In my articles in previous editions of Housing Technology, I focused on the issue of ransomware for housing providers’ IT teams, and with good reason. Sophos’ latest ‘State of Ransomware 2022’ report demonstrates why ransomware continues to be an ever-increasing threat and why investing in anti-ransomware technology is preferable to dealing with the consequences of an attack, however good your cyber insurance might be!
The survey, carried out by independent research company Vanson Bourne at the start of 2022, involved over 5,000 respondents from 31 countries and across all sectors. All were mid-sized organisations, with 100 to 5,000 employees.
Increase in ransomware attacks
IT professionals were asked to reflect on their experience of ransomware during 2021; the responses revealed that compared with 2020, the number of attacks had increased by a staggering 78 per cent, ranging from impacts on single devices to more significant breaches. The UK fared better than some countries, with 57 per cent saying that they had been compromised vs. a global 66 per cent, but it still shows there is no room for complacency. We can’t drill down to the national figures for different business sectors, but if we look at the worldwide responses from ‘property and construction’, 63 per cent had reported being hit by ransomware.
What caused this surge in the number of attacks during 2021? A significant factor is likely to be the growth of the ‘ransomware as a service’ (RaaS) business model. Professional ransomware operators hire out their services and code to enable their affiliates (who often lack the necessary skills) to attack others. It’s unsettling to think that these tools can be bought like legitimate services (and easily, too), albeit mainly through the ‘dark web’.
Not only are adversaries getting better at delivering ransomware, but they are also encrypting more data – 65 per cent of attacks resulted in data encryption in 2021 vs. 54 per cent in 2020, and nearly 60 per cent said that the complexity of attacks had increased.
Data retrieval
The findings weren’t all negative; the percentage of respondents that got some of their data back after a breach had increased by three per cent since the previous year. Organisations used various methods to do this, including back-ups and ransom payments, with the average UK ransom payment being around £127,000. However, there is a large caveat here: of those organisations that paid up, only four per cent got all their data back, and there are ethical considerations involved in this choice.
Even if your organisation does manage to retrieve a large proportion of its data, the consequences of a significant breach still have far-reaching effects. In the survey, 90 per cent of respondents said that the attack had affected their ability to operate – the average time to recover from a breach was one month and the average remediation cost was just over a million pounds.
Cyber insurance can mitigate some of these costs, and over three-quarters of UK respondents did have some form of insurance policy, yet it’s not perfect. The cost of the premiums is rising, and 94 per cent found it harder to secure over the last year. In addition, there are exclusions and limits as with any insurance policy (reading the fine print is essential) and some policies don’t even cover ransomware.
Cyber insurance
It’s wise to have cyber insurance, but taking a proactive rather than reactive stance against ransomware pays dividends. Purchasing effective anti-ransomware security products and services will not only help you secure the best and most cost-effective cyber insurance cover (64 per cent of respondents had implemented new technologies/services to improve their insurance position), but will also protect against losses that insurance policies can’t mitigate.
In addition, when you handle sensitive personal data within your housing organisation, it feels ethical to provide the maximum protection to your tenants to prevent their data from being published on the dark web. For example, in March 2022, the ‘Conti’ ransomware group stole data that compromised eight housing providers in the Netherlands, and approximately eight gigabytes of data was published online. Data included copies of tenants’ driving licences and passports as well as bank details, addresses and phone numbers, all of which are like gold dust for identity thieves.
Address the root causes
Although it’s understandable, organisations shouldn’t just focus on fixing the immediate problem of getting their data back and restoring business continuity. Using an analogy from the natural world, you can see an invasive weed in your garden, but you can’t usually see its root system. Even if you remove the visible part of the weed, the root system may remain underground for the plant to re-emerge, triumphant because it had never really gone away. Similarly, you can remove the ransomware and restore your services, but if you don’t spend time looking at the root cause of the attack, it leaves the door open for cybercriminals to return.
So how can you ensure that you have the optimal protection across your housing operations? Here are my eight tips:
- Make sure you have the best quality defences across your whole network, including firewalls, servers, endpoints and mobile devices, then continually assess whether they meet your needs.
- In today’s threat landscape, you must proactively hunt for threats to help stop the cybercriminals before they can execute their attack. You can no longer be passive, and if you don’t have the time or skills in-house to do this yourself, consider outsourcing to a managed detection and response (MDR) specialist. Sophos’ Managed Threat Response (MTR) is one such service.
- Concentrate on hardening your environment by identifying and eliminating gaps in your security, such as unpatched devices, unprotected machines and open RDP ports. Extended Detection and Response (XDR) helps with this.
- It is wise to prepare for how your organisation would respond to a cyber incident, so having a well-rehearsed incident response plan is crucial.
- Make regular backups, including offline copies, and practise restoring from them. In the event of an attack, your aim is to get up and running quickly, with minimal disruption.
- Use multi-factor authentication (MFA).
- Use complex passwords managed through a password manager.
- Limit access rights – give end-users and administrators only the access rights they need and nothing more.
If you’d like more information, we’ve a plethora of resources about ransomware and how to protect against it at sophos.com/ransomware.
Jonathan Lee is the director of public sector relations at Sophos.