Perhaps the biggest vice in my life is music. This is both a good and bad thing. Good, in that music can be a wonderful way of relaxing; bad, in that I have to listen to it on headphones, as not everybody in my family agrees with my musical tastes. My wife, in particular, refuses to countenance folk, rock and heavy metal (my particular poisons) as music, preferring to describe it as noise. My stock response, quoting the great Louis Armstrong, that “all music is folk music as I ain’t never heard a horse sing”, usually just inflames matters…
As Joni Mitchell once sang, “you don’t know what you’ve got till it’s gone”. For most companies, when thinking of their cyber risk, minimal thought has been given to the data that they hold, how this is used and the value it has to the organisation. If anything, employees and senior management probably take it for granted that IT will always work and company data will always be available.
One of the comments that companies regularly repeat when it comes to the hacker threat is “why are we a target? We don’t have any data that would be of interest to a third party”. If this were true, then why are so many commentators referring to the significant rise in ransomware as being an epidemic? If company data is of no value to a hacker, why is it being targeted so?
Hackers, however, are “one step beyond” this school of thought. They know that a company’s data is of minimal value to them, but they also know that the data is highly valuable to the company as, without it, the company is unable to operate. The value of the data to the company, therefore, is the economic loss that will result during the period that the company is unable to trade.
It is for this reason that hackers continue to target companies – they know that, if enough mayhem is created, this increases the chance of them getting a pay-out, precisely because of the economic loss that the target is suffering. It only needs a small number of victims to pay the ransom to justify the hackers’ time investment and therefore sustain their economic model.
Some of the same commentators have also observed that the existence of cyber insurance policies, which may provide cover for the ransom demand, merely adds fuel to the epidemic. This is incorrect because it ignores the reason why the ransom needs to be paid.
The simple reason why ransoms continue to be paid is that companies have no other option. Invariably, ransoms are paid when data backups have also been encrypted in the attack or have been irreversibly damaged. Alternatively, the backups are not encrypted, but have never been properly tested such that when they are actually needed, the victim company establishes that they are incomplete, contain errors or simply cannot be used.
The solution to this is therefore pretty obvious – ensure that backups are not stored on a platform that is connected to the network, ensure that steps are taken to verify that backups are complete and regularly test backup files to ensure that they can be used to fully restore the network.
However, it is likely that companies have not considered that the value of their data can increase and decrease due to supply and demand. As we start to emerge from the COVID lockdown, that demand, and hence value, increases. Companies need the data to help them restart production, communicate with customers and start making sales, all of which is necessary to start generating cash so that bills, which will have mounted up, can start to be paid.
If a ransomware attack occurs at this time, then the ransom demand is likely to be significantly higher than it would have been pre-COVID, meaning that an attack could have existential consequences. Just at the point in time when the business is able to, and wanting to, start generating cash, it is unable to do so because its network and data are encrypted. This will create further pressure on any borrowing facility limit, as well as meaning that the victim company is at a competitive disadvantage, given that its rivals will have restarted trading. It is the hackers’ hope that this additional stress will increase the likelihood of them being paid.
While lockdown restrictions may make it difficult for companies to assess the quality and security of their backups, this is an exercise that should be treated with the utmost urgency. Failure to do this and then finding themselves unlucky enough to be the victim of an attack will prove that, from the hacker’s perspective, Messrs Jagger and Richards were wrong in that you can always get what you want and that Dire Straits were right – you can get “money for nothing”.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.