United Kingdom

Mitigating the risk of ransomware

At a live webinar, Time for defence in depth: mitigating the risk of ransomware, held on the 27 September, 2021, Aon cyber specialists together with investigative journalist Geoff White, considered how the ransomware risk has evolved, the impact of this evolution on the insurance market, and how businesses should be looking to help build their resilience to both avoid and mitigate attacks, and work to improve their route to insurability.

“If you’ve got good back-ups, then a ransomware attack is survivable.” That has been the common perception for many businesses who thought back-ups were a cast iron way to deal with ransomware, said investigative journalist, author, broadcaster and technology specialist Geoff White, who claims this approach underplays several aspects. “Even if you have good backups the effort to reinstall those backups is something no organisation can go into lightly. And if you have a high volume of business, reinstalling those backups while running your business is difficult.”

Then there is the reality that the launch of the actual ransomware is often the last thing hackers do. “The bigger issue starts further up the chain when the intrusion happened that allowed the ransomware to be installed. The problem for the organisation is that if you’re installing from backups that were taken before the intrusion, then you’re not seeing the stuff that took place after the intrusion, so how can you be sure what happened to your data prior to the ransom attack? Ransomware is simply a red alert at the tail end of something that could have been caught very much earlier on,” warned White.

It reflects the evolution of ransomware over the last two years with a shift to a model where hackers break in, steal data, and drop the ransomware, then use the threat of leaking the stolen data as a “stiffener” to encourage people to pay the ransom. “We should start to distinguish between attacks that are hackers encrypting your data and charging you a ransom,” said White, “and extortion attacks where the hacker steals your data and then charges you a ransom to not leak your data – those are often two separate things.”

Supply chain a target

Another key change in ransomware has been the move by hackers to target the supply chain said White, with nation states often the culprits. “The problem you have is they have more time, more money and are often smarter and more disciplined. The SolarWinds attack has been attributed by various security researchers to computer hackers working on behalf of the Russian government.” And there are plenty of supply chain targets to go after with the added problem that many of these targets are often unknown to the general public. “It gets harder to make an issue of it when the targets are more obscure. The public aren’t going to engage with it in the same way as if, say, British Airways was hacked. This translates into less political pressure and less law enforcement pressure.” But there is a huge impact that these supply chain incidents can have such as the 2019 ransomware attack on a Colorado-based information technology provider, CTS that led to disruption for hundreds of US independent dental practices.

Insurers becoming more selective

Ransomware Attacks are disproportionately impacting SMEs and mid-market companies, said Mark Brannigan – UK Head of Aon Cyber Solutions, with the severity and resulting costs of attacks increasing. “There is a lot of press coverage around the size of the ransom, but the actual costs of recovering from a ransom attack are far greater than the ransom payment itself.” This has resulted in increased insurer scrutiny around what controls businesses have in place to reduce the severity and likelihood of these events happening. “Insurers are becoming much more selective, and much more detailed in the questions they are asking. A common example is if an organisation doesn’t have a robust reason for not having controls like multi-factor authentication in place, then getting insurance cover is increasingly difficult,” warned Brannigan.

Businesses lacking in cyber resilience

It is a mistake however to rely purely on insurance – valuable as it is – for protection against ransomware added Richard Hanlon, EMEA Chief Commercial Officer, Aon Cyber Solutions, who sees it as one key weapon in the armoury. “Yes, it will help you recover from a ransomware attack, but the real work is in identifying, protecting and detecting the threat up front.” And it’s apparent that many businesses don’t yet have the level of cyber resilience that they need. Aon’s 2021 Cyber Security Risk Report showed that less than a third (31%) of businesses who completed Aon’s own risk assessments had adequate business resilience measures in place to deal with a ransomware attack.

This unpreparedness, said Hanlon, is due to several myths such as companies believing they are not a target because of their size or industry and, echoing White’s assertion, have an over reliance on backups. “Sophisticated attackers are more interested in seizing personally identifiable information and customer information rather than only taking control of your network or damaging the data. The fact that you can restore backups may help with business interruption but it does not negate the fact that the data has been stolen.” There is also an over reliance on technology providing the answer. “Security software only provides adequate protection from ransomware attacks,” said Hanlon. “It is critical but it is not enough on its own.”

Assess, mitigate and transfer: the route to insurability

For businesses looking to help build their resilience to ransomware, avoid and mitigate attacks, and improve their ability to buy competitive cyber insurance cover, Hanlon recommends the use of a framework like the NIST Cyber Security Framework, which offers, “standards, guidelines and best practices to manage cybersecurity risk.….and gives tangible and practical recommendations that you can use to mitigate that risk,” as part of an adoption of a three phased approach of assessment, mitigation and transfer. The assessment phase can include access to Aon’s risk assessment methodology – CyQu* – which helps reveal vulnerabilities related to cyber security. “Aon will also provide a vulnerability scan into your network,” said Hanlon, “which together with the CyQu assessment provides an opportunity for you to sit down with our cyber security professionals to understand your red flags and look at measures and controls to mitigate the risk.” Aon also publishes a Recommended Practices for Ransomware Defence which can be used to help assess resilience, said Hanlon, and go through defence measures to be implemented in the mitigate phase.

Once these two phases have been completed, businesses can then use the results and information they have to look at risk transfer options, but they must have the controls in place to not only reduce their risk, but make them an attractive risk for insurers to take on.

It’s about having a holistic approach explained Hanlon. “Make sure that internally you’re having the conversation between risk management, finance and IT. Bring everyone together and help your IT colleagues understand that what they’re doing is defending the network from attack, but they’re also creating insurability of risk.”

Aon’s Ransomware Defence Bundle* offers a new solution to help mitigate vulnerabilities and strengthen the controls needed to manage the risk of ransomware, improve the route to insurability, and stay ahead of attackers. Click for more details.

Aon UK Limited is authorised and regulates by the Financial Conduct Authority in respect of insurance distribution services. FPNAT566.

*The following products or services are not regulated by the Financial Conduct Authority:

  • Cyber risk services provided by Aon UK Limited and its affiliates
  • Cyber security services provided by Stroz Friedberg Limited and its affiliates

Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. No one should act on any information contained in this article without appropriate professional advice after a thorough examination of the particular situation. In any case any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to 11/10/21.

© Copyright Aon UK Limited 2021. All rights reserved.

No part of this article may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.