Legislation and liability for cyber-attacks won’t save you — zero trust architecture will
Article by Illumio vice president of APAC Dave Shephard.
Ransomware is a very popular heist among cyber-criminals. By comparison, the old model of breaking in, stealing data and selling it elsewhere feels like a lot of work. Ransomware attacks are effective and terrifying for one simple reason: the higher the stakes, the more likely it is that a perpetrator will get paid — it's a great business model.
Ransomware is appearing in headlines so often now that it has almost become cyber white noise, and the issue has gotten so bad that it is now up to governments and lawmakers to take action.
The targets of ransomware attacks have also changed. Essential infrastructure like Colonial Pipeline in the US has been targeted, as well as organisations that have a massive impact upon our daily lives — like JBS Meats or the Waikato District Health Board in New Zealand. The more critical an organisation is to keeping society functioning, the more attractive it is as a target.
The debate about whether to pay a ransom will rage on. But choosing whether to pay a ransom to recover data is a business decision. For that reason, there has been increased discussion about legislation to make the reporting of ransomware payments mandatory and new laws that will hold boards and company directors personally accountable for cyber-risk. These two discussions might conflict with one another — disclose the attack, report the payment, go to jail, or cop a hefty fine.
A step in the right direction
In Australia, we have the first bill of its kind that forces the disclosure of ransomware payments to cyber-criminals. The Ransomware Payments Bill 2021 is an important first step in tackling the continued proliferation of these attacks and helping to mitigate the impact they are having on the economy and society.
The information Australian companies disclose is essential in building a greater threat intelligence pool and is a forward-looking initiative that will better inform law enforcement, organisations and the cybersecurity community.
Significantly, the Bill doesn't penalise an organisation for paying a ransom — rather, it requires them to share this information so that the wider community is aware and can look to prevent this particular instance from repeating itself.
What organisations can do now
The focus must remain on making organisations more resilient to attacks. Continuing to rely on perimeter security in the hope of stopping all breaches from happening is failing us. Each headline shows this approach has its limits and misses attacks repeatedly. Breaking this cycle begins with the adoption of a new security model — a zero trust model.
A zero trust security architecture is built on two premises: 'never trust, always verify' and 'assume breach'. Specifically, zero trust segmentation, used in concert with traditional data centre firewalls, allows businesses to isolate systems and prevent attackers (or malware) from moving laterally once the perimeter has been breached.
The 'hard outer but soft centre' approach to security must be challenged. Zero trust technologies allow organisations to be much more resilient, but organisations must also think differently about cybersecurity and move away from legacy approaches.
By segmenting operational technology networks from IT networks, the latter remains protected if the former is hacked (and vice versa), thus protecting the critical data held on each network and throughout the organisation.
The same level of resilience can be applied to environments (test from prod.), sites (campus A from B), or applications (e.g., PCI or Swift) without introducing hardware or re-architecting the network. Zero trust architecture cannot be achieved with one technology alone — a comprehensive strategy requires a more holistic approach. However, a zero trust architecture cannot be fully achieved without segmentation.
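To make the segmentation idea concrete, here is an added example (not code from the article or from Illumio) that models workloads with environment, site and application labels, applies a default-deny allow-list policy, and computes the blast radius a compromised host would have under a flat perimeter-only model versus the segmented one. The inventory and rules are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: each workload carries env / site / app labels,
# mirroring the test-vs-prod, campus A-vs-B and PCI/OT examples in the text.
WORKLOADS = {
    "web-test-1": {"env": "test", "site": "A", "app": "shop"},
    "db-test-1":  {"env": "test", "site": "A", "app": "shop"},
    "web-prod-1": {"env": "prod", "site": "A", "app": "shop"},
    "db-prod-1":  {"env": "prod", "site": "A", "app": "shop"},
    "pci-gw-1":   {"env": "prod", "site": "B", "app": "pci"},
    "plc-ot-1":   {"env": "prod", "site": "B", "app": "ot"},
}

# Segmented policy: a flow is permitted only if an explicit rule matches both
# ends. Each rule is (source selector, destination selector, port). Anything
# not listed is denied: this is the 'never trust, always verify' default.
SEGMENTED_RULES = [
    ({"app": "shop", "env": "prod"}, {"app": "shop", "env": "prod"}, 5432),
    ({"app": "shop", "env": "test"}, {"app": "shop", "env": "test"}, 5432),
]

# Perimeter-only model: once inside, every workload may talk to every other.
# An empty selector matches any label set.
FLAT_RULES = [({}, {}, 5432)]


def matches(labels, selector):
    """True when every key/value in the selector is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed(src, dst, port, rules):
    """Default deny: the flow passes only if some rule matches src, dst and port."""
    if src == dst:
        return False
    s, d = WORKLOADS[src], WORKLOADS[dst]
    return any(matches(s, ss) and matches(d, ds) and port == p
               for ss, ds, p in rules)


def blast_radius(start, rules, port=5432):
    """Set of workloads an attacker on `start` could reach by lateral movement
    (breadth-first search over permitted flows)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in WORKLOADS:
            if other not in seen and allowed(cur, other, port, rules):
                seen.add(other)
                queue.append(other)
    return seen - {start}
```

Running `blast_radius("web-test-1", FLAT_RULES)` returns every other workload, including the PCI gateway and the OT controller, whereas `blast_radius("web-test-1", SEGMENTED_RULES)` returns only the test database.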
Attackers are persistent. Legislation can help in the long run, but zero trust technologies will make our organisations more resilient to attacks today.
Organisations can't stop breaches, but they can prevent them from spreading and becoming catastrophic incidents.