Enterprises are accelerating their adoption of digitalisation and agile methodologies, dramatically changing their risk profiles. According to Gartner, many organisations continue to add layers of defence, which in turn increases the complexity of defending against the continued onslaught of increasingly advanced attacks.
The 2022 State of the Threat report from Secureworks noted that in 2022, ransomware, loaders, stealers, zero-day exploits, cyberwarfare and espionage just keep coming. What is just as troubling is that threat actors are growing in skill and stealth.
Alex Tilley, head of intelligence research for Asia-Pacific at Secureworks, observes that the cyber threat activities that occurred in 2021 continued to be active in 2022. He also acknowledged that threat actors are getting better and are more successful in penetrating networks.
“As an industry, we have not fixed the problem as it were. It is a case that ransomware is still a thing. We are seeing various families of malware coming back and disappearing. We are seeing a lot more attacks based on Internet-facing vulnerabilities,” he called out.
Getting right and wrong
Tilley says across the Asian region, including Australia, there is a lack of investment in security. This covers not just the financial investment but resources, including staff, to perform security-related tasks.
He cites the process of patching software as an example. “There is a lack of understanding that we need to invest some of that time in these less flashy tasks, such as log management and patching,” he countered.
On a more positive note, he says there is an acceptance that visibility is important.
“We cannot rely on security controls to be 100% complete and effective. We need to be able to see when something gets through. Visibility is something that people are investing in heavily now. I also think some of the more boring aspects of cybersecurity need to be invested in a bit heavier,” he commented.
Why ransomware is a CISO concern
In Proofpoint's Voice of the CISO survey and report, only 28% of CISOs surveyed ranked ransomware a concern, placing it in sixth place behind insider threat (31%), DDoS (30%), BEC (30%), cloud account compromise (30%) and malware (29%).
Despite this, Tilley believes that the CISO still has accountability for explaining why a ransomware attack happened.
“It falls on the CISO to make the decisions up front – to say this is the direction we are going to go in. Oftentimes those have been difficult conversations between the department heads, the executive teams and businesses about what's the most important part of the business.
“To have those discussions up front to decide how things are going to come back… it will not calm people down, because it is a terrible day, but it will help people at least understand how they are going to move forward.
Tilley says the board is looking to the CISO for guidance on how the organisation will progress towards recovery.
To pay or not to pay
Statista estimates that in 2022 71% of companies globally were affected by ransomware. Sophos estimates that 65% of surveyed Singaporean businesses were hit with ransomware attacks in 2021, up 25% from 2010.
The same report revealed that 48% of the organisations that had data encrypted paid the ransom to get their data back, even if they had other means of data recovery, such as backups.
So, should you pay a ransom? Tilley is of the opinion that it comes down to each business making its own decision, based on its own set of circumstances.
“What we would hope is that a business has done the preparedness steps upfront so that they don't have to pay. They can move directly to recovery,” he continued.
He stressed that “just because you pay (the ransom), it doesn't mean that the problem is fixed overnight. It takes time. Even if you pay (the ransom) it still potentially takes weeks to get back to full functionality, if you ever can.”
“You can find yourself in a situation where you pay, and you get the keys, but you're still offline for weeks because it's hard to deploy the keys to get the data decrypted,” cautioned Tilley.
He reiterated that paying the ransom is no magic bullet. It will not necessarily fix the problem.
Insurance is not the answer
MarketsandMarkets forecasts the global cybersecurity insurance market to reach US$11.9 billion in 2022 and US$29.2 billion by 2027. In Asia-Pacific, growth will come from the rising demand for cybersecurity solutions and cyber insurance in the region.
But getting insurance to cover one’s cybersecurity vulnerabilities and mishaps is no longer as easy as calling your agent. Marsh’s The State of Cyber Resilience – Asia and Global Insights revealed that insurers are mandating that companies implement cybersecurity risk controls as a requirement for insurance programs.
Tilley says insurers have learned their lesson from earlier vendors in providing cyber insurance. He opined that insurers discovered they must pay out a lot more than previously thought. When considering cyber insurance coverage, he adds, companies need to check with their insurance company what the coverage will pay out for.
He cautions things may have changed in the last five years.
“You might not notice that update in terms of service, so I think definitely one thing people can do straightaway is, a contract that your insurance and see what you're covered for,” he cautioned.
Recommendations to help CISOs in 2023
For Tilley, the key is preparedness. He believes that CISOs need to get on with discussions and have the planning done before the bad day happens.
“Don't wait until the bad day and then try and make decisions then. I think spend the time now, and deploy some resources now, to help the business understand where they are going to sit and how they are going to respond to, not just a ransomware event but a straight-up hacking event, or a data breach event or something of that ilk.”
“Having that time spent now, to make those decisions and have that preparedness chat, will save a lot of hassle down the line,” concluded Tilley.