Ransomware Attacks Are Testing Resolve of Cities Across America

I read this article in the New York Times with interest, because I am an information security auditor by trade, and we have been educating companies and regulators about the dangers of Ransomware for what seems like forever, but has probably only been four of five years now.

The part of the article I found most interesting, because I have worked in and for the insurance industry for the past twenty years, relates to cyberinsurance:

Fearing the worst, cities like Lake City, Fla., have bought cyberinsurance, and an insurer paid most of its ransom this summer. But some experts think that is only worsening the problem. “We see some evidence that there is specific targeting of organizations that have insurance,” said Kimberly Goody, a manager of financial crimes analysis for FireEye, a major cybersecurity firm, which says it has responded to twice as many ransomware attacks this year compared with 2018.

I have two main observations about this section:

First, it is galling that the typical fix for ransomware attacks is to pay the ransom, and rely on the good faith of the bad actor who locked away all the data to actually restore the encrypted data.

Second, that attackers are targeting companies that have done the fiscally responsible thing and obtained cyberinsurance to mitigate their ransomware risks is a perverse form of adverse selection. I am sure the cyberinsurance industry is working out ways to incentivize their customers to reduce their ransomware risks, because that is what insurance companies do, but organizational inertia and lack of funding will make it difficult and time-consuming to succeed.

Ideally, companies and municipalities would keep their systems up to date through regular software packaging and hardware upgrades, and would inventory and back up their data, so that ransomware attacks would be less likely to succeed, and so that data could be restored without paying the ransom. Organizations could also reduce their attack surface in other ways, such as replacing Microsoft Windows with ChromeOS for classes of workers, such as call center workers, whose job functions do not require Microsoft Windows. ChromeOS is less likely to be attacked than Microsoft Windows, and its use would encourage centralized data storage and software, which are easier to keep up-to-date and secure.

Beyond hardware and software upgrades, organizations need to train their employees to recognize social engineering attacks, as that is the number one or two attack vector every year. Having gone through that training every year for many years, and having been tested at random by a program at my company, I have learned that social engineering attacks can be almost impossible to discern from legitimate emails and instant messages. I think that no amount of social engineering training is going to be more than 80% effective at preventing phishing and/or ransomware attacks, but 80% is a good start.

The main reason organizations do not put these controls and practices into place is money. The second is organizational inertia. Both can be solved, but only through additional resources and external pressure. As citizens and as customers, we have to demand that the organizations, both public and private, that we interact with, protect their data and our data sufficiently.