Inside Internal Controls

News and discussion on implementing risk management

New information about cyber risk is alarming

Every organization should plan for a ransom attack and cyber risk in general, and then assess whether the preparations are adequate.

As a member of the Institute of Risk Management, I receive a copy of the excellent Enterprise Risk magazine. The Summer 2018 issue includes a summary of the results of the 2018 Sentinel One Global Ransomware Report. Here are some key excerpts:

  • Six in ten (56%) report that their organisation has suffered a ransomware attack in the last 12 months, compared to under half (48%) who said the same in 2016. Those whose organisation has suffered a ransomware attack in the last 12 months have had to defend against five ransomware attacks during this period, on average.
  • Of those whose organisation has suffered a ransomware attack in the last 12 months, 69% say that the ransomware attacker was able to gain access to their organisation’s network by phishing via email or social media network. Around two in five report that access was gained by a drive-by-download caused by clicking on a compromised website (44%) and/or an infection via a computer that was part of a botnet (42%). The type of devices/systems most likely to be impacted by the ransomware attack(s) are desktop PCs (80%), servers (57%) and mobile devices (38%), while the types of data that are most likely to have been affected in the past 12 months were employee (45%), customer (38%) and product (37%) information.
  • According to around half of respondents whose organisation has suffered a ransomware attack in the last 12 months, the ransomware attack was successful because an employee was careless (51%) and/or anti-virus was in place but it did not stop the ransomware attack (45%). Almost all (94%) cite that there has been some impact on their organisation because of ransomware attacks in the past 12 months, with the greatest impacts being an increased spending on IT security (67%) and a change of IT security strategy, to focus on mitigation (44%). Furthermore, more than one in ten report that their organisation has received negative press/bad publicity (14%) and/or seen senior IT staff lose their jobs (14%).
  • Of those whose organisation has suffered a ransomware attack in the last 12 months, the average estimated business cost as a result of the ransomware attack(s) is £591,238. Furthermore, only around a third (34%) of respondents report that their organisation’s third party suppliers or partners were not affected by the attack, while 40% suffered downtime as a result.
  • When considering all the ransomware attacks that their organisation has experienced in the last 12 months, less than half (46%) of respondents say that their organisation did not pay a ransom because they decrypted the data themselves/had backups. In contrast, around one in five (19%) admit that their organisation paid the ransom demanded by the attacker every time.
  • According to respondents whose organisation, or the organisation’s insurer, has paid some or all of the ransom(s) demanded by ransomware attackers for an attack in the last 12 months, the total value of the ransoms paid in this period is £34,845 on average, and the largest value that their organisation has ever paid is £34,514 on average.
  • Nearly six in ten (58%) report that even though their organisation paid the ransom, the extortionist tried to extort a second ransom after receiving the first payment and around four in ten (42%) say that the extortionist did not decrypt the affected files despite receiving the payment.
  • Over three in four (76%) respondents whose organisation has suffered a ransomware attack in the last 12 months have been able to determine the identity of the attacker(s) involved, with the most likely attacker being organised cyber-criminals (53%).

I find the frequency of attacks to be surprisingly high and the extent of damage surprisingly low. Since it looks like the hackers are encrypting the organization’s files and demanding a ransom for decryption, having a reliable back-up is critical. But, even so, the cost to recover and restore is expensive and the process is disruptive.

Every organization should plan for a ransom attack and assess whether it is adequately prepared.

The second useful piece of information comes from Black Hat. In their 2018 report, Where Cybersecurity Stands, they say:

  • Now more than ever cybersecurity professionals are questioning the future of privacy and the safety of personal identity as a result of the recent Facebook investigation, development of GDPR and various data breach reports. Influenced by these factors, only 26% of respondents said they believe it will be possible for individuals to protect their online identity and privacy in the future – a frightening opinion as it comes from experts in the field, who in many cases are professionally tasked with protecting such data. They’ve also reconsidered their Facebook usage – with 55% advising internal users and customers to rethink the data they are sharing on the platform, and 75% confessing they are limiting their own use or avoiding it entirely.
  • IT security professionals have very little confidence in the federal government’s ability to understand and respond to critical cybersecurity issues. Only 13% of respondents said they believe that Congress and the White House understand cyber threats and will take steps for future defenses. Respondents also cite foreign affairs as an issue – 71% said that recent activity emanating from Russia, China, and North Korea has made U.S. enterprise data less secure.
  • 60% of security professionals expected a successful attack on U.S. critical infrastructure – that data point has risen almost 10% in 2018. Who do they think will likely be behind such an attack? More than 40% of those surveyed believe that the greatest threat is by a large nation-state such as Russia or China. The thought that such an attack will be successful, again, stems from the industry’s lack of confidence in the current administration – only 15% of respondents said they believe that U.S. government and private industry are adequately prepared to respond to a major breach of critical infrastructure.
  • Staying consistent over the past five years and across the U.S., Europe and Asia – nearly 60% believe they will have to respond to a major security breach in their own organization in the coming year; most still do not believe they have the staffing or budget to defend adequately against current and emerging threats.

I keep coming back to the same points in my writing and speaking:

  • Do you understand how a cyber breach would affect the achievement of your enterprise objectives? Assessing the ‘risk’ to an information asset simply is not enough IMHO to help those holding the budget strings know how much to invest in cyber security.
  • Is it realistic to expect your in-house staff to provide sufficient prevention and detection?
  • How long would it take you to detect a breach and know what damage is being done?

I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.