Lessons learned from 633 destructive ransomware events

The threat landscape continues to see rapid evolution, especially as the digital world grows increasingly connected and more organizations outsource business services. Adversaries are getting smarter, and their techniques are getting more advanced by the day. This has put a spotlight on the security of our global supply chain and how unstable and unprotected it is.

In fact, software supply chain attacks have tripled in 2021. Risks and disruptions within an organization’s supply chain can ripple outward and ultimately impact its business, and the potential damage is immense. Research shows that a data breach affecting multiple parties causes 26 times the financial damage of the worst single-party breach.

While there are many business benefits to outsourcing work, doing business with outside parties also introduces new security challenges. Organizations that rely on third- and fourth-party vendors need a robust third-party risk management plan in place to keep their sensitive data protected.

Despite supply chain risk being a well-known threat by now, many organizations are struggling with staffing shortages and do not have the time or experience necessary to handle complex supply chain security. In addition, traditional cyber risk assessments are static and only account for a specific point-in-time. Today’s dynamic, complex digital world requires continuous, integrated risk information on multiple tiers, which is essential to identifying supply chain vulnerabilities and enables proactive detection, remediation, and prevention.

So, how do you minimize the likelihood of your key vendors falling victim to a ransomware attack? Do business with vendors that practice good cybersecurity hygiene. But, how do you know which vendors don’t have good cybersecurity hygiene?

The RiskRecon team recently analyzed 633 publicly disclosed ransomware events occurring between 2017 and 2021 in an effort to learn from the past. Here are the top five takeaways, along with practical tips to mitigate your supply chain risk and third-party risk. Let’s dive in.

Insight 1: Your suppliers must have good cybersecurity hygiene

This is a given, but it’s worth noting that some of your suppliers may not have good practices in place when it comes to protecting their data.

Based on RiskRecon’s comparison population of cybersecurity ratings and assessments of over 100,000 entities, companies that RiskRecon observes to have very poor cybersecurity hygiene in their Internet-facing systems (a ‘D’ or ‘F’ rating) have about a 40 times higher rate of destructive ransomware events in comparison with companies that have clean cybersecurity hygiene. In fact, only 0.03 percent of ‘A-rated’ companies were victims of a destructive ransomware attack, compared with 1.08 percent of ‘D-rated’ and 0.91 percent of ‘F-rated’ companies.

It’s important to know who you’re working with, and that you trust working with them. Otherwise, you are voluntarily opening your organization up to an attack.

Insight 2: Criminals are targeting everyone — Assess your supplier inherent risk ratings

From 2017 through 2021, criminals successfully detonated ransomware in companies across 54 different industries, with healthcare and education being the most targeted sectors.

It’s important to update your supplier inherent risk rating model to factor in operational dependency and apply the new model to every vendor. Once the threat of ransomware to supplier operations is factored in, you will notice a slew of additional suppliers that now land in the critical or high tier. It’s essential to uncover everything you can about the various suppliers in your supply chain.

Insight 3: Confirm your suppliers have around-the-clock security operations

Cybercriminals are working seven days a week, with no day of the week accounting for less than 12 percent of the total ransomware events. The data shows that criminals lean a bit towards detonating ransomware on the weekend, with 30 percent of all ransomware being detonated on Saturday or Sunday. The weekend skew makes sense: the cybersecurity and IT teams of many organizations are understaffed, so many suppliers do not have 24/7 security operations and measures in place.

It’s better to be safe than sorry. Rapid response to a ransomware event is essential to limiting data loss and getting on with recovering systems. Security is not a 9-to-5 job. No matter the day of the week or time of day, your organization is always at risk of getting breached. 24/7 security is key to protecting your organization. Continue to hire and expand your teams accordingly.

Insight 4: Don’t assume your vendors will harden their systems after a ransomware event

On average, a year after a ransomware event, many of the same critical vulnerabilities are still present in victim environments, unsafe network services remain open to compromise, and the communications encryption of many sensitive systems remains insecurely configured. Don’t assume that a recent victim of ransomware is getting their cybersecurity house in order – research shows the opposite.

Insight 5: Ransomware attacks aren’t going anywhere

The threat of ransomware is here to stay. According to stats from the U.S. Treasury Department, U.S. victims of ransomware paid $590 million in ransom to ransomware criminals in the first half of 2021. That hefty price tag has piqued the interest of many ransomware gangs. Reporters covering the ransomware beat identified 59 different criminal groups behind the attacks over the last three years.

Organizations should update the foundations of their program to account for the threat of ransomware. Those foundations are your risk models, information security standards, policies, and procedures. Most of the capabilities for managing ransomware in the supply chain are likely already in your program, as they are the basics of managing IT and cybersecurity well. It is just that it is now more important to ensure your suppliers are doing the basics well.

Let’s get one thing straight — no organization within the supply chain is completely safe against ransomware attacks. Ransomware threatens the operations of nearly every vendor in a supply chain. Fortunately, successfully managing the risk of ransomware requires doing the basics of IT and cybersecurity well. Unfortunately, so many organizations do not. Organizations should look to follow best practices of good cyber hygiene, prioritize assessments, and determine if a new supplier or partner is needed within the chain.

While you can outsource your systems and services, you can’t outsource your risk.

Kelly White is Founder of RiskRecon, a Mastercard Company

Author: Martha Meyer