The Continuing Saga
Even someone with a passing acquaintance of cyber security will be aware of the dramatic surge in ransomware over the past couple of years. Add to this the recent trend in the ransomware space: the two-pronged attack. Not only is data encrypted and a ransom demanded on the promise of decryption, but the data is often also exfiltrated. Stolen data acts as leverage for a second ransom demand, failing payment of which, data may be released into the public domain.
Whereas previously, a company might not been able to avoid payment of a ransom demand due to ability to recover data from back-ups, more organisations are being forced to confront the reality of paying a ransom to avoid the compromising publication of exfiltrated data.
The Risk to Small Business
Global headlines are peppered with stories of hacks, data breaches or ransomware attacks impacting large organisations. This creates the false impression that small firms are less at risk.
When large organisations like eBay, British Airways or Equifax suffer cyber breaches, the news quickly spreads around the world. This is understandable, of course, since such attacks can potentially affect the data of millions of individuals worldwide.
But our news feed doesn't highlight the story of the local accountant, unable to use her computer system for a week due to a destructive malware attack, nor the practitioner whose client details are being held to ransom. The fact that these attacks are largely out of public view and not reported in the mainstream media doesn't mean they're not happening.
Cyber-criminals often see smaller businesses as easier targets since they may have fewer resources to invest in IT security or top line cyber-security training for staff.
Supply Chain Collateral Damage
Businesses don't even need to be the “target” to be hit by a cyber-attack. The NotPetya malware affected thousands of computers worldwide in 2017 and while crippling multinational companies, the collateral damage to SMEs was indiscriminate. As one of the fastest propagating pieces of malware seen at the time, within hours of its first appearance NotPetya had spread to countless SME systems around the world.
We know that the fall-out from compromised supply chains does not differentiate between multinational companies and SMEs; the more recent attacks on supply chains (SolarWinds, Accellion, Microsoft Exchange) are further evidence.
In early 2019, an accounting firm in the UK was hit by ransomware which caused its data to become encrypted. The firm had been running a local back-up on a hard drive which had also become encrypted so access to client files was out of reach. The business received a demand for £2m in exchange for the decryption key and was threatened that in the event of the ransom not being met, some files would be destroyed, and others would be released into the public domain.
The business had a cyber insurance policy in place and as such, had immediate access to IT forensic consultants, public relations and crisis management specialists. Legal advisers were also appointed, guiding the management team through the process, identifying the extent of any privacy breach and analysing whether notifications to the ICO were necessary.
These costs were met under the breach event cost provisions of the policy (subject to payment of the excess). The firm decided to pay a reduced ransom (negotiated via a third-party consultant familiar with the particular cyber-gang) and as it had extortion cover within its policy, that cost was also met. After payment of the ransom, the business was provided with access to most of its files 9 days after the initial incident with the balance released 4 days later.
Stakes are high, with the potential for loss of income and reputational damage, as well as liability to third parties, particularly in relation to compromised customer data and ensuing UK GDPR implications. Factoring in additional expenses such as regulatory compliance, legal fees, technical investigations and loss of customer relationships, ancillary costs associated with cyber-attacks can quickly compound for a small business.
A market-leading standalone cyber policy will respond to the insured's own costs in managing a cyber-attack (including business interruption losses, and damage caused through reputational harm). A policy will also extend to coverage for ensuing third party liabilities. While regulatory fines are typically covered only to the extent insurable by law, investigation costs associated with dealing with such bodies will typically be covered.
How to Protect Your Business
- Appoint individuals with clear responsibility for cyber security and develop a clear plan of reporting through to the board/management.
- Invest in an Incident Response Plan and a Business Continuity Plan.
- Consider the transfer of risk to a market-leading cyber insurer.
- Invest in vulnerability assessments, including penetration testing.
- Ensure additional procedures are put in place to counter increased network weaknesses involved in having a remote workforce, including MFA, the operation of remote desktops or VPNs, separation of employee and work data, safe use of portable devices, limited use of public wi-fi, security controls for video-conferencing etc.
- Install software updates, especially critical updates on a regular and prioritised basis.
- Back-up data to secure platforms, preferably off-line. Generate multiple back-ups.
- Invest in employee education, including the publication and distribution of policies and procedures covering phishing, transfer of funds, information security etc.
- Operate a “safe” work environment where employees feel comfortable sharing information regarding possible compromised security.
In part 2 we will explore: the Ransomware Aftermath (incident response procedure, legality/morality of paying ransoms, whether cryptocurrencies promote ransomware).