Extortion money

Somebody recently asked me “Don’t we have cyber insurance to pay ransoms?”

Technically, yes. But I have an issue with paying ransoms: by doing so we increase the availability of tools, advance their sophistication, and make the people behind the attacks stronger. That accelerates the pace and effectiveness of attacks, so by paying ransoms we are adding to the problem. When an organisation gets owned, it has been caught out, and it needs to own that. It’s hard, but it’s that simple.

Why do we get compromised?

RDP servers facing the internet. Users with weak passwords and no MFA. Privileged access that is poorly managed. Weak web servers… The attacker establishes a foothold through a compromised credential, lateral movement and privilege escalation take place, and the keys to the kingdom are lost. There are not many truly sophisticated attacks these days, Solorigate being an obvious example of one. But the level of organisation, and the funding behind bad actors, has reached an industrial scale. So wherever we leave gaps, the likelihood of being taken out increases.

Vicious cycle

Over time this will increase the cost of insurance as the frequency of attacks rises. So the best thing an organisation can do is own its mess, restore its services, and come back stronger. Insurance can help here, but in some cases you can never fully recover trust without a complete rebuild. Depending on what the business does, that could be fatal. For some, having lost trust at all would be enough.

It is far better not only to plan and be fully prepared for recovery, but also to put resources into managing our assets, controlling privilege, and ensuring identity integrity stays intact. Make it as hard as possible for attackers to take us down in the first place. This doesn’t need all the AI, blockchain, machine-learning wizard magic under the sun; a few basic principles followed consistently will go a very long way.

Get basics done

Decide what good looks like, draw a line in the sand, build all new services to that standard, and block the ability to build outside those guardrails. Then remediate or replace any older kit that remains a threat.

