The Identity Theft Resource Center (ITRC) tracked 3 205 data compromises affecting 353 027 892 individuals in 2023, representing a 72% increase in total compromises from an all-time high in 2021.
The hackers are getting in. Which means companies need a strategy to get them out. It is time to pay attention to the “what happens next” part of cybersecurity, giving it the same level of investment as traditional security technology.
There are two aspects to ransomware. The first is encryption, which completely severs your ability to access your data; the second is a malware exfiltrating the data. With the latter, you don’t realise you’ve been hacked until you are sent you a sample of your data a ransom demand is made.
The first option open to the organisation is to pay and hope the attackers will provide the encryption keys and return your data. However, this is a risky move – attackers may not honour their side of the bargain, leaving you without your data and your money. There is also the risk that they have left something behind in your environment that will reinfect your business at a designated time in the future. For the hackers, the fact that you were willing to pay the first time means you’re probably willing to pay the second time, so they set your environment up for a fall.
Invariably, a ransom demand aims to get an immediate payment from a customer. If you’ve been hit by crypto-ransomware, it’s a case of pay and pray. If they exfiltrated and then encrypted, while you are fixing your machines, they are selling your data to the highest bidder. You are now in a position where you have to advise the regulatory authority and the market in a way that will limit the impact on your reputation.
This is the next option for the business – find a smart way of managing the situation that ensures customers are protected and the damage of the compromise is as limited as possible. The way in which your organisation communicates the incident goes a long way towards shaping how those impacted by the breach react.
If you don’t opt into paying the hackers, your first choice should be to bring in a digital forensics team to help you remove the ransomware and recover the data. This is the best option as payment isn’t going to guarantee your data is returned or hasn’t already been sold. With the right team on-site, you can establish the extent of the damage and determine how the attack took place. This then allows you to address unexpected vulnerabilities and potentially prevent it from happening again.
Prevention in cybersecurity, as in health, is better than the cure. Having cyber-insurance or a cyber-warranty in place is a good investment as the policy provider will help you to resolve the attack. However, if you don’t have cyber-insurance or a cyber-warranty, you will need to work with a professional cybersecurity organisation to help you manage the situation as they will know how to navigate the demands and the fall-out of the incident.
Discovering that your business has fallen victim to a successful attack is an intensely stressful experience, particularly in the current regulatory landscape. Attacks are no longer a maybe, they are as much guaranteed as potholes in Johannesburg and power outages at meal times.
The goal for the company is to build a resilient strategy from within and from outside so that a hack is a manageable event rather than an expensive crisis that also causes reputation damage. By not doing your best to protect your data, you are opening yourself up to negligent findings by the regulator, which could mean fines, jail time or a complete business closure due to customers moving their business elsewhere.
Put a plan in place, collaborate with a team of security experts to fortify your systems, invest in cyber-insurance or a cyber-warranty — which are invaluable backups — and establish a policy that will help you minimise the impact of a breach.
Richard Frost is Head of Consulting at Armata.
