Over the past two years, we’ve seen a number of our clients’ security programs re-orient to prepare for potential ransomware incidents. Much of these preparations have focused on the controls and processes that would specifically help prevent and respond to a ransomware infection. While this is often effort well-spent, I’d like to suggest that many organizations need to rethink their larger security strategies to respond to the rise in opportunistic attacks.
Rising Opportunistic Attacks
Until recently an adage in the cybersecurity community posited that most organizations didn’t need to have perfect security; it just had to be better than the next organization. The thinking was that opportunistic attackers would quickly move on if they didn’t find something exploitable after a short time. It was the cybersecurity equivalent of “You don’t have to be faster than a bear, just faster than your slowest fellow hiker.”
The increasing prevalence of ransomware has changed that. Previously, monetizing a breach would require a significant time commitment from the attacker. They’d need to find a way to social engineer a monetary transfer or identify data that they could steal and then sell. In contrast, ransomware allows for the near-immediate monetization of a discovered vulnerability. No more W2 fraud. No more falsifying invoices.
At the same time as ransomware has proliferated, advances in Internet research tools have made scanning large swathes of the internet accessible at low cost. With tools like masscan an individual now can scan the entire internet in a search for a given vulnerability. Only a few years ago, this would have been considered a nation state capability.
Putting those two concepts together, it’s now feasible for an individual or small group to scan large swathes of the Internet for vulnerable services and then automate their exploitation and monetization via ransomware. In recent research, Palo Alto Networks demonstrated that 80% of honeypots were compromised within 24 hours of being exposed to the Internet. “Doing security better than average” is no longer sufficient to defend against this. In fact, consistent, flawless execution of security fundamentals is now more important than ever. Smaller or lower profile organizations can no longer assume they’ll fly under the radar of most attackers.
Security Debt Inflection Point
As these trends have developed, some organizations have sought to outsource the increased risk via cybersecurity insurance. In many cases, purchasing an insurance policy was less expensive and faster than addressing all security debt and perfecting processes. Increasingly, however, insurance companies are denying claims on the basis of inadequate security measures and processes. Put differently, purchasing cybersecurity insurance will prove to be more expensive than addressing security deficiencies if insurance coverage would be denied on the basis of those security deficiencies.
Consider also that ransomware attacks have the potential to be substantially more damaging than incidents involving a data breach. According to a study performed by IBM and the Ponemon Institute, in 2021 the average cost of a data breach was $4.24 million USD, but ransomware attacks tended to be more expensive, with an average cost of $4.62 million USD. In some cases, ransomware incidents can incur substantial collateral costs. The Colonial Pipeline incident affected travel on the US east coast, with significant secondary economic effects. The NotPetya attack cost Maersk shipping $300 million, but also disrupted international supply chains by taking one of the major providers offline.
Many organizations have not adapted their security strategies to this changing reality and instead continue to rely on insurance to address their known security gaps. My expectation is that this plan will become less and less viable over time. We will soon reach an inflection point where the upfront costs of reducing security debt and improving processes will be less expensive. The alternative will be shouldering both the costs of premiums and the out-of-pocket costs of incidents when a claim is denied.
And So, We Adapt
In the face of these converging trends, organizations should take a hard look at their current state. Many organizations have accepted a baseline level of risk because the costs of addressing all security debt was simply too high. I think this approach will quickly pass a threshold, though, at which failing to adequately address security fundamentals will become the more expensive strategy. These trends may also accelerate migration to the cloud, as organizations seek to reduce the problem set of security items for which they are responsible. Attacks will only become more frequent as it becomes easier for attackers to monetize a breach. Many organizations will need to re-think their approach to risk and plan strategic efforts to adapt their security programs.
This is the second article in a three part series looking at cybersecurity program strategy from a big picture perspective. View the previous installment here and check out the final post here.