Why resilience is the only long-term answer to ransomware

By JP Cavanna, Director of Cyber Security, Six Degrees

Back in July, the UK government announced its intention to ban ransomware payments for all public sector bodies, including local government, as well as for owners and operators of critical national infrastructure. Going forward, private sector organisations will also have to inform the UK government of any ransom they intend to pay in the event of a cyber-attack.

Described in the media at the time as a “bold step” and a “strategic win”, the move is one that many feel is long overdue, especially given that these organisations have become such frequent targets of “spray-and-pray” ransomware campaigns. From a policy perspective, clearly, something had to give.

While the long-term impact and value of the ban remains to be seen, it has already highlighted just how many organisations still lack the resilience and preparedness needed to withstand a ransomware attack.

The realities of resilience

Consider the overall situation faced by the public sector. Clearly, the ban is right in principle – the government doesn’t pay ransoms to hostage-takers and other methods of extortion, so at the very least, the new policy is a logical alignment. The problem here, however, is that the public sector is least equipped to cope with the practicalities associated with outlawing payments to (hopefully) get systems running again.

The problem isn’t one of awareness; CISOs across the public sector know exactly what needs to be done, but they lack the budget, personnel, and time to do it. In particular, a great many public sector departments, and particularly the NHS, still depend heavily on legacy infrastructure, including software products that their vendors no longer support. This technical debt is the result of chronic underfunding by successive governments and is a situation that plays into the hands of threat actors who look for weak links in security to deliver malicious payloads.

Even when patching is possible, updating large, complex environments is slow and risky, sometimes causing service interruptions. In these circumstances, unless additional government funding and support are forthcoming, many will struggle to address their underlying resilience challenges, making ransomware breaches more likely.

Generally speaking, the private sector faces different pressures, especially around how the ransomware payment ban will impact cyber insurance. Once ransom payments are outlawed or excluded from cover, insurers are likely to redefine their products to focus on forensics, legal, PR, and recovery support. This complicates the picture for organisations that might otherwise have relied on their insurer.

In addition, resilience, or the lack of it, extends way beyond the potential cost of paying a ransom. The recent experiences at Marks & Spencer, the Co-Op and Jaguar Land Rover (JLR) illustrate the point, where post-attack losses (around £300 million in the case of M&S) offer proof that resilience failures, not just ransom costs, carry the heaviest price. For JLR, the situation became so acute that the government stepped in to underwrite a £1.5bn loan guarantee to help the business recover from its prolonged shutdown.

The underlying point here is that across the entire economy, organisations must abandon the fallacy of impregnability and redouble their efforts to dramatically improve resilience and recovery.

People, processes and technology

With ransom payments off the table, every organisation needs to know, in detail, how effectively it can withstand, respond to, and recover from an attack. At a high level, this can be broken down into three core components: people, processes, and technology.

Taking people first: human error remains the dominant factor in whether security breaches occur or not. Yes, technology has a big role in minimising the scope for mistakes, but like it or not, awareness training and education are what build security into organisational culture. At the same time, businesses should avoid the blame game because, although we all have the capacity to overlook a security risk, people are also the strongest line of defence.

Effective security behaviours go hand-in-hand with effective processes, and organisations should align their approach to recognised frameworks such as the NIST Cybersecurity Framework 2.0, the NCSC’s Cyber Assessment Framework, ISO 27001, and ISO 22301. This approach is at its most effective when supported by regular incident response and business continuity testing, to ensure that processes are robust enough to cope with cyber security risks when an emergency actually occurs. The most secure organisations also extend their resilience strategies to the wider supply chain, so that they understand supplier dependencies and do not leave themselves vulnerable to an external weak link.

Then there are the various technology priorities, which, from a resilience and recovery perspective, should include the use of immutable or air-gapped backups, especially since backups are an area that attackers often target first. Resilience is also about good housekeeping, particularly the use of disciplined patching regimes, even when legacy systems complicate updates.

From a security infrastructure perspective, managed detection and response services provide all-important real-time visibility and rapid containment capabilities that can limit the scope of a potential breach before it has gone too far. Bring all these elements together, and organisations can put themselves in a much stronger position to close the window of opportunity that threat actors have to mount a successful ransomware attack. With the option to pay removed, better resilience is the only logical way forward to meet the challenge head-on.
