Out-Law / Your Daily Need-To-Know

Out-Law Analysis 4 min. read

Businesses must prepare for expected rise in ransomware attacks, say experts

FOCUS: Businesses must prepare themselves for an expected surge in the number of so-called 'ransomware' attacks.

Ransomware is a type of cyber attack that sees hackers install malicious software on to computer systems that prevent businesses carrying out everyday operations or accessing data or other assets. Businesses are prompted to make a payment to the hackers to bring about an end to the attack.

According to insurance market businesses Hiscox and Advisen businesses are, on average, asked to pay $10,000 to restore assets and systems targeted in ransomware attacks.

The companies have predicted that the number of ransomware attacks will increase by 300% this year compared to 2015. They noted that there have been 2,500 complaints about ransomware attacks in the first half of 2016 compared to 830 in the same period in 2015. More than a third of companies affected by ransomware (36%) suffer corporate loss of business income or services, they said.

Recent research (7-page / 545KB PDF) by IT security company Trend Micro revealed widespread acknowledgement of the threat of ransomware among UK companies. However, its August survey of 305 IT decision makers at UK organisations employing more than 1,000 people found that a fifth of respondents are "unsure how the malware actually works" and a further 11% have never heard of ransomware.

According to Trend Micro, the survey revealed that 69% of UK businesses expect to be the subject of a ransomware attack in the next year, with companies previously targeted by ransomware particularly fearful of a repeat attack.

In September Trend Micro said that 44% of UK businesses have been targeted by ransomware attacks in the past two years. At the time it said 65% of businesses confronted by such attacks end up paying the ransom, but that fewer than half of businesses that do pay a ransom never got their data returned to them. It is unclear from the Trend Micro report whether those businesses did get some but not all of their data returned.

The increasing connectivity of 'things' serves to increase the cyber risks businesses face. New vulnerabilities across the 'internet of things' will only provide further opportunities for hackers to initiate ransomware attacks.

With this in mind, it is imperative that businesses take action to prepare themselves for such attacks and minimise the risk they face. Trend Micro research indicates that some businesses have already got the message. However, it has also identified shortcomings in the approach taken by others.

Businesses must adopt a robust policy for backing up data. Businesses should aim to have recent back-ups in place, but should note the risk that back-up copies can also be overwritten with ransomware which can make recovery of the information impossible when the malware takes hold.

Some ransomware is able to encrypt mapped drives. To mitigate this risk, businesses should consider segregating their back-up copies from their main systems.

Trend Micro said that 97% of UK businesses "employ automated back-up and recovery of their critical files" and that 86% "keep an offline copy of the back-up file". However, its study found that many businesses do not keep recent back-up records – it said 41% of companies told it that they last backed-up their critical files more than two years ago.

Staff training on the risks posed by ransomware, and cyber attacks more generally, is also important to help raise awareness of the threats posed and what action to take when sent a suspicious email or attachment.

However, Trend Micro said its survey had revealed that a third of UK businesses "do not have a program to educate employees on the hazards and prevention of phishing attacks".

Technical security measures are also important. Businesses should deploy firewalls, anti-virus software and web-filtering measures to the extent they can afford. Businesses should also install security updates when prompted to do so and ensure that only staff that need such privileges have controls enabled to install new programs or access critical files.

The Trend Micro survey, however, showed that organisations face a challenge with the use of shadow IT by staff, which makes it difficult to mitigate cyber risk. Trend Micro said that nearly a third of UK IT decision makers do not "feel they have full control over the applications their users install on their devices".

The growing cyber threat and forthcoming new EU cybersecurity and data protection laws are set to provide a boost to the cyber insurance market. Businesses should consider taking out specific cover for cyber risk and allow them to transfer risks and potential costs from ransomware attacks to others.

Scenario planning is also increasingly important. Having a cyber incident response plan in place, which is tested regularly, can help businesses prepare for cyber attacks, including those involving ransomware.

An incident response plan will involve identifying go-to people inside the business, such as IT and PR staff, as well as external experts, such as legal advisers and forensic IT specialists, who will act in accordance with set procedures and protocols when a cyber attack hits. Each individual or agency will have different responsibilities, such as reporting data breaches internally or externally as may be required, taking steps to close any vulnerability, and gathering evidence on who may be behind the breach.

According to Trend Micro, 77% of UK businesses have created an incident response plan. However, it said that up to a third of UK businesses may not have tested those plans.

Being targeted by hackers is now almost inevitable for all businesses. Being cyber ready is therefore necessary to reduce risks such as regulatory fines and reputational damage that could stem from ransomware attacks.

Ian Birdsey and Philip Kemp are cyber risk experts at Pinsent Masons, the law firm behind Out-Law.com

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.