For most organisations, ransomware is likely their biggest cyber threat – with the door to their systems most often being opened courtesy of a team member falling for a ‘phishing attack’ (an attack in which they are tricked into giving away their password).
The impact of ransomware has increased in recent years. Initially, the primary concern with ransomware attacks was that they often led to the loss of an organisation’s key data. Now there is the added impact that any confidential data may be publicly released (likely on the dark web) if a ransom is not paid.
Currently in New Zealand, we only occasionally hear about firms with a local presence having been hit by ransomware. This year that includes Travelex, Toll, Lion and Fisher & Paykel Appliances. However, thousands of New Zealand organisations have likely been impacted by such incidents and by demands to pay a ransom. And with new privacy regulations coming into force in December, disclosure will immediately be mandatory for some cyber incidents.
The legality of paying a ransom is now in question. Whilst the ethics of encouraging cyber criminals by paying ransoms has long been questioned, the United States Treasury has now indicated that organisations and their insurers risk violating regulations if they pay ransoms to cyber criminals.
Because cyber criminals may reside in countries on which New Zealand (among other countries) has placed financial sanctions, this could put New Zealanders and their organisations at risk too if they pay out a cyber ransom. There is now a potential penalty of up to 1 year in jail if a ransom ultimately ends up in a country which has sanctions on it. It’s worth noting that New Zealand has sanctions in place against North Korea, a state considered to be heavily focused on cyber attacks – with an estimated 7,000 operatives trained in cyber attack methods and cyber warfare.
The role of insurance companies may be changing too, as the cost of policies that have covered paying ransoms is expected to rise in line with the dramatic increase in ransom costs, some 10-fold since early 2019. Either that, or such policies will no longer offer direct coverage of ransoms. Add to this the legal issues with paying a ransom, and the option of having your insurance company provide this support may disappear, or at least be diminished.
It’s my opinion that organisations which don’t have informed confidence they can currently withstand a cyber-attack should promptly have a cyber security audit carried out. If you don’t already have a favoured partner to assist with cyber security matters, our team can help.