Maksim Kabakou - Fotolia

To fight ransomware, we must treat digital infrastructure as critical

Ransomware defence is failing because we don’t view our digital infrastructure in the same way as our physical infrastructure, argues Elastic’s Mandy Andress

While ransomware remains one of the top cyber security concerns for organisations today, the state of ransomware defence is failing.

Historically, organisations have relied on a combination of people, process and technology to thwart cyber threats – from regular software patches and backups to threat modelling and password awareness – but these tactics alone are not enough to successfully mitigate increasingly sophisticated ransomware attacks.

Ransomware defence is failing because it is viewed as a technical or organisational problem when, in fact, it is an economic one. The world’s economies are largely dependent on the movement and distribution of data, so our digital infrastructure should be scrutinised with the same urgency as our critical physical infrastructure.

It’s all interconnected – the same ransomware attacks that have caused fuel shortages and transportation delays have also affected people’s ability to receive access to healthcare or find what they are looking for at the grocery store.

By recognising ransomware as an economic problem, we have the opportunity to mobilise a more effective response. Here is where to start.

Security should not be a luxury

The security industry must acknowledge the existence of a security poverty line and the growing collection of companies that don’t have the budget or resources to properly secure their environments. This security poverty line is causing an ever-shrinking “middle class” that has separated organisations into two groups – those that can afford to implement critical security measures and those that cannot.

At its foundation, the cause of the problem is the multitude of software suppliers that charge a premium for fundamental – yet necessary – security features such as encryption, single sign-on (SSO) and multifactor authentication (MFA). Companies unable to pay the premium for these capabilities are naturally more exposed to cyber security threats such as ransomware and are ill-equipped to respond when they suffer an attack.

Fundamental security features can no longer remain a luxury; they must be commodities. As consumers, when we drive up to a petrol station, we expect fuel to flow from the pump and into our vehicles. Access to critical security features should be no different for every company in the world. Just like the minimum standards we have for critical infrastructure, software suppliers need to support minimum and universal standards that raise all organisations above the security poverty line.

De-stigmatise ransomware shame

There is a strong culture of shame within organisations around ransomware, and companies are often too afraid or embarrassed to admit they have been the victim of an attack for fear that it will damage their reputation, result in hefty fines, or cause panic among customers and other stakeholders. In fact, some ransomware attackers will even use this to their advantage by employing “name and shame” tactics with their victims in an effort to force them to pay a ransom.

Also, some of the largest and most successful ransomware attacks have been orchestrated by powerful nation states, which makes it nearly impossible for a single organisation to protect itself effectively. During the pandemic, for example, the healthcare industry was overwhelmed with ransomware attacks driven by nation states trying to obtain data and research on Covid-19 vaccines, and many small, independent labs didn’t have the proper resources or skills to mitigate these attacks.  

However, increased ransomware risk doesn’t only apply to organisations below the security poverty line. Operation Aurora in 2009-10 was a series of cyber attacks targeting private sector companies and successfully compromised the networks of Yahoo, Adobe, Dow Chemical, Morgan Stanley, Google and others to obtain intellectual property. If major corporations with ample security resources can fall victim to ransomware, organisations should recognise that shame is unwarranted. All companies are at risk.

Normalise information-sharing about ransomware

Because many companies don’t report ransomware attacks when they happen, one of the major challenges to combating ransomware is knowing how, when and where attacks occur. Security teams can only react and respond to what they know, so this lack of transparency and awareness has, in turn, given attackers an advantage. To overcome this, we need to normalise information-sharing about ransomware.

Government agencies such as the National Cyber Security Centre (NCSC) or the Cybersecurity and Infrastructure Security Agency (CISA) have been established to enable information-sharing between government and private industry. Mechanisms for distributing valuable information (collective databases) exist in most countries, and organisations should leverage them.

Normalising information-sharing about ransomware can create more trust between private industry and government, and motivate organisations to be transparent without fearing negative consequences. Importantly, collectively sharing information allows organisations and their security teams to better identify and understand threat trends and patterns while creating opportunities to mobilise a national or global response.

When it comes to ransomware, we know we can’t afford a failure of imagination. The increasing rate of ransomware attacks surpasses even the rate at which data volumes are growing. Mounting an effective defence requires treating our digital infrastructure like critical infrastructure and making a coordinated response across government and private industry.

Mandy Andress is chief information security officer at Elastic.

Read more from the Security Think Tank

Read more on Hackers and cybercrime prevention