Can more be done to combat the rise and apparent success of ransomware attacks?

What is behind the rising ransomware threat, and what can businesses do to combat it?

The recent WannaCry and Petya-associated cyberattacks both highlighted the rise in ransomware and demonstrated the debilitating effect that attacks can have on organisations: by interrupting production and supply chains, resulting in financial losses, and causing reputational damage.

Within the recent Gowling WLG Digital Risk Calculator, which surveyed 999 European business leaders, two-thirds stated that external cyber risks are the most concerning category of digital threat for businesses. This risk is anticipated to grow even further, with 51 per cent of respondents believing that it will increase within the next three years. In particular, 76 per cent of businesses identified ransomware as a high risk to their business. At the other end of the scale, only seven per cent of businesses see ransomware as a low risk.

Ransomware attacks are not new. According to commentators, one reason behind the recent rise in ransomware is the increased availability of software packages to enable cyber criminals to launch attacks without the need for a certain threshold of technical knowledge or ability. Crucially, of course, ransomware attacks are meeting with success and cybercriminals are profiting from them, which is only likely to encourage further activity.

However, guidance regarding the measures that organisations can take to manage the risk is freely available and has been for some time. For example, the 10 Steps to Cyber Security guidance, now available from the NCSC - originally published by the government in 2012 and which remains largely the same - covers areas such as security, incident management, managing user privileges and, specifically, malware prevention.

Recommended steps to defend against ransomware include keeping an organisation's security patches up to date and using proper antivirus protection. Perhaps of some encouragement, 73 per cent of the businesses surveyed in the Digital Risk Calculator said that they have antivirus protection. On the other hand, that means that not all do!

Another of the steps that organisations can take to reduce the impact of successful attacks is to back up the data that matters to them. Whilst data back-ups do not by themselves prevent ransomware attacks, as the NCSC notes in its ransomware guidance, companies cannot be held to ransom for the data they hold somewhere else. However, only 62 per cent of the businesses that responded to the Digital Risk Calculator said they have regular data back-ups in place.

People can be the weakest link in an organisation's cyber security measures, and ransomware often aims to exploit this by getting individuals to download malicious software by pretending to be something innocent. User education and training, including maintaining awareness of cyber risks, is another of the security areas covered in the 10 Steps to Cyber Security. The Digital Risk Calculator found that only 42 per cent of the total number of businesses surveyed had employee digital security training in place. Whilst the potential impact of ransomware being downloaded can be mitigated by limiting user privileges and access, just over half (52 per cent) of the business surveyed said that they did not have any data access restrictions in place.

Overall, the results suggest that, whilst the majority of respondents perceive the risks of ransomware as high, businesses have not universally adopted cyber security guidance and recommended actions.

Within the businesses surveyed, and across organisations more widely, there will be some that do consider themselves fully prepared and also organisations that have made a thorough assessment of the particular threats that they face and have taken decisions accordingly. However, it is also likely there are many that are still failing to prepare sufficiently for the full extent of the cyber security threats that they may face, including potential ransomware attacks.

Helen is a director at Gowling WLG, with more than 15 years experience of advising suppliers and purchasers of technology, telecoms and outsourced services in both the public and private sector. Her practice spans advising on disputes arising from contracts (often complex and high value) for the design, build and implementation of IT systems and/or IT services, software licensing matters and also cyber security, including handling data loss and other cyber incidents.