Written by Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice – Infosys
2022 was the year of ransomware attacks. As the world moved to work from home, cybersecurity teams everywhere faced the unprecedented challenge of managing secure access to their organisations’ data through thousands of remote access points.
How much did ransomware attacks cost companies in India?
Even as IT teams around the world struggled to keep up, hackers made hay. In India, specifically, few were spared. As many as 78 per cent of Indian organisations were victims of malware attacks in 2021. This was up by 10 per cent from the previous year, when the move to WFH happened. The cybersecurity firm Sophos, which released this report, also recently revealed that Indian organisations paid an average ransom of $1.2 million to hackers to get their data decrypted. More than 10 per cent of these victimised organisations coughed up $1 million or more as ransom.
To be sure, according to Sophos, all these organisations that paid to get their data back did so despite having other ways to recover the data, such as backups. If there was one thing 2022 taught us about ransomware attacks, it was that they were as inevitable as death and taxes.
What kind of attacks can you expect today?
While the tactics of hackers haven’t changed drastically, today, more hackers leverage built-in commands for malicious purposes instead of exploiting any vulnerability in the systems as they used to earlier. This type of attack is called a living-off-the-land attack. Case in point, the SolarWinds software supply-chain attack was facilitated through a routine global update. Similarly, the Log4j vulnerability was one that allowed hackers to execute code on targeted devices remotely.
What did 2022 teach us about ransomware attacks?
The Year of Ransomware Attacks also offered us some lessons:
1. Every organisation is a potential target
Today, you don’t need to be a target to be a victim. Cybersecurity risks have become indiscriminate, and nearly every person and organisation is vulnerable to cyberattacks because they are tech-dependent and interconnected. It is a misconception that hackers only target large organisations, with small and medium-sized businesses largely being spared. In fact, studies have revealed that it is SMBs that are targeted more than large enterprises, since fewer of them have the resources to defend themselves. It is thus crucial that all organisations, no matter the size, be prepared for the inevitable.
2. Not all attacks are sophisticated
While malware attacks are indeed getting progressively more sophisticated, most attacks come from existing vulnerabilities that are not being remediated or from amateur mistakes. It is easy to become a hacker, as several cyberattacks do not require specialised skills. Malware can be easily bought from the dark net, allowing threat actors to develop attacks that work at scale.
3. Insurance is no substitute for cybersecurity
Ignoring cybersecurity because you’ve paid for hefty cyber insurance is like giving up exercising and going on an unhealthy diet because you’ve landed a great medical cover. Cyber insurance covers, like most other types of insurance covers, are subject to a lot of fine print. Large organisations conduct audits to identify potential vulnerabilities and are hence able to pay appropriate prices for relevant policies. Smaller businesses can’t afford expensive audits, and therefore several cyber insurance policies aren’t always effective. Investing in cybersecurity is more crucial for them. Whenever there is a breach of cybersecurity walls in a business, customers always view it as a breach of their trust, and even the most robust cyber insurance can only cover your damages but not your reputational loss.
4. Incident response is just as important as protection and prevention
Every mountain is insurmountable till someone climbs it. The Titanic was considered unsinkable until it met an iceberg. Even if you’ve ticked all the boxes, dotted all the i’s, and crossed all the t’s, assuming that you are smarter than every hacker on the planet is foolhardy. A wise thing to do is to be prepared for incident response. A July 2022 IBM report finds that those businesses (from their study) that did not implement security practices across their cloud environments required an average of 108 more days to identify and contain a data breach than those consistently applying security practices across all their domains. A good strategy to stay ahead of the hackers is to always assume breach and put controls in place based on that assumption.
Even as cybersecurity grows in importance, threats will grow in severity and often outpace defences. In such a world, the success of cybersecurity will depend not just on how much organisations are willing to spend and what tools they deploy, but on clear policies defined against the risk posture of the organisation and a strong bias towards consistent implementation and enforcement.