records, and more. Equifax eventually reached a settlement with the United States Federal Trade Commission in 2019, but — as is so often the case with big data breaches — the settlement inflicted little real pain on the company. Individual consumers, meanwhile, paid a big price for the company’s inadequate security: their personal information was irreversibly exposed and disseminated.
In economics, this kind of situation is known as an externality, wherein an action by one party hurts another party, but that second party has no recourse. Regulators have often attempted to address this externality and lessen the burden it places on consumers, but they’ve had only limited success, largely because companies have seemed happy to settle cases after the fact if that means they don’t have to make significant up-front investments in improved security.
But meaningful changes are likely to come soon, and in ways that will benefit consumers in the long term. That’s because the leaders of companies that store valuable private information are being forced to defend their companies against the growing threat of ransomware attacks.
Ransomware attacks — launched by hackers who use malicious software to seize and block access to company computer systems until a lot of money is paid for their release — have been in the news a lot lately. In the past year alone, ransomware attackers collected nearly $350 million from such companies as Kaseya, the Colonial Pipeline, Microsoft Exchange, and JBS USA, a figure that represents a threefold increase from 2019.
What explains the increase? Some important factors include the increased use of remote networks and systems during the Covid-19 lockdown, and recent growth in the cryptocurrency sphere, which has made it easier for hackers to extract ransoms.
That said, it’s worth noting that ransomware attacks are no different from the typical security attacks that we’ve been reading about for years. There’s nothing novel about the technology they rely on. What is novel, though, is that they’re attacking companies rather than consumers, and that’s changing the economics of data security.
In a traditional data breach, such as the one suffered by Equifax, companies only suffer indirectly from the harms caused by their inadequate attention to security. That surely explains why, according to data from Experian, 35% of companies have not updated their security plans since they were first put in place. IBM has estimated that the average cost of a data breach in the United States is $8.64 million, a cost that is often hard for companies to recognize or account for. A breach may lead to a tarnished reputation and cause a company to lose some business, but those problems tend to be temporary — and the overall cost of such a breach will almost surely be too diffuse for management to make it a key area of focus. Ultimately, it’s a company’s customers who suffer the most from a traditional breach, because they’re the ones whose information gets exposed.
Ransomware attacks have changed the nature of the game by attacking companies rather than consumers. This change, which forces companies to pay a steep and direct price for lax security, means that managers at all sorts of companies are going to have to focus in a newly serious way on improving cybersecurity and protecting their networks.
If you’re a senior leader at a company that collects and uses customer data, here are a few basic steps you should take to make sure your company is protected against both ransomware attacks and traditional data breaches. Some of these steps are simple and inexpensive, and others are more involved and expensive. But they’re all the right thing to do, and they’ll benefit not only you, but also your customers.
Provide continuous training and reminders to employees about the threat of phishing attacks. Phishing has been around for a long time, of course, but it’s no longer primarily just a nuisance. Attackers are getting serious, and a lot of money is now at stake. Firms have to ensure that their employees understand the dangers and know how to recognize the warning signs. In-house phishing simulations — in which IT sends realistic-looking phishing emails to employees and then monitors their responses — can be very helpful, because they train employees to be vigilant, help IT understand system vulnerabilities, and allow firms to think in a targeted way about improving their cybersecurity.
Allow employees to download and use only the apps, software, and programs that are required for work. Employees often don’t like this, because it’s so convenient to be able to use work devices for personal purposes, but firms and IT departments need to tighten up their controls on this front. Most have been too lax about this for years. It’s also important for managers to take the time to explain the need for this policy to everybody. Many third-party tools are available that can be installed on company computers and allow administrators to control which applications employees can install.
Make it a priority to patch vulnerabilities and keep systems up to date. Hackers can only execute ransomware attacks if they can get into your network. So make that as hard as possible, by applying patches as quickly and as effectively as you can, and by updating systems as soon as new versions become available. Patch management has always been part of IT services, but in the face of new dangers, firms need to make it a higher priority.
Back up your firm’s data. If potential attackers know you have the ability to recover your information, then you become a much less promising target for a ransomware attack. Even if you can’t back up all of your data, you can reduce the chance of attack by signaling that you have much of your information backed up. This can be an expensive and time-consuming job. CIOs have to carefully evaluate what data to back up, how frequently, what type of media to use for backups, and the cost to restore it if and when a ransomware attack takes place.
None of these practices is new, but many firms — assuming that the costs outweigh the benefits — have yet to adopt them. But with the threat of costly ransomware attacks rising rapidly, the time to get serious has arrived.