Managing the Costly Risk of Ransomware
Published: March 28, 2022
As the threat of ransomware attacks grows each day, Mutual of Omaha is working on new ways to counter the risks. Check out this article for some easy steps you can implement at your company today to protect your data.
There’s an actuarial motto that states, “risk is opportunity.” That’s become obvious today as many companies have rolled out brand-new insurance products in response to the growing risk of ransomware. (Pricing these products must be scary!)
In this article, we’re going to take a closer look at ransomware and some ways companies can combat it. (Sorry, no insights on how Mutual of Omaha is ACTUALLY fighting it because ... you know ... it's intended to be a secret. And honestly, I don't know and really don't want to know how we do it.)
So, What is Ransomware?
A common scenario today often plays out something like this: A hacker accesses a company’s network. They then have the choice to a) start deleting files, b) start exfiltrating files that have personal or proprietary information, c) leave immediately, or d) start encrypting those files. For a while, most companies and people were concerned about b), but lately d) has been taking center stage. In addition, many times these hackers are doing hacker things for fun AND profit because after they have encrypted the files, they then demand a ransom.
Most of the time ransom is demanded in bitcoin, due to its pseudonymous anonymity and ease of transfer. Then, in many cases, the hacker actually turns out to be kind of nice and unencrypts the files after receiving the payment. Some may even tell you how they got in so you can protect your data from other hackers. Cybercrime is weird that way. It's like the pirate code or some sort of gentlemen's/ladies' agreement that applies only in cyberspace.
Ransomware is the software the hacker uses to encrypt the files. Generally, it’s difficult — if not impossible — to stop it from succeeding. Earlier this year, the Health Service Executive of Ireland (like U.S. Medicare) had to shut down its IT systems because of a ransomware attack. (To be fair to the hackers, they usually leave the health systems alone because they just want the money. They don't actually want people to die.)
Similarly, the Colonial Pipeline was also shut down because of a ransomware attack. It paid a ransom of 75 bitcoin. The government was able to recover about 64 of them.
Protection from Ransomware
Good news! Mutual of Omaha has an IT security team committed to protecting us from ransomware attacks. Even “gooder” news, they're regularly thinking up new ways of protecting us, communicating with their peers and having regular conversations with experts in the space. We're learning, literally daily, how other ransomware attacks have happened and how we might prevent them.
One way that seems to be effective is by training people not to be tricked into giving away their passwords (e.g., phishing training). Scanning attachments for known bad software is another way. Limiting system access is a third. Regularly creating backups (and testing the restoration of those backups!) is a fourth.
While not 100% effective, these four techniques used in concert can be useful for managing ransomware risk.
I mentioned earlier the actuarial motto, "Risk is opportunity." In the case of ransomware, the risk has created some new opportunities. Several companies have begun pricing and selling cyber insurance that assists with protecting a business, consulting if/when a ransomware attack occurs and paying insurance to cover the ransom demanded by the hacker group.
These options can be expensive, but are useful for outsourcing some cyber risk to a third party. As an actuary, pricing this makes me a bit nervous (low frequency, high severity, lack of a lot of historical data!).
So, next time a suspicious email comes through, you might want to hit that “Report Phishing” button in your inbox. You don't want to be responsible for having to negotiate with cyber terrorists.