Data for ransom: Yours

How should organisations respond after their cybersecurity has been compromised and the attackers are now holding their information for ransom?

The highest number of data compromises tracked by the Identity Theft Resource Center (ITRC) was 1,860, impacting around 300 million people in 2021. Until 2023. The ITRC tracked 3,205 data compromises affecting 353,027,892 individuals at a 72% increase on 2021’s numbers. The hackers are getting in. Which means companies need a strategy to get them out. As Richard Frost, Head of Consulting at Armata, explains, it is time to pay attention to the ‘what happens next’ part of cybersecurity, giving it the same level of investment as security technology.

“Having cyber-insurance or a cyber-warranty in place is a good investment as the policy provider will then help you to resolve the attack,” he continues. “However, if you don’t have cyber-insurance or a cyber-warranty, you will need to work with a professional cybersecurity organisation to help you manage the situation as they will know how to navigate the demands and the fall-out of the incident.”

There are two aspects to ransomware. The first is encryption which completely severs your ability to access your data, the second is a malware exfiltrating the data. With the latter, you don’t realise you’ve been hacked until they send you a sample of your data and then make a ransom demand. Now, companies are faced with some tough choices.

The first option open to the organisation is to pay and hope the attackers will provide the encryption keys and return your data. However, this is a risky move – attackers may not honour their side of the bargain, leaving you without your data and your money.

There is also the risk that they have left something behind in your environment that will reinfect your business at a designated time in the future. For the hackers, the fact that you were willing to pay the first time means you’re probably willing to pay the second time and so they set your environment up for a fall.

“Invariably, a ransom demand aims to get an immediate payment from a customer,” says Frost. “If you’ve been hit by crypto-ransomware, it’s a case of pay and pray. If they exfiltrated and then encrypted, while you’re fixing your machines, they’re selling your data to the highest bidder. You’re now in a position where you have to advise the regulatory and the market in a way that will limit the impact on your reputation as much as possible.”

This is the next option for the business – find a smart way of managing the situation that ensures customers are protected and the damage of the compromise is as limited as possible. The way in which your organisation communicates the incident goes a long way towards shaping how those impacted by the breach react.

“If you don’t opt into paying the hackers, your first choice should be to bring in a digital forensics team to help you remove the ransomware and recover the data,” says Frost. “This is the best option as payment isn’t going to guarantee your data is returned or hasn’t already been sold. With the right team on-site, you can establish the extent of the damage and determine how the attack took place. This then allows you to address unexpected vulnerabilities and potentially prevent it from happening again.”

Prevention in cybersecurity as in health, is better than the cure.

Discovering that your business has fallen victim to a successful attack is an intensely stressful experience, particularly in the current regulatory landscape. Attacks are no longer a maybe, they are as much guaranteed as potholes in Johannesburg and power outages at meal times. The goal for the company is to build a resilient strategy from within and without so that a hack is a manageable event rather than an expensive, reputationally damaging crisis. Adding to this by not doing your best to protect your data, you are opening yourself up to negligent finding by the regulator which now could mean fines, jail time or a complete business closure due to customers moving their business elsewhere.

“Put a plan in place, collaborate with a team of security experts to fortify your systems, invest in cyber-insurance or a cyber-warranty as it’s an invaluable backup, and establish a policy that will help you minimise the impact of a breach,” concludes Frost.