In May 2021, the United States was stunned by a ransomware attack on the Colonial Pipeline that brought fuel delivery on the East Coast to a standstill. While this attack shed light on the long-standing digital vulnerabilities in the country’s critical infrastructure, ransomware has always been quietly pummeling small and midsize American businesses.
In 2021, cryptocurrency analysis firm Chainalysis estimated that victims of ransomware paid over $692 million in extortion payments. This marked a 70% increase from the previous worst year on record (2020), and it tells only half the story. Analysis of cyber insurance claims shows that, as frustrating as it is to pay criminals to restore critical data, the total cost to the business is significantly worse.
Data from insurance broker AON projected that business costs from ransomware attacks in 2021 would top $20 billion. Worse, 70% of ransomware victims are small to midsize enterprises (SMEs) with fewer than 500 employees. This is a sweet spot for criminals because these organizations—many of which are cities, hospitals, and school districts—can’t afford to shut down, but they also suffer the most because they can’t afford the kind of cybersecurity staffing, estimated at 700,000 positions, that we see in other industries.
At Resilience, we are laser-focused on these middle-market organizations and see firsthand the pain inflicted by this menacingly profitable form of cyber crime. For this reason, Resilience worked with over 40 partners—including Microsoft, the Cyber Threat Alliance, and the U.S. Department of Homeland Security—to launch the Ransomware Task Force in April 2021.
In its first report, the Ransomware Task Force called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” This call was the driving force for the newly released Blueprint for Ransomware Defense, a set of well-regarded and widely used best practices that help enterprises focus their resources on the critical actions needed to defend against most common cyberattacks.
The Task Force built the Blueprint to advise the SMEs that comprise most of the targeted organizations. It prioritizes security controls that help build resilience to ransomware and are affordable and accessible for SMEs.
The Task Force also designed the Blueprint to equip security leaders with language they can use with non-technical executives, templates for incident response planning, and common vendor examples for each control.
Resilience contributed firsthand technical analysis of ransomware incidents drawn from its underwriting work, along with modeling of which security controls were most effective at reducing overall response costs. When underwriting accounts for ransomware risk exposure, some of the controls considered include:
- Implementation of strong backups;
- Security awareness and incident response training;
- Email security deployed across the entire enterprise;
- Advanced endpoint protection against malware; and
- Network visibility and security.
While none of this is earth-shattering to security professionals, we believe that the core value of the Blueprint lies in its ease of implementation by the partners that serve this highly targeted group of SMEs, including cloud providers, consultants, and managed service providers.
For those looking to support SMEs either internally or as a partner, the Blueprint prioritizes these controls along seven categories:
- Know Your Environment: This includes Foundational Safeguards designed to help identify which systems are core to your business’s critical operations.
- Secure Configurations: Protecting your environment begins with a strong configuration management process that determines how networks are architected and governed.
- Account & Access Management: Protects user accounts from being leveraged by a ransomware actor to gain access to critical or sensitive business data.
- Vulnerability Management Planning: Protects by keeping up to date with the nearly 18,000 vulnerabilities security researchers find every year.
- Malware Defense: Protects endpoints from attacks that can give ransomware criminals access to users’ accounts and network privileges.
- Security Awareness and Skill Training: Protects against human vulnerabilities to social engineering and phishing attacks.
- Data Recovery & Incident Response: The last line of defense is the ability to recover from an attack by backing up critical data and practicing incident response procedures that restore data promptly.
Coming back from a successful attack without resorting to extortion payments or a complete overhaul of critical systems is the other half of a cyber-resilient mindset. Resilience believes the traditional cyber insurance market has to evolve from simply transferring the financial burden of an incident toward using data and knowledge to increase the safety of customers. This virtuous cycle of security and insurance has been shown to reduce claims costs, increase patching cadence, and drive executive attention.
We are bold enough to say that the cyber resilience model must be the next evolution of the cyber insurance market. With the launch of the Ransomware Task Force Blueprint, we believe this is a concrete first step down that path, and we encourage you to join us.
Access the Blueprint for yourself here.
Davis Hake is the Co-Founder and Vice President of Policy at Resilience. Prior to co-founding Resilience in 2017, Hake managed cybersecurity strategy for Palo Alto Networks, served on the National Security Council, and was a lead author of cybersecurity legislation in the U.S. Congress. Hake is an adjunct professor of risk management at the University of California, Berkeley, and is a term member of the Council on Foreign Relations. He holds a master’s in strategic security studies from the National Defense University and a bachelor’s in international relations and economics from the University of California, Davis.