Boardrooms 'underestimate' ransomware supply chain threat
It’s been five years since the WannaCry worm made headlines across the globe when, within a matter of days in May 2017, it had infected hundreds of thousands of computers in well over half the world’s nations.
Users of infected machines found they were locked out of their data and would have to pay a ransom of US$300 if they wanted to regain access. Some paid, some didn’t. It later emerged that those who paid didn’t necessarily get their data back. Criminals are under no obligation to deliver what they promise, a lesson industries worldwide learned the hard way.
Today, cyber attacks continue to present an ongoing, ever-changing threat to businesses across all sectors, says Mark Atwood, Global Research and Advisory leader with Gartner. He points to research from NCC Group’s Annual Threat Monitor report, which indicated ransomware attacks almost doubled in 2021, rising 92.7% on the previous year.
“Ransomware attacks and other types of cyberthreats can have, and have had, crippling effects on supply chains,” says Atwood. “But, as important and ubiquitous as this topic is, it is fraught with complexity and confusion.”
Cybersecurity spending increases, but new tactics are required
In the Gartner report Combating Enterprise and Ecosystem Cybersecurity Threats, released in September, 63% of respondents expected their spending on supply chain cybersecurity to rise by at least 5%, and the most popular technique for fighting supply chain cyber attacks was a straightforward audit of suppliers, manufacturers and logistics partners. But a point-in-time audit is not enough.
“As encouraging as it is to see the positive steps the profession has taken over the last five years, our research shows that organisations have an inflated sense of their supply chain’s cybersecurity,” says Atwood. Respondents were asked how secure they thought their supply chains were on a scale of 1 to 7 – with 1 being not at all and 7 being completely protected – and 83% of respondents rated themselves a four or higher.
This false sense of security is dangerous given the state of global industry; last year saw manufacturing outpace financial services for the dubious honour of the sector most targeted by cyber criminals, according to Geert van der Linden, Cybersecurity Business Lead at Capgemini.
Legacy technology, much of it designed before cybersecurity was even a consideration, has created openings for attackers to exploit. The sector’s transition to smart factories has also raised complex cybersecurity questions that organisations need to address, explains van der Linden.
“Our recent research shows that 40% of organisations have been victim to a cyberattack that impacted their smart factories in the past year, and this is only going to become more common if organisations don’t react,” he says.
Improved visibility of networked devices is essential for detecting when they have been compromised, and regular system-risk assessments help to prevent attacks, but a great deal more needs to be done if global business is to face down the threat of rampant ransomware and cyber attacks.
Zero Trust has reached “critical mass” for identity verification
Elsewhere, there are encouraging signs – Marc Rogers, Senior Director of Cybersecurity Strategy, Okta, says identity-first security has reached “critical mass” in the past year. “The trend is not going away,” he says. “Increasingly, identity-centric Zero Trust frameworks will be the best choice for any security-conscious organisation.”
The principle of Zero Trust architecture is straightforward enough, explains Rogers: all network traffic should be considered untrusted until validated. Using this “don’t trust, always verify” approach helps with the management of remote and hybrid workforces as the threat of ransomware continues to grow.
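As an added illustration (not Okta’s code, and not part of the original article), the Python sketch below puts the two models side by side: a legacy perimeter check that trusts any request arriving from the corporate address range, and a per-request Zero Trust check that never looks at the network and instead evaluates identity, authentication strength, session freshness and device posture. The address range, resource catalogue, session limits and sample requests are assumed values chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address range. The perimeter model treats anything
# inside it as trusted; the Zero Trust model never consults it.
CORP_NET = ip_network("10.0.0.0/8")

# Assumed resource catalogue: authorised groups and sensitivity per resource.
# In practice this comes from the identity provider or a policy store.
RESOURCES = {
    "wiki":       {"groups": {"staff", "finance"}, "sensitivity": "low"},
    "payroll-db": {"groups": {"finance"},          "sensitivity": "high"},
}
# Assumed maximum session age (minutes) before re-authentication is demanded.
MAX_SESSION_AGE_MIN = {"low": 8 * 60, "high": 15}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    src_ip: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    session_age_min: int


def perimeter_decision(req: Request) -> tuple[str, str]:
    """Legacy model: the network location is the only thing checked."""
    if ip_address(req.src_ip) in CORP_NET:
        return "allow", "source address is inside the corporate network"
    return "deny", "source address is outside the corporate network"


def zero_trust_decision(req: Request) -> tuple[str, str]:
    """Per-request decision on identity, authentication strength and device
    posture. Returns (decision, reason); decision is allow, deny or step-up."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return "deny", "unknown resource"
    # 1. Authorisation follows the verified identity, never the source network.
    if not (req.groups & res["groups"]):
        return "deny", f"{req.user} is not in an authorised group for {req.resource}"
    # 2. Strong authentication is required for every resource, every time.
    if not req.mfa_verified:
        return "step-up", "multi-factor authentication required"
    # 3. Sessions expire; the budget shrinks with the resource's sensitivity.
    if req.session_age_min > MAX_SESSION_AGE_MIN[res["sensitivity"]]:
        return "step-up", "session too old for this resource, re-authenticate"
    # 4. Device posture gates high-sensitivity data to managed, patched devices.
    if res["sensitivity"] == "high" and not (req.device_managed and req.device_patched):
        return "deny", "device fails posture requirements for a high-sensitivity resource"
    return "allow", "identity, authentication and device posture verified"


def compare(req: Request) -> dict[str, str]:
    """Side-by-side outcome of the two models for one request."""
    return {"perimeter": perimeter_decision(req)[0],
            "zero_trust": zero_trust_decision(req)[0]}


# Constructed sample requests (not real traffic).
LAN_NO_MFA = Request("alice", frozenset({"finance"}), "10.1.2.3", "payroll-db",
                     mfa_verified=False, device_managed=False,
                     device_patched=False, session_age_min=5)
LAN_WRONG_GROUP = Request("mallory", frozenset({"staff"}), "10.5.5.5", "payroll-db",
                          mfa_verified=True, device_managed=True,
                          device_patched=True, session_age_min=1)
REMOTE_FINANCE = Request("bob", frozenset({"finance"}), "203.0.113.7", "payroll-db",
                         mfa_verified=True, device_managed=True,
                         device_patched=True, session_age_min=5)
STALE_SESSION = Request("bob", frozenset({"finance"}), "10.9.8.7", "payroll-db",
                        mfa_verified=True, device_managed=True,
                        device_patched=True, session_age_min=120)

if __name__ == "__main__":
    for name, req in [("LAN_NO_MFA", LAN_NO_MFA), ("LAN_WRONG_GROUP", LAN_WRONG_GROUP),
                      ("REMOTE_FINANCE", REMOTE_FINANCE), ("STALE_SESSION", STALE_SESSION)]:
        print(f"{name:16} {compare(req)}  ({zero_trust_decision(req)[1]})")
```

Run as a script, it shows the point Rogers is making: the request from an unmanaged machine on the LAN with no second factor, which the perimeter model waves through, is sent to step-up authentication; a user on the LAN who is not in an authorised group is refused outright; and the finance user working from home on a managed, patched laptop, whom the perimeter model rejects, is allowed. An attacker who has landed on the internal network, the usual first step of a ransomware intrusion, gains nothing from their network position under the second model.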
Okta’s recent State of Zero Trust report indicated that all of the financial services organisations surveyed, without exception, planned to have a Zero Trust initiative in development within the next 18 months. This comes after the sector faced a 35% increase in ransomware attacks, more than any other industry, according to the latest report by the Anti-Phishing Working Group (APWG).
But heightened awareness does not necessarily translate into action and preparation; C-suite executives must prioritise Zero Trust and other cybersecurity measures, explains Capgemini’s van der Linden. Today, there appears to be a lack of collaboration between cybersecurity teams and boardroom stakeholders, which has a knock-on effect for budget allocation and the speed with which organisations respond to a ransomware attack.
“Governance is a particular concern – this area demonstrates the lowest level of preparedness across multiple parameters,” says van der Linden. “Our research shows that response preparedness is just as low, with 54% of executives saying that they don’t have – or don’t know if they have – a team dedicated to preparing for and responding to cyberattacks at their organisations' smart factories.”
People are a problem, but cyber experts are vital for the fight
People are the first, but also the weakest, line of defence, claims van der Linden, so employees must be trained to spot early warning signs of a potential attack so that companies can mount a rapid response.
“Training experts who can oversee the implementation of comprehensive security measures are vital – and investment in this area will not be wasted,” he says. “Those that cannot get this off the ground quickly should consider partnering with an organisation equipped with expertise and end-to-end services to manage it.”
Okta’s research and Rogers both echo this: employee education is key. “Staff need to be empowered to understand all security threats and be aware of the risks created by remote and hybrid working, such as when a family shares passwords or corporate resources are accessed on personal machines.”
Employees must understand the dangers as well as the reasoning behind measures such as Zero Trust, so they’re not tempted to bypass security for the sake of convenience, he explains. “However, it's equally important that security is designed in such a way that it complements user behaviour and empowers them to do their jobs rather than just add additional, often unnecessary friction.”
Insurance helps offset ransomware attacks that get through
The insurance industry is another established sector that must change quickly in order to keep up with commercial pressures, says Okta’s Rogers, and combining cyber insurance with best-practice efforts to protect against attacks is “a sensible strategy”.
“Cyber insurance carriers increasingly consider strong identity controls as mitigating security risks, meaning that they will reduce premiums for companies who use them,” says Rogers. “If the worst happens, cyber insurance policies offer financial support for the many potential costs of a ransomware incident – from regulatory fines and recovery costs to media relations and incident response.”
In the past, the insurance industry has played a key role in the development of security and safety across global business, and Rogers hopes to see the same developments in the cybersecurity space. Policies vary, though: what is covered, and whether regulatory fines or ransom payments are insurable at all, depends on the policy wording and the jurisdiction, so insurance complements controls such as strong identity rather than replacing them.
“Companies will increasingly have little option but to adopt strong, identity-based security if they want to keep insurance premiums down,” says Rogers. “Risks are difficult to quantify, and this is leading to increased costs and more stringent underwriting requirements. Identity-based security will increasingly be the single best way to lower cyber insurance premiums.”