In this blog series exploring details from Accenture’s 2019 “Cost of Cybercrime” report, I’ve looked at research findings for the financial services industry in general, and then homed in on banking and capital markets and on insurance in subsequent blogs.
Here, I’d like to explore some general themes coming out of the research—especially about how cybercrime is evolving and what companies can do to keep up.
One way to understand the changing face of cybercrime is to look at ransomware. Our research found that the number of these attacks is up 5% and that the days needed to resolve a ransomware incident are up 30%, to almost 34 days. What’s the cost of a 34-day business disruption while your data is being held ransom? Well, you do the math.
It’s easier to extort than to sell
These increases reflect new methods that cybercriminals are using to monetize the data they access through a breach. Traditionally, criminals would break in, steal some data, and then try to sell it to a third party online. Things didn’t always go well with that method, however. Buyers eventually became quite choosy about what data they were interested in—social security and credit card numbers mostly—and the buyer sometimes turned out to be an FBI agent.
What the criminals ultimately figured out is that data is most valuable to the person or organization that owns it. So, freeze the data and hold it hostage until system owners pay up. That new approach turned out to be a much easier way to monetize the stolen (ransomed) data. Companies are generally highly incented to pay for a fix because the ransomware disruption is costing them millions or even billions per day. (For more, see below, “The rise of ransomware.”)
The rise of ransomware
Ransomware incidents accelerated when criminals figured out that data is most valuable to the person or organization that owns it. Historically, ransomware has been distributed as malware in email attachments or from malicious online sites, sometimes reached through a malicious email. The ransomware would encrypt the computer on which it was run and demand a ransom in cryptocurrency. Those attacks are a nuisance to corporations but nothing more: the target machine is quarantined and rebuilt by the security organization.
Holding you hostage. The modern variant is much more costly and difficult to deal with. Criminals break into the IT systems through phishing emails, physical access to the network or vulnerabilities in the infrastructure. They execute an attack just as they would if the intention was to steal sensitive data. The attack can take weeks or months to stealthily execute. Once the criminal gang has sufficient access, they encrypt and hold hostage a vast amount of sensitive data together with the backup systems.
Should you pay? Many firms hold cyber insurance, which covers the cost of the ransom. However, paying the criminals compounds the issue, because ransoming data has become an extremely profitable business with billions of dollars in revenue. Furthermore, some criminal teams have specialized in producing multiple releases of ransomware code designed to evade the most sophisticated security protection solutions. They then sell the ransomware to other attackers.
Related risks and challenges
So, let’s say you’ve weighed all the factors—cost to restore your systems versus cost of continued business downtime—and have made the decision to pay the ransom. The problem is far from over. First, what assurance do you have that the cybercriminals will actually unlock your system after you pay? One report from 2018 found that only 26% of U.S. companies that paid a ransom had their files unlocked.
Whom are you paying? Second, how do you know whom you’re paying? What if the entity sitting behind the extortion attempt is Iran, or North Korea, or ISIS? The identity of the criminal may come out later in an FBI investigation, and then you could be in violation of laws pertaining to sanctions, anti-money laundering or terrorist financing. One recent development is a set of new laws being considered in places like New York State which would make it illegal for municipalities to pay ransoms. Under the proposed law, a fund would simultaneously be created to help victims recover quickly.
Scrubbing systems and backups. Finally, let’s say you’ve got your infrastructure running again. All is well, right? Not hardly. Now you need to go into all your systems and backups and scrub out every trace of the “bad guys.” That cost can easily run into millions.
You might be one of those lucky enough to have made an offsite backup copy, but those copies might be a week old, requiring a major effort to recover all business transactions made since that point.
How to protect yourself more effectively from ransomware attacks
In addition to exploring new technologies and defenses, companies should be working on modernizing their disaster recovery plans. Historically, disasters have usually referred to natural events, to power grid outages, or to things like political and social upheaval, but ransomware is something different. Are you prepared, for example, to bounce back quickly from a cyberattack that takes down your primary data center and its backup? That’s what we call “operational resilience,” and it’s going to be a massive focus for companies over the coming year.
Your backups need separate security solutions. The key investment therefore is the ability to recover your data without paying the ransom. That means backups should be in place with separate security solutions: an adversary who has compromised the primary systems should face a second, independent set of controls before reaching the backups, making it twice as hard to take down both. If the adversary cannot also bring down your backups, then there is much less incentive to hold you hostage. But improving every single backup system is costly, so financial services companies are prioritizing their investments in critical systems.
Hold disaster drills. An essential part of improving your defenses is to hold mock disaster drills: exercises that test whether you can recover against a determined adversary who’s holding you hostage. The key test here is whether the system can perform its business function after it is recovered. It is not enough just to perform simple tests that make sure a database can be recovered, or that files are copied to a backup.
Involve people from the business. Be sure to involve business people in the test and confirm that they can continue providing critical services to clients if the system is recovered. Not every system needs to be fully brought back up. Many companies plan manual work-arounds or test whether staff from other business locations can take over if disaster strikes.
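To make the distinction above concrete, here is an added Python drill harness (not code from the post or from Accenture) that checks a restored backup at two levels: the "simple test" that the backup is intact and readable, and the business-function test that a payments ledger actually replays correctly and is fresh enough to recover from. The ledger snapshot, its manifest hash and the one-day freshness policy are all constructed assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime

def fingerprint(snapshot):
    """Canonical SHA-256 of a snapshot, recorded at backup time and stored apart from it."""
    return hashlib.sha256(json.dumps(snapshot, sort_keys=True).encode()).hexdigest()

# Constructed sample backup of a tiny payments ledger (not real data).
SNAPSHOT = {
    "taken_at": "2019-06-01T02:00:00",
    "opening": {"A": 100, "B": 50},
    "transactions": [{"id": 1, "src": "A", "dst": "B", "amount": 25}],
    "balances": {"A": 75, "B": 75},
}
# Integrity record written when the backup was taken (constructed here).
MANIFEST_SHA256 = fingerprint(SNAPSHOT)

def restore_ok(snapshot, manifest_sha256):
    """The 'simple test': the restored backup is intact and readable."""
    return fingerprint(snapshot) == manifest_sha256

def ledger_consistent(snapshot):
    """Business-function test: replaying the transactions from the opening
    balances must reproduce the stored balances, as the payments service would."""
    replay = dict(snapshot["opening"])
    for tx in snapshot["transactions"]:
        replay[tx["src"]] -= tx["amount"]
        replay[tx["dst"]] += tx["amount"]
    return replay == snapshot["balances"]

def backup_age_days(snapshot, now_iso):
    """Whole days of transactions that would have to be re-entered after this restore."""
    taken = datetime.fromisoformat(snapshot["taken_at"])
    return (datetime.fromisoformat(now_iso) - taken).days

def run_drill(snapshot, manifest_sha256, now_iso, max_age_days=1):
    """Drill report: a backup that restores cleanly can still fail the drill if the
    business function does not work on it or it is too stale to recover from."""
    report = {
        "restore_ok": restore_ok(snapshot, manifest_sha256),
        "ledger_consistent": ledger_consistent(snapshot),
        "age_days": backup_age_days(snapshot, now_iso),
    }
    report["fresh"] = report["age_days"] <= max_age_days  # assumed one-day policy
    report["drill_passed"] = all(
        (report["restore_ok"], report["ledger_consistent"], report["fresh"]))
    return report
```

A week-old copy passes the restore check but fails the drill on freshness, and a backup taken after the data was already corrupted passes the restore check but fails the ledger replay.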
Conclusion: Balance your defense and recovery investments
The cybercrime environment is evolving rapidly as attacks become increasingly sophisticated. The number of attacks and breaches continues to grow. As a group, banks, capital market firms and insurers grapple with a per-firm average of $18.5 million annually to combat cybercrime, over 40 percent more than the average cost ($13 million per firm) across all industries surveyed. Ransomware has arisen as a serious threat and, already, the time needed to remediate a ransomware event is up an astounding 30%. In light of these developments, here are some last thoughts about actions to take.
Shore up employee vulnerabilities. Remember that ransomware largely targets human (employee) vulnerabilities, so focused training, followed by periodic reinforcement exercises, is essential. Our cybercrime study found that companies are underspending on the human layer of security compared to the application and network layers.
At Accenture, for example, our employees are periodically sent realistic-looking emails that are (fake) phishing or ransomware attacks. The proper response is to click the “Report Phishing” button. Those who continue to have trouble with these exercises are offered additional training opportunities to recognize threats to our network.
How resilient are you? Finally, remember that protection only takes you so far. Companies can take it as a given that they’ll suffer at some point from a serious security breach. The question then is about how quickly you can recover. How resilient are you? It’s important to balance investments across defense and recovery activities. It’s also important to remember that recovery investments are only useful if they are regularly tested and drilled.
About Accenture’s “Cost of Cybercrime” study
Accenture’s “Cost of Cybercrime” study, conducted by the Ponemon Institute, LLC on behalf of Accenture, analyzes a variety of costs associated with cyberattacks: damage to IT infrastructure, economic cyber espionage, business disruption, exfiltration of intellectual property and revenue losses. Data was collected from 2,647 interviews conducted over a seven-month period from a benchmark sample of 355 organizations in 11 countries. The financial services industry data was collected from 537 interviews from a benchmark sample of 72 financial services companies in Australia, Brazil, Canada, France, Germany, Italy, Japan, Singapore, Spain, the UK and the U.S.