Commentary

Government can avoid the ransomware question with strong cyber policy

Whether or not to pay is a standing question facing ransomware victims, but the National Guard's Corye Douglas says the scenario can be avoided altogether with smart policy.

By Corye Douglas

July 30, 2020

(Getty Images)

As the number of coronavirus cases tops 4.4 million in the U.S., the shift to remote work has provided an opportunity for bad actors to more successfully conduct various types of cyberattacks, with ransomware representing one of the most devastating threats.

Unvetted computers and home networks are now relied upon to connect to an organization’s databases and applications. Remote work means fewer restrictions on an organization’s employees. At home, distractions can drive engagement in risky online behavior, such as clicking on links in phishing or spam emails.

The actor behind the Sodinokibi ransomware recently demanded that a Brazilian electrical company pay $14 million, using a special webpage to chat with their victims. The Mexican Ministry of Economy was asked to pay $5 million, while the University of California, San Francisco in June paid $1.14 million in ransom, after negotiating from $3 million.

The average ransom has doubled since 2018, while associated expenses like the loss of work due to downtime and data loss have shown an increase from $46,800 to $283,800, according to one estimate. And with the potential impact on consumer trust when people feel an organization is not capable of protecting their data, there is no question why organizations are paying the ransom: to save their reputations and their finances.

However, is paying ransom a sustainable solution?

Let us consider the seemingly easy option: pay the ransom and expect work to return to normal. Yet paying a ransom does not guarantee the return of data, and even when decryption keys are shared, regaining normalcy takes time and data is frequently lost, with only a 20-50% chance of its recovery, according to the cybersecurity reporter Brian Krebs. Doubling down even after the payment of ransom, bad actors sometimes hand over the data to other cybercriminals who then threaten the victim with a public release of the data if another ransom is not paid.

However, not paying a ransom puts organizations in another compromising position. Research from Veritas Technologies shows that only 29% of consumers want organizations to pay ransom for data, but 55% of consumers want a ransom paid when their own data is involved. On the other hand, the cities of Atlanta and Baltimore showed how costly it can be not to pay ransoms; the recovery costs in each city approached $20 million after they refused to pay ransoms of $55,000 and $76,000, respectively.

In the private sector, businesses are more openly paying ransoms, while the occurrence and sophistication of the attacks keeps increasing. Organizations may be unwittingly funding other criminal or terrorist activities. This is one of the reasons the FBI and the Department of Homeland Security both recommend against paying ransoms. Therefore, it is critical that organizations refuse to provide financial support to these bad actors.

So what is the solution? Organizations should design and implement a sound cybersecurity policy that establishes comprehensive security elements catering to all organizational functions. These policies should outline expectations for everyone with access to the organization’s devices, data, email accounts, file-sharing and, especially, remote access to databases and applications. The principle of least privilege, internet access restrictions and policies for removable media and mobile device management are prominent elements of a comprehensive cybersecurity policy that helps provide protection against intrusions.

The principle of least privilege limits exposure to a ransomware infection by granting select employees data privileges only as required to carry out their specific daily duties, while strong policies on internet access and removable media can mitigate other main attack vectors. According to one researcher, two-thirds of ransomware attacks originate from a phishing or spam email. Meanwhile, a quarter of malicious programs are transferred to systems through removable media such as USB drives. Lastly, a mobile device policy can safeguard sensitive data and inform the user how to protect against loss, theft, compromise and malware.

But composing a consistent cybersecurity policy is just the start. Frequent audits, whether internal or by an independent third-party, of compliance with the cybersecurity policy and guidelines by all users are essential. Moreover, appropriate and swift corrective action must be taken to prevent any lapses in practice. Finally, organizations must regularly re-examine and improve their policies as new proactive cybersecurity measures emerge.

As the bad actors scale their operations, it is evident that federal, state and local governments must take active steps to safeguard their agencies and businesses. But law enforcement merely advising against paying ransoms will not work until viable options are available, and today, prevention is the most effective protection against cyberattacks. Rather than waiting for ransomware to take your digital data systems and networks hostage, invest in a comprehensive cybersecurity policy, and update it regularly. By creating off-network backups and holistic business continuity plans, you can safeguard your data from cyberattacks and avoid ever needing to ask the question of whether you should pay a ransom.

Corye Douglas serves as a national guardsman for New York State. He holds a graduate degree with a focus in emergency management from John Jay College of Criminal Justice and is currently attending Utica College for a master’s degree in cyber policy and risk analysis.