According to a report by the UK’s National Cyber Security Centre, almost half of all recorded UK cyber incidents between September 2020 and August 2021 targeted the public sector. Public sector cybersecurity is being put to the test and it’s imperative that public sector organizations properly protect the sensitive data that is in their possession.
Back in October 2020, Hackney Borough Council in London suffered a serious ransomware attack which took many of its services and IT systems offline. The attack cost the council millions of pounds and today, more than 18 months later, data is still missing across many services. In February 2022, the Information Commissioner’s Office ordered Hackney Borough Council to disclose information regarding what cybersecurity training its staff had received prior to the attack, when they were required to work from home due to the Covid-19 pandemic.
Ransomware brings with it a risk of reputational damage, productivity losses, as well as the cost of paying the ransom. But for an organization such as a borough council, the risk of large volumes of sensitive personal data falling into the wrong hands means that it could also face huge UK GDPR related fines as a result.
Furthermore, the knock-on effect on the general public has wide-reaching repercussions. Attacks can seriously harm the provision of essential public services to residents and put pressure on already underfunded local governments.
A recent Freedom of Information request from ProLion revealed that over half of London’s borough councils don’t have a cyber insurance policy in place, in the event that they are hit by a cyber-attack. Negligence on this scale could be costly.
Navigating the cyber insurance market
The increase in ransomware attacks in recent years has made navigating cyber insurance for business more complex. New tools and tactics by hackers have created new situations and scenarios that fall outside of rigid cyber insurance policies. Insurers are therefore having to continually refresh existing policies to stay ahead of the rapidly changing cyber landscape.
As part of this, the insurance sector has been applying considerable pressure on corporate clients to get their cyber security act in order. Nothing gets the attention of the CFO more than a spike in premiums. This alone is surely helping drive cultural change within companies.
There’s no guarantee insurance policies will cover every claim either. A June 2021 report by the Royal United Services Institute (RUSI) think tank highlighted how the nascent cyber insurance industry still has much to do to ensure policies are properly constructed and underwritten. It recommends insurers do more to incentivize good cyber practices among customers.
Ransomware is impacting the day-to-day operational costs of doing business in unexpected ways. These include loss of business and revenue, damage of reputation, loss of customers and the bigger cost of remediation, not to mention the high price charged by consultancy firms to assess the damage, put a plan in place and then implement the solution itself.
What to look for in a cyber insurance policy
Cybersecurity awareness training has quickly emerged as a constant across all good cyber insurance policies. This means not only that you’re covered, but that your employees are more aware of the threats they face every day. Employees who can spot a risk before it does damage are invaluable to your business.
The best policies should also include compensation in case of a data breach that results in loss of income. This includes coverage of costs incurred for recovering, recollecting and replacing lost data. It should also cover any increased day-to-day working costs and loss of income from network interruptions.
Finally, businesses should look for a policy that covers them in case of a GDPR breach that requires investigation work. GDPR should be specifically noted under privacy regulatory actions within your policy so that it provides cover for privacy breaches caused by a loss of data.
The payment question
There is a growing consensus among governments, law enforcement agencies and insurance companies that ransoms should not be paid under any circumstances, as it not only encourages cybercriminals but there is no guarantee of ever getting the data back. There is also no assurance that the criminals won’t ask for a second ransom. Recent comments by UK government officials have also recommended not paying the ransom as it encourages criminal behavior.
The data bears this out. Research from Unit 42 has revealed that 14 percent of organizations paid cyber criminals more than once. Other data from Sophos also found that just 8 percent of companies who pay a ransom are able to recover all of their data, and 29 percent could recover no more than half the encrypted data.
Businesses should adopt a ‘defense-in-depth’ approach. This means using layers of defense with several mitigations at each layer. Organizations will then have more opportunities to detect an attack, and stop it before it causes real harm.
Steve Arlin is VP EMEA and US at ProLion, a developer of ransomware protection and data integrity software solutions for any ONTAP focused storage environment and high-availability solutions for SAP and MetroCluster environments. Founded in Austria, ProLion’s best-of-breed CryptoSpike solution eliminates system downtime and data loss risk and ensures that an organization’s data remains secure, compliant, manageable and accessible.