In 2021, we observed a resurgence of enterprise ransomware with a shift towards larger organizations. By attacking enterprises with a larger reach, threat actors are looking to increase their financial gains without increasing their effort. The rise of ransomware attacks on supply chains and third parties is resulting in ‘one-to-many’ compromise.
On average, enterprises have approximately 5800 vendors they depend on for business functionality, and 20% of these pose a high risk. Since third-party (and fourth-party) cybersecurity is often not up to the mark, and businesses lack real-time visibility of the cyber risk their third parties pose, cybercriminals are targeting third-party vendors to breach multiple larger organizations simultaneously. Examples of such tactics include the SolarWinds attack, which will reportedly cause a cumulative loss of over $100 billion.
In 2022, ransomware is evolving: sensitive credentials will be stolen and leaked without any waiting period, customers’ data will be exposed, and customers will be threatened directly. Reactive techniques and reliance on data backups alone will therefore not be enough. Organizations will have to prepare proactively for ransomware attacks and have dedicated playbooks in place to manage and mitigate them.
Proactive Cybersecurity through Cyber Insurance
With the costs of managing and mitigating cyber risk rising (from the first half of 2020 to the first half of 2021, the average ransom demand increased by 170%), businesses are looking to ‘transfer’ their cyber risk through insurance. Last year alone, claims frequency rose by 46% for IT, 53% for professional services, and 263% for industrials, according to a report by Coalition.
Cyber insurance plays a significant role in driving proactive cybersecurity initiatives. Just as auto insurers decline to cover risky drivers, cyber insurers are likely to reject coverage if businesses do not meet a certain standard of cybersecurity. A deliberate shift by both parties to adopt a standardized means of measuring, managing, and mitigating cyber risk in real time through breach-likelihood prediction will benefit both sides: it will give cyber insurance providers a dynamic view of who they are covering and the risk they are underwriting. Given the number of moving parts in a business that can be targeted to initiate a ransomware attack, including people, third parties, technology, and cybersecurity products, cyber risk quantification can be a game-changer for insurers and businesses alike.
Managing ransomware proactively
Firstly, an organization should define the financial risk it faces as a result of ransomware attacks; this varies with the geography, industry, and size of the business. Once it has calculated this value, it must build a strategy to accept, reduce, or transfer the risk.
If the potential damage is within acceptable limits, the business should focus its efforts on other facets of its cybersecurity strategy. To reduce the financial impact, it can either purchase cybersecurity products/services to improve its cyber risk posture or patch identified vulnerabilities. The problem is that today’s dynamic and digitally native businesses run 40-50 cybersecurity products/services, each with its own dashboard, warnings, and priorities. Cybersecurity teams are often overwhelmed and miss important SOC alerts that could warn of an impending ransomware attack. Businesses should understand that more cybersecurity products do not mean better security. A shift in mindset will enable businesses to move towards a predictive approach in which signals from the various cybersecurity services are unified and integrated in real time, using ML-enabled risk assessment techniques to quantify the cyber risk posture across all vectors (people, processes, and technology, for both first- and third-party). A single-dashboard approach that helps businesses measure, manage, and mitigate threats such as ransomware gives CISOs and security teams a proactive view of what is going right and what can be improved, together with a contextual understanding of the direct financial impact of every cybersecurity initiative undertaken to reduce the risk.
Lastly, part of the cyber risk can be transferred via cyber insurance, and in 2022 we will see a rise in mandatory cyber insurance that establishes a baseline level of protection, especially for businesses in critical sectors such as FinServ, Healthcare, Power, etc. No organization can be 100% secure, but it can be 100% prepared. Cyber risk quantification makes cybersecurity simple, de-jargoned, and contextual by improving visibility of cyber risk.