What if operations in your organisation could continue running smoothly, even when you’re facing cyber attacks? With effective cyber security measures, you can ensure your data stays secure and your business runs without interruptions.
By implementing proactive cyber security strategies, you can protect your organisation from ransomware attacks and prevent financial losses far beyond the initial investment. It doesn’t mean the attacks won’t happen, but you’ll be much better prepared to tackle them.
We've talked to Caroline Wong, the Chief Strategy Officer at Cobalt, to gain insight into the threat of ransomware attacks and the difference between a reactive and proactive approach to cyber security, including how a certification like ISO 27001 can help.
Watch the full conversation with Caroline Wong: Video | What’s cheaper: paying the ransom or investing in cyber security? (dataguard.uk)
What makes ransomware so effective?
In 2023, 72.2% of organisations worldwide were affected by ransomware attacks, the highest share ever reported. The healthcare and manufacturing industries are especially affected, suffering data loss, operational downtime and lengthy recovery efforts. Successful attacks are only part of the picture: over 300 million ransomware attempts worldwide were reported last year, making it a growing concern for organisations in every industry.
According to Caroline Wong, software's biggest value is allowing people to share information and connect with each other. Still, she states, “Software is created by humans. And software is inherently insecure.”
It's always a security versus profit discussion
Modern software offers many opportunities for bad actors. Therefore, it must be shaped so that it's resistant to exploitation. But what's standing in the way of doing that?
Software developers often build software under time pressure. Their backlog of bugs, including security vulnerabilities, is long, and some of those remain unfixed by the time the software goes live. “It's always a security versus profit discussion,” says Caroline Wong.
Like any other budgeting decision, the question is how to spend the money available in an organisation. It can be spent on an engineer, a salesperson, a marketing campaign—or fixing a security bug.
“That's a challenging decision to make, and this is risk management,” concludes Caroline Wong. In the EU, the NIS2 directive addresses these considerations by obliging organisations in essential and important sectors to secure their assets as a matter of regulation.
How likely is it to be targeted by ransomware?
Thinking that your company won’t be affected can lead to severe consequences. Today's cyber climate demands a realistic approach to the likelihood of ransomware attacks.
Ransomware is a common threat
As Caroline Wong states, “The most common belief, particularly amongst folks who may not be working in cyber security, is that hacks are uncommon and that they're rare.” In reality, people and organisations are getting hacked all the time. “Everyone's vulnerable, whether we are consumers or representatives of the organisations that we work with,” Wong adds.
For those deploying ransomware, it's a business model. They calculate that a share of their targets will be vulnerable to the attack and set out to take advantage of this.
Cyber threats have advanced over the years
The Ransomware as a Service (RaaS) business model has existed for over a decade. It involves two roles: hackers and affiliates. Hackers create the ransomware and sell it to affiliates, who then use it to target victims independently.
The hacker who designed the RaaS earns a fee for each ransom collected. In the first quarter of 2022, there were 31 Ransomware as a Service (RaaS) groups globally. This number is expected to be even higher now, showing how far cyber threats have professionalised.
Is cyber insurance the answer to ransomware threats?
Nowadays, insurers expect significant security controls to be in place rather than accepting a certificate or test report alone. Customers are struggling to renew their contracts and to secure coverage that will actually pay out in case of an attack. This raises the question of whether getting cyber insurance to protect your organisation from ransomware threats makes sense at all.
Cyber insurance isn't enough
The concept of insurance appears promising when navigating advanced cyber threats like ransomware attacks. Still, it isn't as simple as it might seem.
“I do think that cyber insurance is an important control for organisations to have. I don't think, however, that it is reasonable to have cyber insurance and nothing else,” argues Caroline Wong. But why is that?
Cyber insurance differs from other types of insurance
Whether health insurance, car insurance or home insurance, most insurance types have something in common: questionnaires. The results of these questionnaires determine your rates.
What makes cyber insurance different from these insurance types is how quickly the underlying risk changes. “In 2023, the average ransomware payment was 400,000 dollars, and in the first half of 2024, the average was already 2 million dollars,” says Caroline Wong. Insurance providers must keep their own businesses profitable. This is why they strictly define the security controls and evidence that must be provided before a claim is granted.
View cyber insurance as a strategic partner
You shouldn't view cyber insurance as just a product you buy for your organisation. Instead, view it as a strategic partnership. Know when insurance will and won't pay out.
With this information in mind, you can make strategic decisions on what you need to cover yourself and take action. Protect your most valuable assets first. Find out what can harm your organisation most—and start there.
Paying ransom fuels criminal activities
What would you do if you fell victim to a ransomware attack? If an attacker urges you to pay ransom in exchange for your data or access to your systems, it might seem like a quick solution to the problem. But which consequences does this have?
Ransomware as a Service
One of the actors benefitting from the ransom payment is the person who created the ransomware. With Ransomware as a Service, these people earn money every time an affiliate deploys their tools successfully. However, they aren't the only ones benefitting from individuals and organisations paying ransom.
Ethics of other criminal activities
Ransom payments also finance criminal activities on the dark web, terrorism, trafficking, and other criminal acts you and your organisation wouldn't otherwise want to be associated with.
"We have choices in terms of where our money goes, and it is our responsibility to think about what happens to our money," says Caroline Wong, while recognising the ethical dilemma you can face if people's lives depend on your systems running.
Engaging in this sort of transaction encourages more criminal behaviour. Also, nothing prevents an attack from happening again after paying the ransom. Knowing this, it’s never a good idea to pay the ransom.
How can frameworks like ISO 27001 protect your organisation from ransomware attacks?
ISO 27001 allows companies to manage risks and operationalise security within their organisation. Therefore, it can also be a puzzle piece in your efforts to protect your organisation from ransomware.
A transparent starting point
Your security team is busy and does its best to protect your organisation from threats. But how do you know that you’re focusing on the right topics? “This is one of the things about security that makes it so complicated. It seems as though there is an infinite and endless list of things to do,” explains Caroline Wong.
Especially with a limited budget, it can be challenging to decide which priorities to focus on. Using a framework like ISO 27001 helps you explain to stakeholders why you chose certain investments and security controls.
Focus on what's important
When implementing the ISO 27001 guidelines, you should focus on what's most important to your organisation. Think about your most critical operations and assets first: the ones whose unavailability, for instance due to a ransomware attack, would hurt you most are the ones to start with. It's impossible to secure every asset in a day. So, look at the critical revenue streams and assets and focus on protecting them first.
Security is more than a certification
While the ISO 27001 certification is a comprehensive and straightforward starting point for operationalising your security efforts and showing your engagement to customers, it shouldn't be the end goal.
The principles stated in the framework need to be deeply embedded in your company's culture and daily operations. To ensure your company's long-term success, you need to go beyond certification. Securing your organisation is an ongoing task of protecting your information assets against the latest threats.
Frequently Asked Questions
Why is cyber insurance not enough?
Cyber insurance doesn't prevent attacks. Attackers adapt quickly, making insurance a reactive measure. Without defences, insurance claims may fail. Use insurance as a strategic tool, not a sole solution. Invest in proactive security to protect critical assets and reduce reliance on insurance claims.
Why shouldn't you pay the ransom?
Paying ransom funds criminal activities and encourages further attacks. It doesn't guarantee data recovery or prevent future incidents. Avoid paying ransom, strengthen your security, and prepare for potential attacks using prevention strategies instead.
Can ISO 27001 help prevent cyber attacks?
Yes, ISO 27001 helps manage risks and implement security controls, providing a structured approach to protect your organisation against cyber attacks. It offers a clear starting point for security efforts, allowing you to focus on critical assets and explain security investments to stakeholders. Use it to build a strong security foundation.
Why is ISO 27001 not enough for security?
ISO 27001 provides a framework but isn't a complete solution. Security requires ongoing efforts and continuous improvement beyond certification. Embed security practices into your company's culture and daily operations to foster a proactive approach. Continuously adapt to new threats to ensure the long-term protection of your information assets.