Holding companies hostage through ransomware is a thriving business. Three big assumptions about the practice that can prove fatal are detailed here. Truly, the only assumption companies should make concerning ransomware and other threats to cybersecurity is that the risks today are already far greater than they were yesterday.
Did you hear about the June ransomware attack on KQED TV and radio in San Francisco? The stations were still dealing with the fallout five weeks later. TV stations, just like any business that relies on web-connected technology, need to be prepared for the increasing likelihood of a cyberattack.
I guess it shouldn’t be a surprise that ransomware is a thriving business. Steve Ragan of CSO News recently reported that the industry mirrors that of legitimate software solutions. It’s composed of developers and sellers whose customers are the criminals who buy and deploy the malicious code. The more than 45,000 products available range from a basic $10 offering to customized code costing $1,400 or more.
Carbon Black, which did the research cited in the Ragan article, says some ransomware developers are making $100,000 or more annually. With businesses reported to have spent more than $1 billion on ransomware payments in 2016 alone, cybercrime appears to be a low overhead, highly profitable business. It’s no surprise that bad guys continue to buy and launch these crippling programs.
Patricia Kocsondy, a Chubb SVP of North America financial lines and a media professional liability product manager, says the recent wave of attacks including WannaCry, Goldeneye and NotPetya is making people rethink common assumptions about cyber risks and security. In the September-October 2017 article she wrote for MFM’s member magazine, The Financial Manager, Kocsondy identified “three big assumptions” that media companies need to rethink.
‘I’m Not a High-Risk Candidate’
The first is believing that only businesses that store information like credit card or health data that may be financially valuable to a cybercriminal need to be vigilant.
The reality, as Kocsondy points out, is that “valuable material such as content, newsgathering sources and information about employees (especially high-profile personalities) is susceptible to extortion tactics.”
There’s also a broader reason for any business to recognize it’s at risk: “Cybercriminals understand that for a company to succeed, it must operate and serve customers on a regular basis — without business interruptions.” For TV stations and other media companies dependent on advertising and/or subscriptions, having those revenue streams held hostage poses a significant financial risk.
‘I’m Too Small To Be A Target’
The second false assumption is that cybercriminals attack only large, high-profile companies. Small businesses that aren’t well known frequently take comfort in the belief that they aren’t likely to be a target.
In reality, ransomware is indiscriminate; the virus or worm exploits vulnerabilities in all company networks — large, small and in-between. ScienceAlert.com found that WannaCry infected more than 230,000 computers in more than 150 countries in a single day.
Perversely, the size of the ransoms being demanded from smaller companies may actually be fueling the ransomware economy. A few hundred dollars, payable in an anonymous cryptocurrency like Bitcoin, can seem like a small price to pay to get back to business quickly.
While this may be the path of least resistance, it comes at a bigger price. As long as the cybercriminals who buy ransomware profit from using it, there’s financial incentive for suppliers to develop and sell those tools.
Kocsondy also points out that news reports tend to focus on large or well-known corporate victims rather than the “countless smaller businesses” that are regularly attacked. In addition, since smaller businesses typically lack the financial resources and expertise to implement high-level cybersecurity measures, they’re actually more susceptible.
‘My Business Has More Pressing Demands’
The third assumption is that delaying an investment in cybersecurity is good fiscal policy because it frees up cash for other, more pressing needs. Despite the numerous challenges requiring their immediate attention these days, midsize and smaller media companies literally cannot afford to postpone cybersecurity investments.
“Even a brief business interruption can cause brand and reputational damage,” Kocsondy warns. “Advertisers or subscribers may think twice about doing business with a company that appears unable to stay on the air or go to press on time.” There’s good reason for concern. The State of Ransomware report sponsored by security firm Malwarebytes found that 20% of companies that had experienced a cyberattack ultimately went out of business.
Considering the issue from this perspective underscores the importance of taking certain precautions. They include adopting such best practices as keeping software current; effective patch management; firewalls; daily offsite data backup; and network segmentation.
In addition to these measures, organizations need to foster proper password hygiene (sophisticated passwords changed regularly) and train employees to recognize and report suspicious emails.
There’s No Easy Fix
Simply paying the ransom does not end the crisis; it compounds the problem. In some cases the decryption software may unlock only a portion of the infected data, there may be no decryption key at all, or the unlocked data may be infected with additional malware that acts as a time bomb programmed to inflict further damage.
Additionally, as noted above, companies paying a ransom contribute to the growth of the ransomware market.
Once an organization suffers an attack, it must deal with a plethora of questions, including “How did the cybercriminals get into the network?” “Did they see or take confidential information?” “Are they still in the network?” “Could this happen again?” and “Must we inform advertisers, subscribers, customers, business partners and/or regulators about the attack?”
Kocsondy counsels that resolving these questions typically requires the assistance of forensic investigators, legal counsel, and crisis management consultants. These specialists help to determine which systems and files have been accessed or corrupted as well as the legal and financial reporting ramifications.
They are also skilled in providing public relations support and, as we have seen in higher profile cases, establishing call centers, credit monitoring, and identity restoration services.
Cyber insurance policies can help defray these costs. Insurance companies such as Chubb, the only casualty company to receive MFM’s endorsement, also offer resources to help companies assess their risks and prepare themselves to respond to a cyberattack.
TV stations should also become acquainted with the resources available from the NAB, which “has embarked on a cybersecurity evangelism and education program.” Resources include two publications: The Essential Guide to Broadcasting Cybersecurity and 35 Critical Cyber Security Activities All Broadcasters Should Know, which may be found on NAB’s website.
With so much at stake for media companies, and a lot of it financial, MFM is hosting a number of events to give media financial teams access to cybersecurity experts.
On Nov. 15, the association is offering a free local event in Boston featuring Chubb speakers Christopher O’Connell, VP of financial lines, and Lisa Ryder, AVP and claim manager for the firm’s media, cyber and lawyers E&O lines. They will be discussing examples of cyber claims involving media industry companies, including the causes of these breaches, how they were handled, the ultimate outcome, and lessons learned. These same topics are also on tap for local events planned for Washington and Los Angeles after the first of the year.
Additionally, John Graham, VP and cyber product manager for commercial insurance at Chubb, and Tony Dolce, VP of North American financial lines claims for Chubb, will share their experiences with cybersecurity issues affecting media organizations at the industry’s 2018 CFO Summit, being held March 8-9 in Fort Lauderdale, Fla.
Graham was a contributing member of the Insurance Services Office Cyber and eCommerce Panels, the American Insurance Association Cyber Working Group and the Department of Homeland Security Cyber Incident Data and Analysis Working Group.
And Dolce, who currently has North American claims responsibility for the cyber line of business, has also managed Chubb’s media line during his 16 years with the firm.
In the meantime, a copy of Patricia Kocsondy’s article will be available to non-members for a few more weeks on the MFM website. We hope you’ll take a few minutes to check it out, as well as the information available through the NAB, NIST and cyber insurance providers like Chubb.
Truly, the only assumption companies should make concerning ransomware and other threats to cybersecurity is that the risks today are already far greater than they were yesterday.
Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary, the media industry’s credit association. She can be reached at [email protected] and via the association’s LinkedIn, Twitter, or Facebook sites.