The Parliamentary Joint Committee on the National Security Strategy met on 3 March to hear expert evidence on the threat that ransomware poses to UK economic prosperity and national security. The panel consisted of an executive from an insurance company, a researcher from the Royal United Services Institute and a senior academic from the University of Oxford. The session was a follow-up to two earlier reports on ransomware, published in 2023 and, most recently, in March last year.
Online organised crime, and the use of ransomware in particular, continues to grow despite increased law enforcement efforts to disrupt the groups and their activities. In the last couple of years there has been a marked shift in tactics. As larger, wealthier organisations have invested in and upgraded their cyber defences, the SMB sector has seen a rise in successful attacks, alongside a surge in attacks against the supply chain.
Fragmentation of the cyber eco-system
Whilst tactics have changed, the threat actors have largely remained the same since 2021. The underlying threat and the business model of the groups have not really altered, although the cybercrime eco-system has become more fragmented. This is largely the result of law enforcement activity, which has yielded some arrests, and of groups imploding as suspicions are roused and trust among thieves breaks down. In the early days of the ransomware era it was possible to predict criminal behaviour; this is increasingly not the case. There are arguably fewer rules governing that behaviour, and a growth in lone-wolf actors with few scruples has been noticed, the targeting of hospitals, schools and other public services being a prime indication of this change in stance. A fragmented eco-system is proving far more dangerous than one that was relatively well contained and understood.
Ban on ransom payments
In terms of combating ransomware, there has been much political talk of implementing and enforcing a ban on ransom payments, particularly where the targets are in the public sector or are private-sector businesses operating regulated critical national infrastructure (CNI) services. The view of those giving evidence was that a payment ban would not deter attacks against the UK, because ransomware is opportunistic by nature, preying on the vulnerable, of whom there are numerous targets. Whilst paying a ransom is not a desirable outcome, banning payments to ransomware operators is unlikely to reduce the number of ransomware attacks. Even if a ban somehow removed the threat of ransomware, it would not necessarily remove the threat actors who, given their ‘entrepreneurial’ nature, are likely to pursue alternative means of generating illicit revenue, and the process starts again. A payment ban also does nothing for the impacted organisation in the meantime: it remains unable to operate normally and still has to recover from the attack, now without the option of paying.
Supply chain vulnerability
The panel then considered the supply chain and the fact that, despite numerous high-profile breaches and business-impacting attacks, it remains as vulnerable as it ever was. Returning to the ban, it was noted that a ban on ransom payments might force organisations to take security seriously and invest more heavily in their ability to detect and withstand an attack. The question nobody was prepared to answer was “how would a ban be enforced?”. Whilst the public sector would have to follow central government guidelines, these do not necessarily apply to the private sector, where paying becomes a business decision taken for purely economic and operational reasons: to recover and get on with the business of serving customers.
Improving overall resilience
Moving on, the panel considered how organisations can make themselves more resilient. Encryption by ransomware is one thing, but increasingly it is extortion and threats of other kinds that are driving businesses to pay the ransom, and there is a growing threat of physical sabotage if demands are not met.
Insurance is no substitute for investment in security
The topic of cyber insurance was also covered, along with developments within the insurance industry to make cover easier to obtain. The uptake of cyber-specific insurance policies by businesses of all sizes has increased year on year. In the early days it was extremely hard to obtain cover, but barriers to entry are dropping, as noted in the evidence. Many organisations are seeking insurance and using the application process as a security health check, to better understand their posture against the industry-relevant governance benchmarks their insurer provides. However, whilst cover is accessible to larger enterprises, uptake among SMBs remains low. What did come out of the questioning was that holding a dedicated cyber insurance policy should not be used as a reason to reduce the overall business investment in security. An insurance policy covers you for when things happen: the unexpected cost of incident response, recovery and business disruption. It covers the cost of external consultants and legal fees and, subject to the policy wording and to whether they are legally insurable, regulatory fines if you are found liable. It is what it says it is, insurance; it does not stop threat actors targeting your vulnerabilities.
Our advice and how we can help
So what can you do? For most businesses starting out on their cyber security journey, we would recommend reviewing your security posture against the NCSC-backed Cyber Essentials scheme and certifying to that standard as a minimum. For many organisations, particularly those supporting the supply chain, extending this to Cyber Essentials Plus, which adds an independent technical assessment of the same controls, would be more appropriate.
Redcentric can help you achieve this: we are a Cyber Essentials certification body and can advise you on implementing the controls and guide you through the certification process. Additionally, we can provide a range of security, risk and resilience advisory services, including threat intelligence, vulnerability management and more general security consulting and testing, to support you in strengthening your defences against the ever-growing threat of ransomware.
We also work with a leading cyber insurance broker who can tailor policies and obtain preferential premiums for Redcentric customers who are able to meet their assessment standards. Get in touch today for your initial free consultation with one of our cyber advisors to see how working with Redcentric can enhance your security posture.