"I guess everyone's entitled to one good scare," said Sheriff Leigh Brackett in the original Halloween. However, even in the run-up to the traditional night of horror movies and candy, cyberthreats are arguably more frightening than the return of Michael Myers.
Lately, the news is sobering and scary indeed: A new survey from The Identity Theft Resource Center revealed that almost 60% of small business owners have had data compromised, a security breach or both. Furthermore, three-quarters of those owners reported having more than one event and a third of them had at least three. Following one of these events, more than 40% of businesses needed one or two years to return to normal, while over 25% said it took three to five years to recover.
Aimed at allaying fears and arming agents for the fight, PropertyCasualty360 hosted a Halloween-themed Twitter chat, "All Treats, No Tricks: Sweet Advice for Mitigating Cyber Threats," on Tuesday, October 26. The chat featured experts from across the industry and covered subjects from ransomware and "cyber gangs" to the role of independent agents in stemming these threats.
"Modern ransomware is now the most reliable way to transform network access into money," said Chris Hendricks, head of incident response at Coalition. "Threats of systemic downtime and leaked data are a powerful motivator, and the extortionists know it."
"Ransomware is apparently more profitable than cocaine trafficking in the '90s, according to Coveware's recent report," said Beazley's Mark Singer. "It's also become just so easy to carry out. Ransomware as a Service (RaaS) has made it accessible to a much wider audience."
And RaaS attacks are only increasing, the panel agreed.
"With a low barrier to entry due to RaaS, many new threat actors have entered the fold," remarked Jason Rebholz of Corvus Insurance. "Additional specialization and outsourcing have created an ecosystem for ransomware attacks to thrive."
Bill Haber of TEKRiSQ corroborated this, elaborating: "RaaS is bringing more unsophisticated criminals to the game targeting supply chain and companies with low tolerance for downtime."
At-Bay's Rotem Iram also agreed, with the wrinkle that "it is still the big groups that do the most damage. And those groups should be targeted by our government, just like REvil last week — a great example, sadly an exception."
The chat wasn't all dire predictions, as the panel also offered some practical advice.
"Treat all new and change of payment requests as suspect. Before making a payment on a new payment request or a change in payment, use a second form of authentication. That second form should be a phone call to the last known phone number for the requestor," said Catherine Lyle, head of claims at Coalition.
"Multi-factor authentication (MFA) everywhere is a huge step, along with well-tested backups and multi-step verification for financial transactions," said Hendricks. "Commit to never changing payment details with just an email. The classics work well."
"The basics are so often glossed over for the fancier tech. If you can build a foundation built on the basics, you can go so much further to securing your organization," agreed Rebholz.
"I generally feel that the best network setup is such where logging in from home and work is exactly the same," said Iram. "This way, no new behaviors are needed. Not every organization can do that, so using VPN and MFA are key."
"Enable the individuals to understand how and why to do this, and do so quickly and affordably … this can be a reality. That's our belief," seconded Haber.
And as far as "the classics" were concerned, Singer (presumably) jokingly suggested, "Don't use 'Password123' as your password."
See highlights from the conversation below. You can also get a full recap here and continue the conversation on Twitter by using the hashtag #NightmareOnCyberStreet.
Q1: What makes ransomware such a popular tool among cybercriminals? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
Ransomware is an immediate monetization of a crime. In the past, criminals had to sell what they stole. Now they lock up the company's systems and wait for the pay day. #NightmareOnCyberStreet – Catherine Lyle, Head of Claims
— Coalition (@SolveCyberRisk) October 26, 2021
Big money + attack specialization = Quick profit + little fear of retribution. #NightmareOnCyberStreet
— Jason Rebholz (@jason_rebholz) October 26, 2021
Q2: What are some of the biggest misconceptions around ransomware that might be leaving companies and individuals vulnerable? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
Agreed and I certainly don't think this has disappeared. @BeazleyGroup has some buyers of cyber insurance only after they've been hit #NightmareOnCyberStreet
— Mark Singer (@marksingercyber) October 26, 2021
Scary misconceptions exist around attack ease & frequency, they can hit ANYONE. It boils down to 2 evils: Overconfidence & Complacency. Independent expertise provides an objective & impartial view of vulnerability. See blog on this https://t.co/lowXBcC05r #NightmareOnCyberStreet
— TEKRiSQ (@TEKRiSQ) October 26, 2021
Q4: What are the benefits or downfalls of paying cyber ransoms? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
Paying the ransom can haunt you beyond joining a dark web Suckers Lists. Now the @USDOJ_Intl @CommerceGov and even consumers are responding negatively. #NightmareOnCyberStreet https://t.co/JvhxRPDe3k
— TEKRiSQ (@TEKRiSQ) October 26, 2021
The speed to rebuild is a great benefit to paying ransom. It allows a company to rebuild faster & avoid further biz interruption. There are many downsides, one being that you are rewarding a criminal and essentially paying for future attacks. #NightmareOnCyberStreet – Catherine
— Coalition (@SolveCyberRisk) October 26, 2021
Q5: What do insurance clients need to understand about the emergence of 'cyber gangs'? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
The Internet is a beautiful but dangerous place with no boundaries.
— Jason Rebholz (@jason_rebholz) October 26, 2021
The "cyber gang" element highlights the power of financial motivation: the tools are new, but the approaches (extortion, theft) are as old as time. Hopefully it helps insurance customers shape defenses to reduce the monetary value of a breach. #NightmareOnCyberStreet – Chris
— Coalition (@SolveCyberRisk) October 26, 2021
Q6: What are the elements of effective anti-phishing and anti-ransomware employee training programs? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
Yes, slowing down is key. Who is actually sending you this email? Check that email address as the misspelling is likely to be discreet.
— Mark Singer (@marksingercyber) October 26, 2021
Frightful annual employee training is real. More effective are short, relevant courses & frequent phishing tests that change behavior, we like what some do to address psychology, change status quo #NightmareOnCyberStreet https://t.co/A6pU5B2C0O
— TEKRiSQ (@TEKRiSQ) October 26, 2021
Q7: What are some basic steps any business owner can take to better limit their exposure, including security issues related to technology products and services? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
Engaging regularly with clients proves one thing… there's a lot of BS and belief in stories about where risk lives. Get the experts involved.
— TEKRiSQ (@TEKRiSQ) October 26, 2021
Security best practices transfer to home. Use a password management tool to store unique passwords. Put multi-factor authentication on all of your accounts that support it. @CorvusInsurance has a helpful guide to implementation: https://t.co/PoxKs3dGx6 #NightmareOnCyberStreet
— Jason Rebholz (@jason_rebholz) October 26, 2021
Great concept of zero behavior changes between work and home. Best practices can and should transfer. Let's just make sure we're starting off with best practices!
— Jason Rebholz (@jason_rebholz) October 26, 2021
Q9: What role does an independent agent play in this ever-evolving market? #NightmareOnCyberStreet
— PropertyCasualty360 (@PC_360) October 26, 2021
The broker/independent agent has the long-standing trusted relationship with the company. Advising the company about their risk in the cyber space and walking through risk transfer is necessary to this discussion of how to solve cyber risk. #NightmareOnCyberStreet – Catherine
— Coalition (@SolveCyberRisk) October 26, 2021
After Halloween, ditch that IT mask unless qualified. Agents are a conduit between clients & experts, but don't try to BE the expert. Far too much risk for your client, your agency and yourself to get it wrong. Some don't listen. #NightmareOnCyberStreet https://t.co/m66gjSHTVx
— TEKRiSQ (@TEKRiSQ) October 26, 2021