Cybercriminals have always been masters of evolving their threat. From changing techniques and finding new vulnerabilities to exploit, they force organisations to constantly be on the front foot to keep data safe.
This has been the same for ransomware. The traditional route of ransomware attacks was that criminals would gain access to the data, extracting it away and asking for exorbitant amounts of money to return it. The traditional defence against this was to ensure regular and siloed data backup. This however is no longer an effective as cybercriminals have once again moved the goalposts
Beyond the backup – the new era of ransomware extortion
The shift from traditional ‘encryption-based’ ransomware to data theft represents a fundamental evolution in cyber-criminal strategy.
In the public sector in particular the availability of data is no longer the primary leverage point for attackers. Instead, it is the confidentiality and reputational value of that data that is being held against the organisations that have been breached.
This has far-reaching consequences on the way organisations must now defend themselves.
If you liked this content…
UK Cyber Resilience Advice ‘Too Bland’, Says Northdoor
UK critical services facing catastrophic ransomware attack
Four layers of security: How best to tackle the public sector cybersecurity threat
Fourteen schools hit by ransomware attacks with highly confidential documents taken
Cyber resilience must be a priority with public sector under threat, warns Northdoor
Why backups alone are no longer a protection strategy
For years, the industry mantra was ‘backup, backup, backup.’ While robust backups are essential for business continuity and disaster recovery, they are a passive defence. In a modern data-theft attack, the criminal doesn’t need to lock your systems; they simply need to exfiltrate a copy of your sensitive information.
Restoring from a backup does nothing to mitigate the threat of that data being leaked on the dark web or used to blackmail your clients. Where sensitive data has been taken, simply restoring it will not save it from being used by bad actors; a backup is merely a recovery item, not a security shield.
How CISOs must reframe the conversation
CISOs need to stop talking about ransomware as a ‘disaster recovery’ event and start discussing it as a ’data governance’ and ’observability’ challenge. There are three key pivots:
- From recovery to resilience: It is no longer enough to have a copy of the data; you must have the ability to detect the movement of data. For example, if an attacker is siphoning off gigabytes of end-user records your infrastructure must be intelligent enough to flag that anomaly in real-time.
- Focus on data sovereignty & encryption: If data is stolen but it is effectively encrypted at rest and in transit with keys the attacker cannot access, the ‘theft’ is immediately neutralised. CISOs should focus on enterprise infrastructureprojects that embed security into the data layer itself, rather than just the perimeter.
- The regulatory & reputational stakeholder: CISOs must frame ransomware conversations around the cost of a data breach in terms of regulatory fines and lost client trust, rather than just the cost of downtime. In highly regulated sectors, the ‘ransom’ is often the smallest part of the total loss.
Ransomware has long been a favourite and effective tactic of cybercriminals. However, with so many organisations understanding the importance of back-up and the nature of much of the data held by public sector organisations has meant that they have once again moved on.
Organisations, particularly those in highly regulated sectors such as the public sector, must react. Standing still is not an option; cybercriminals are certainly not. Taking the three key pivots into consideration and changing the way the think and defend against ransomware will help to keep cybercriminals out and data safe.
