To pay or not to pay? When it comes to the growing threat of ransomware, company leaders need to be clear on how their organisation’s data and IT infrastructure are protected, writes Professor Kamal Bechkoum, head of the School of Computing and Engineering at the University of Gloucestershire.
Ransomware is one of the most debilitating forms of cyber-attack, often catching organisations unaware and ultimately causing them long-term financial and reputational harm. Unfortunately, in 2021 there has been a massive upsurge in companies of all sizes being targeted.
One example is the recent DarkSide attack against the Colonial Pipeline operator, the largest fuel pipeline in the US, resulting in a six cents per gallon price hike and forcing the American government to relax regulations on how long truckers can remain behind the wheel to improve fuel supply chain flexibility.
Once ransomware takes hold of a single device, entire networks can quickly become infected. Ransomware will often make its way onto a system as a malicious web link or email attachment. If a network is not properly protected, an entire organisation’s IT infrastructure can be harmed.
There are two main types of ransomware: crypto and locker. If an illegitimate application is opened, crypto-ransomware will seek to encrypt all of the files, folders and hard drives, promising to reinstate data only after a ransom has been paid. As the name suggests, locker-ransomware poses a similar threat by locking users out of devices and systems.
Preparing the fight back against ransomware
One of the biggest challenges to confront is the ethical dilemma of whether or not an organisation should pay a ransom. This is no easy decision. Average ransom amounts are currently in the region of £10,000, often with a 24-hour countdown attached to them before all data or access is irretrievably lost.
This means company leaders should debate whether or not to pay long before an IT network is held hostage. At the same time, transparency about that decision can be vital.
Be prepared to ask difficult questions of your IT team. If they believe they have the necessary expertise and software to deal with any ransomware threat, then put this to the test. Bring in a third-party company that is fully qualified and capable of pressure-testing process and practice with an unannounced attack.
Organisational culture matters
A culture of security should be fostered throughout the workplace. Staff need to be educated and trained to keep software applications and systems updated; backup files regularly; and segment networks to ensure sensitive data is only accessible as necessary.
If the organisation falls victim to cybercrime it is vital to act quickly. Wherever possible, ensure that the incident is contained while the business continues to operate. Then prepare to notify all relevant stakeholders, including insurers, regulators, lawyers, the police and clients as is necessary and practicable.
Training should prepare leaders for ‘what if?’ scenarios along with clear roles and responsibilities in case of a cyber-attack. How will an organisation respond to its networks being compromised or customers being unable to access online services?
The threat landscape is constantly moving and, while it may be unrealistic to ask executives to follow the details of every twist and turn that happens, they can encourage IT managers to join external organisations and forums where information and good practice are regularly shared. They can also develop a corporate ransomware policy and turn the strategic principles agreed into a working tactical plan.
Worryingly, research indicates that one-third of companies believe it has become more cost-effective for them simply to pay a ransom than to invest in proper security systems and training.
Unfortunately, this creates a catch-22: businesses continue to pay, ransomware grows as a popular money-making tactic for criminals, and the problem is only encouraged further. It is up to the organisation’s leadership to decide where the line will be drawn.
How the University of Gloucestershire can support you
The University of Gloucestershire is a leading provider of cyber security programmes, offering qualifications at undergraduate and postgraduate level.
In 2019 it became the first university in the country to offer the Cyber Security Degree Apprenticeship, and the programme has since gone from strength to strength. This Level 6 apprenticeship provides learners with the skills to identify and mitigate the ever-evolving cyber security threats faced by organisations of every size and in every sector. As learners are employed for the duration of their apprenticeship, they are able to make an immediate positive impact in their workplace.
From September, the University will also be adding two new degree apprenticeships to its portfolio: Data Scientist and Digital Technology Solutions Provider.
To find out more, visit www.glos.ac.uk/apprenticeships