Don’t cry over spilled milk; in fact, maybe it will teach you to hold the carton tighter. A lesson well learned. This is why, despite the harsh headlines, the ransomware attack that struck the world in May, WannaCry, makes me smile.
If I were a white hat specialist intending to teach the public a massive lesson (for a greater benefit), this would have been the perfect approach: $300 is just enough to get attention and make a point without inflicting financial damage. I also would have donated the $50,000 to cyber education, but that’s beside the point.
Many are reporting this breach in an absolutely frightening manner. Scary? Sure, anything that affects the masses is disturbing. But I see it entirely differently. With the exception of the few organizations that were greatly affected, dare I say, this was a great breach! Here’s why:
The tone of reporting on this breach has been one of shock and doom-and-gloom. However, there are a number of very positive points that are being overshadowed.
For one, despite the low demand of $300, only a small percentage of those infected actually paid. There are a number of potential reasons for this, such as the discovery of the kill switch and the sharing of decryption codes, but the main thing we can hypothesize from this statistic is that companies are employing regular backups. For companies to be unwilling to shell out $300 indicates both a lack of intimidation and a sense of security in their own controls. This is great news. Frequent and regular backups are the single most effective security measure against such attacks.
On another positive front, this breach has resulted in somewhat of a mass awakening to cyber threats (and the importance of security) among the general public. Those who were not treating backups, encryption or system updates seriously have heard the message loud and clear.
The topics of backups and encryption are seeping into everyday conversations – a change in tone for sure. So in some ways (although it may be wishful thinking) this may deal a blow to ransom attacks, and even cyber attacks in general. That is about as good a response as a security specialist could hope for post-breach.
Lastly, it is largely expected that this breach will act as a catalyst to fuel adoption of cyber insurance in the small and mid-sized business community. This is good news for the insurers as well as the companies purchasing cyber insurance, as many smaller companies do in fact need a small push when it comes to incentive for purchasing coverage.
I say this with one large caveat. Cyber insurance is a great product and should be more widely adopted; however, buyers should be very careful to understand the policy’s limits. Sub-limits and deductibles apply and, combined with conditions precedent to coverage and policy exclusions, may result in limited or nonexistent coverage.
A recent case of an affected law firm that was only able to collect $25,000 of a $700,000 loss highlights this point well. A demand that seems like only $300 could actually result in $3,000 or $30,000 of damages when you add in the lost income, forensic investigation and asset restoration. As many have reported, the majority of damages from this breach are expected to come in the form of lost income, which some expect to be in the millions.
You also have to consider that payment of a demand can often result in your company being added to a whitelist, thus creating a soft target that increases the likelihood of being retargeted. Policies with low sub-limits can be maxed out quickly.
Coverage terms are also all over the board. Some policies only provide reimbursement of extortion demands but exclude any resulting third-party damages (and contractual penalties) and asset restoration costs. Costs related to asset replacement can balloon quickly when you consider the possibility of having to individually decrypt hundreds or thousands of individual files following a handover of the data.
Broader policies, however, not only include coverage for such damages but also contain open definitions that allow for a wider range of claims such as threats to pharm or phish your own clients through impersonation, and defacement of a website. There are also a number of exclusions that have the potential of limiting coverage in poorly structured policies such as exclusions for self-propagating code/viruses.
In short, cyber insurance is important with ransomware proving a critical element of that coverage, but when placing cyber insurance, it is critical that the scope of coverage is assessed.
With all of the positives addressed, the main fear that has bloomed from this breach is a fear over the future of ransomware, and just how damaging it may evolve to become. Demands have long been expected to rise, but we didn’t see that here – for reasons we can only speculate. Either way, the demands will rise eventually. But it’s not larger demands that I fear most. As is the nature of malicious code, ransomware will only get smarter.
What might that look like? This code was rather unintelligent, but as ransomware becomes smarter, it may come with the intelligence to discern between the value and quantity of data in its possession, which could pose a real danger. Imagine a “conscious” ransomware – one that was aware it was in possession of hundreds of thousands of medical records, and could set an appropriate ransom demand. Or, equally frightening, ransomware with an ability to infect, lie dormant, prevent backups and launch a future demand.
A recent survey by AIG indicates that most IT professionals believe blanket coordinated attacks are on the near horizon. Attacks that could simultaneously affect tens to hundreds of victims in a particular industry – likely through vulnerabilities contained within software of a common nexus. Combine that coordinated approach with an attack like this and it could spell disaster in more ways than one. Not to mention it would also likely cause surges in insurance premiums on those affected industries.
The larger point to be made here, though, is that despite the low demand and unintelligent nature of this attack, which may communicate a false sense of security to the public, it’s important to remember the way these attacks may evolve and improve, and just how damaging they can be.