A data breach at the credit reporting firm Equifax in early 2017 exposed the personal information of more than 40% of the US population. Equifax failed to fix a known vulnerability in their system, allowing hackers to obtain Social Security numbers, driver’s licenses, addresses, dates of birth, financial data, and other information. Equifax finally negotiated a settlement with the United States Federal Trade Commission in 2019, although the payment imposed little actual hardship on the firm, as is so frequently the case with major data breaches. Nevertheless, individual customers paid a high price for the company’s lax security: their personal information was irreparably exposed and distributed.
In economics, this kind of situation is known as an externality, wherein an action by one party hurts another party, but that second party has no recourse. Regulators have often attempted to address this externality and lessen the burden it places on consumers, but they´ve had only limited success, largely because companies have seemed happy to settle cases after the fact if that means they don´t have to make significant up-front investments in improved security.
But, significant changes are expected to occur shortly and in ways that will benefit consumers in the long run. This is due to the fact that the leaders of businesses who keep important private information are being obliged to protect their organizations against the rising danger of ransomware assaults.
Ransomware attacks – launched by hackers who use malicious software to seize and block access to company computer systems until a lot of money is paid for their release – have been in the news a lot lately. In the past year alone, ransomware attackers collected nearly 350$ million from such companies as Kaseysa, the Colonial Pipeline, Microsoft Exchange, and JBS USA, a figure that represents a threefold increase from 2019.
What explains the increase? Some important factors include the increased use of remote networks and systems during the Covid-19 lockdown, and recent growth in the cryptocurrency sphere, which has made it easier for hackers to extract ransoms.
That said, it´s worth nothing that ransomware attacks are no different from the typical security attacks that we´ve been reading about for years. There´s nothing novel about the technology they rely on. What is novel, though, is they´re attacking companies rather than consumers, and that´s changing the economics of data security.
Companies only suffer indirectly from the losses produced by their poor security attention in a classic data breach, such as the one suffered by Equifax. It explains why, according to Experian statistics, 35% of businesses have not updated their security strategies since they were implemented. According to IBM, the average cost of a data breach in the United States is $8.64 million, a cost that is frequently difficult for businesses to quantify or account for. A breach may ruin a company’s reputation and cause it to lose some revenue, although these are usually transient issues– and the overall cost of such a breach will almost surely be too diffuse for management to make it a key area of focus. Ultimately, a company´s customers suffer the most from a traditional breach because they´re the ones whose information gets exposed.
Ransomware attacks have changed the nature of the game by attacking companies rather than consumers. This change, which forces companies to pay a steep and direct price for lax security, means that managers at all sorts of companies are going to have to focus in a new serious way on improving cybersecurity and protecting their networks.
Provide continuous training and reminders to employees about the threat of phishing attacks. Of course, phishing has been around for a long time, but it is no longer just a nuisance. Attackers are becoming more serious, and a large sum of money is now at stake. Companies must guarantee that their staff understand the risks and can see warning indications. In-house phishing simulations, in which IT sends realistic-looking phishing emails to employees and then monitors their responses, can be extremely beneficial because they train employees to be vigilant, assist IT in understanding system vulnerabilities, and allow businesses to think strategically about improving their cybersecurity.
Allow employees only to download apps and software, and to use programs, that are required for work. Employees often don´t like this, because it´s so convenient to be able to use work devices for personal purposes, but firms and IT departments need to tighten up their controls on this front. Most have been too lax about this for years. It´s also important for managers to take the time to explain the need for this policy to everybody. Many third-party tools are available that can be installed on company computers and allow administrators to control which applications employees can install.
Make it a priority to patch vulnerabilities and keep systems up to date. Hackers can only execute ransomware attacks if they can get in your networks. So make that as hard as possible, by applying patches as quickly and as effectively as you can, and by updating systems as soon as new versions become available. Patch management has always been part of IT services, but in the face of new dangers, firms need to make it a higher priority.
Back up your firm´s data. If potential attackers know you can recover your information, then you become a much less promising target for a ransomware attack. Even if you can´t back up all your data, you can reduce the chance of attack by signalling that you have much of your information backed up. This can be an expensive and time-consuming job. CIOs must carefully evaluate what data to back up, how frequently, what type of media to use for backup, and the cost to restore it if and when a ransomware attack takes place.
None of these practices is new, but many firms – assuming that the costs outweigh the benefits – have yet to adopt them. But with the threat of costly ransomware attacks rising rapidly, the time to get serious has arrived.