Countering the Ransomware Menace: Busting 5 Big Cyber Myths
Vishal Salvi, SVP & CISO at Infosys discusses the impact of the current wave of ransomware attacks and what Infosys is doing not only to protect its clients but also to protect its own systems in an interview with Bill Mew, Digital Ethics Campaigner and CEO of CrisisTeam.co.uk. Along the way, they busted a few cyber myths.
Organizations of all sizes are facing a major challenge. We are seeing rapid innovation in data collection with IoT devices and 5G connectivity as well as rapid advances in data management with big data analytics and AI. High adoption of cloud has made cloud services and applications critical to businesses. Together these are increasing organizations’ ability to manage all aspects of their operations with ever greater sophistication and efficiency. However, while this means data is rapidly becoming their greatest business asset, a new breed of ransomware attacks that are targeting even the cloud and SaaS data, is simultaneously becoming their greatest business risk.
Myth 1: It’s OK. It will never happen to us
We have never been so technology-dependent or so interconnected and therefore never been as vulnerable to cyberattacks as we are today.
Cybercrime will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. And ransomware attacks are becoming more frequent and prevalent, with a new victim falling prey to a ransomware attack every 40 seconds. This is expected to rise to every 11 seconds in 2021, according to a report by Cybersecurity Ventures, which has also claimed that cybercrime represents the greatest transfer of economic wealth in history.
It is not just large enterprises that are targeted. 66% of small to medium-sized businesses (SMBs) have experienced a cyber-attack in the past 12 months. And while 43% of cyberattacks are aimed at SMBs, only 14% are prepared to defend themselves.
So it is probably not a question of ‘if’ you are going to experience a cyber incident, but ‘when’ and indeed it may already have happened - as a report by IBM claims that it currently takes a company 197 days to even discover a breach and up to 69 days to then contain it.
Salvi argues that risk awareness and culture are critical here: “All too often people see it as ‘not their problem’ when in reality it is everybody’s problem. You need a company-wide culture that takes cybersecurity and cyber hygiene seriously and this needs to start at the very top. The board needs to make cybersecurity a priority and to resource the CISO appropriately. The IT department needs to build security by default. And staff need to be trained to spot phishing and to set up multi-factor authentication (MFA) as standard.”
Whereas security was once seen as a reason not to move to the cloud, cloud systems can now be as secure, if not more secure, than on-prem systems. The challenge, especially in hybrid or multi-cloud environments, is overcoming the complexity in order to protect the entire estate.
Myth 2: There’s nothing we can do against sophisticated hackers
At present, Salvi believes, hackers don’t actually need to be all that sophisticated: “While we have seen some particularly sophisticated and complex attacks, most cyber incidents result either from known vulnerabilities or from foolish mistakes.”
He points to the role that automation can play in configuring cloud instances correctly and managing them effectively as well as in providing the first line of defense for attacks and alerting you to know vulnerabilities or required patches.
And as we become better at automating the basics, attackers will inevitably need to become more sophisticated, meaning that automation will play an increasingly critical role in the future. He likens it to an arms race in which: “both sides use AI, but the attackers use it in a race to identify and exploit vulnerabilities, while IT teams use AI in a race to identify and patch them.”
Myth 3: There’s no way we can hold back the cyber storm
The rising volume of attacks may appear overwhelming, but this is all part of the AI arms race. The massive attack volume is down to the fact that attackers are increasingly taking a scattergun approach, seeing where they can draw blood. Salvi explains that: “You need to ensure that your ability to automate things is better than theirs. With cybersecurity and AI talent in short supply and often at a premium, the right skills may be beyond the reach of all but the very largest organizations. This is where clients may well need a strategic cybersecurity partner.”
Salvi points to the fact that few organizations these days write their own software and most not only use packaged applications but are increasingly turning to SaaS (Software as a Service) and indeed AI to maximize the value of their data and leverage the potential for process automation. Salvi believes that we will see the same in cybersecurity. As organizations face the challenge of automating significant aspects of cybersecurity, they will turn to strategic partners like Infosys with the skills to manage things on their behalf - from leveraging automation effectively and fine-tuning the tools and algorithms, to spotting anomalies and identifying threats and then applying the skilled resources and tactics to deal with them promptly and effectively.
Myth 4: It’s OK. We’ve got cyber insurance
The temptation for many organizations is to seek to take out cyber insurance and having done so to relax their focus on cybersecurity, as they are now covered. While risk is easy to measure in many other areas and therefore cover is relatively straightforward, cyber risk is exceedingly complex and hard to quantify. The very largest organizations can conduct comprehensive cyber audits that can help identify potential vulnerabilities, assess risk accurately and allow insurers to price policies effectively. Most organizations cannot afford such audits, and the alternative methods of assessing risk are notoriously crude, making policies exceedingly hard to price effectively. Many cyber policies, therefore, include numerous exclusion clauses, making them of little value for all but a few potential threats. Cyber insurance should therefore only ever be seen as supplementary to cybersecurity and incident response, and never a substitute for either of them.
As Salvi explains: “There is no substitute for effective cyber security, but it does not need to cost the earth either. Embedding the right culture throughout your organization - one that values data, appreciates risk, and prioritizes cyber hygiene - is an absolute necessity. The right organizational behavior will not only complement your active cyber defense strategy, but it will make it cheaper and more effective.”
The kind of automation that Salvi envisages will not only allow enhanced security and cloud management but is also the only way to gain an accurate real-time view of your overall risk position across complex hybrid environments. It will also allow CIOs and CISOs to balance their security resources with their risk appetite while being able to prioritize key risks and possibly even negotiate a reduced cyber insurance premium.
Myth 5: If we get prevention right, we won’t have to focus on the rest
As much as organizations would all like to be 100% secure, the reality is that almost all software will have vulnerabilities that will need patching at some stage, and then the moment that you add users there is a risk of mistakes being made as well. Particularly, when many users come on to a single ecosystem supported by cloud services. As Douglas Adams once said: “A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.”
Rather than focusing all your resources on just prevention or indeed either on just detection or incident response, Salvi recommends having a broad perspective and seeking to maintain a focus on all of these areas. He maintains that: “It may sound boring, but focusing on all of these areas is the best way to limit the business risk. It is all too tempting to focus on the latest, ‘shiniest’ technology, but the boring stuff is often more important.” Therefore, best practices such as continuous monitoring of third-party apps and the SaaS environment, using cloud-to-cloud backup, and building security awareness become imperative.
In addition, you cannot assume that software is 100% secure either. Following a spate of recent supply chain incidents, Salvi has led an initiative at Infosys to write to the CISOs at all of its top security and non-security software vendors to get assurance from them that they were doing the right thing and for any that have appeared opaque on their strategy and investment plan, he has started looking at a potential exit strategy. With API integration common between SaaS apps and other cloud-based systems, the need for assured supply chain integrity is greater than ever.
Conclusion
In the future, Salvi believes that all but the very largest organizations will struggle to keep up when it comes to maintaining the skills and capabilities required and that most will need to partner strategically, especially as AI and complex automation start playing an increasing role. One observation that he makes is that the way that clients work with strategic cybersecurity partners can vary widely: “Our ability to improve the maturity of a given client infrastructure is completely a function of how the client reciprocates and collaborates with us. We have seen clients who have made us fully accountable to deliver the very highest level of cybersecurity services and then there are places where, however hard we try, it is a struggle to push the client to focus on the basics. We are the common factor here, but [in security terms] our quality of service is entirely a function of how we are able to collaborate and how mature the client’s orientation is.”
Overall, Salvi is an optimist. He believes that the white hats far outnumber the black hats and that if we all work together, we should be able to counter the cyber menace. This collaboration, however, needs to be between vendors in sharing threat and vulnerability alerts, between governments in greater geopolitical cooperation, and of course in the collaborative relationship that most clients will need to have in the future with their strategic cybersecurity partner.