Here at Nelson Bostock, we’re talking cybersecurity week in, week out thanks to our mix of clients that tap into this sector. So, it doesn’t take Cybersecurity Awareness Month for us to indulge in the latest news, but it has been a particularly interesting few weeks in terms of industry news.
The US initially took the lead with some bold commitments
Biden’s administration took the lead early in the month by announcing a range of measures to help bolster the U.S. governments’ understanding of the ransomware threat and how cybercriminal enterprises operate.
In fact, he set his stall out early, by kicking-off Cybersecurity Awareness Month with an official statement on Oct 1st that outlined his commitment to “strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security.” What followed was a series of specific commitments against this pledge.
First off, a new law was proposed to compel U.S. businesses to disclose any ransomware payments made in the event of a cyberattack within 48hrs of the transaction taking place.
Following that, the Transportation Security Administration made a commitment to introduce regulations to compel high risk railroad and airport operators to improve their cybersecurity procedures by naming a chief cyber official, commit to disclosing attacks and ensure draft recovery plans are in place if an attack occurs.
And finally, it was the announced that Biden has committed to setting up a National Cryptocurrency Enforcement Team to crack down on the misuse of digital currencies, an act that feels directly related to the severity of the DarkSide ransomware attack on Colonial Pipeline in May, which shut down the major U.S. fuel pipeline that supplies an estimated 45% of diesel, gasoline and jet fuel to the East Coast, for several days.
I’m sure there is more to come before the month is out.
According to the recently launched CB Insights Cyber Defenders 2021 report, the U.S. is also leading the way when it comes to creating a healthy business environment for cybersecurity companies to thrive. CB Insights estimate that 75% of the 2021 Cyber Defenders are headquartered in the US — mostly in California.
U.S. and UK appear unified around Ransomware
It’s not just the U.S. that is concerned about the impact of cybercrime, specifically ransomware attacks, to impact critical infrastructure and cause real damage. Just this week Lindy Cameron, the head of the National Cyber Security Centre (NCSC), spoke at Chatham House’s Cyber 2021 Conference and in her speech, she claimed ransomware and Covid-related cybercrime to be one of the ‘biggest threats to UK security’, adding that cyberattacks linked to the Covid-19 pandemic were also likely to be prevalent for many years to come.
Echoing the narrative that it doesn’t pay to pay, she set out a clear warning to companies in the UK that there is no guarantee that paying a ransom will result in cybercriminals returning encrypted files or sensitive data and in fact, paying ransoms has the potential to embolden these criminal groups.
Something our client, Sophos, has been saying for a long time. Earlier this year, we launched the findings of Sophos’ 2021 State of Ransomware report, which revealed that of the companies that paid the ransom, on average, only 65% if their data was recovered. In fact, only 8% of companies managed to recover all their data, and 29% recovered less than half. One you’ve paid, you still have all the remediation work to address the damage of the attack and the associated disruption to the business to deal with.
We’re speaking to press every couple of days supporting Sophos’ mission to regularly engage with and add value to the security community, feeding journalists the highlights from SophosLabs to ensure business can stay protected against the latest threats and one thing is clear, Cybersecurity Awareness Month or not, ransomware is the biggest topic in the industry right now and has relevancy for every business.
Lindy Cameron’s call for businesses to be prepared, to build cyber resilience and make cybersecurity a board-level issue, has to resonate. Summarising her first year in the role, she states that “the vast majority […] of these high-profile cyber incidents can be prevented by following actionable steps that dramatically improve an organisations’ cyber resilience.”
Her revelation that many firms still have no incident response plans or processes in place to test their cyber defences, after the eventful year we’ve had, is hopefully the wake-up call those trailing behind need. With all the advice flying around from cybersecurity companies this month, let’s hope some of it sticks!