Unpredictable and fast-moving, a ransomware attack will test business resilience

As we try to adjust to whatever the new normal looks like, Ransomware alongside Business Email Compromise and Phishing has continued to be one of the fastest growing cyber-crimes during this period and poses a significant risk to businesses in all industries and of all sizes.

Where many still seem to be sitting on the fence with regard to their exposure to cyber risk Criminals are taking advantage of this lack of preparedness, causing substantial disruption and damage, for financial gain.

Ransomware: What it is and how it can affect business

Ransomware is a type of malicious malware that can encrypt, delete or steal files, preventing the user from accessing their data or computer until a ransom payment is made. [1] The most common channels for how ransomware can infect your systems include the following:

• Unsolicited phishing emails containing malicious file attachments or links to malicious websites &/or messages in social networking sites.
• Drive-by downloading when unknowingly visiting infected websites.
• Unpatched software, apps, programs, operating systems and browser vulnerabilities being exploited;
• The use of infected USB memory sticks.

According to The Economist, data has become the world’s most valuable resource and the dependency on integrated technology systems for highly efficient operations make businesses vulnerable to a cyber-attack. [2] In the 2019 Cybercrime Report by Cybersecurity Ventures it predicts that ransomware damages will cost $20 billion globally by 2021 and that a business will fall victim to an attack every 11 seconds. [3] During a ransomware attack confidential commercial data and personal data held on employees and clients is exposed to uncontrolled risk – this is a key concern given the requirements surrounding the General Data Protection Regulation (GDPR) and the increasing contractual requirements relating to privacy, data processing and Cyber Insurance that we are seeing. The effect of a single successful cyberattack can have far –reaching implications, way beyond just financial losses.

Risks to surveyors

Awareness of ransomware and other cyber related threats has grown as a result of high-profile attacks across a number of industries. Surveyors are not immune to this threat and should be aware of the risks in terms of what they need to protect and their potential vulnerabilities.  It is also important for surveyors to be prepared due to the Data Handling and Prevention of Cybercrime Professional Statement, which will require all RICS professionals and regulated firms to comply with a set of obligations and best practices, in order to address data and cyber risks. [4]  

This statement will impact surveyors, particularly in terms of valuations as large quantities of data are analysed and recorded which must be stored securely. [5] As surveyors often handle high value transaction data and have access to client databases, third-party data, as well as a property’s security and management systems it is a risk that must be managed in the modern and evolving ways of working. Due to low investment into cyber-security infrastructure and a lack of training amongst employees, businesses are vulnerable to cybercrime. In addition, emerging technologies such as the use of drones and BIM (Building Information Modelling) also have the potential to be exploited just like any other computer systems. If such systems are being used on high value projects, a ransomware attack would cause maximum disruption. Where surveyors, Real Estate and mortgage lender practices come together, this enhances the severity of risk even further.

A Proactive approach to cyber risk as supported by RICS is not only important to maintain business resilience but it is also important for stakeholder management.

Risk Management: Steps to take

Cyber risk will be unique to each business and therefore risk management and awareness of what each surveyor or business has to protect is key.  In case of attack, it is important that an effective recovery and communications plan be in place, together with a comprehensive cyber insurance policy.

Other risk management steps include:

• Back up your data, if you are hit with Ransomware this could be a business saver.
• Use antivirus software and activate your firewalls.
• Regularly patch your operating systems and applications, without this there will always be vulnerabilities to be exploited.
• Control or block USB ports, Memory Cards and Bring your own devices (BYOD) use.
• Ensure mobile devices are encrypted.
• Ensure that the responsibility of cyber security is an enterprise risk and not just an IT department issue. Everyone has responsibilities for the protection of client and business data from the Board to individual employees.

We also outline in our cyber Security Guide the following additional steps:

• Ensure the use of strong passwords and where possible two-factor authentication. The NCSC suggests one tip for strong passwords is to use three random words for example ‘treephonemirror’ and insert symbols, numbers and capitals where required.
• Restricted user access and management of user privileges.
• Invest in the Government backed scheme Cyber Essentials Certification

And most importantly:-

• Employee training.

Recent figures show that 90% of data breaches are a result of human error. [6] 

Examples of cyber security threats caused by human factors include: poor password security, miss-delivery of sensitive information and accidentally clicking on malicious links and attachments in emails. Employees are a constant target of Phishing and other social engineering attacks and these attacks are becoming so sophisticated they are becoming harder and harder to spot.

The National Cyber Security Centre (NCSC) provides a number of free online training tools for businesses:

• Having plans in place should things go wrong: test and practice your business cyber incident response using the 'Exercise in a Box' tool. 
• Reducing cyber incidents caused by employee behaviours: educate your employees using the 'Top Tips for Staff' training tool.
• Managing third party cyber security risk: set out security measures for suppliers and partners, and train your staff in procurement roles on how best to protect commercially sensitive information using this online course. 

Cyber Risk Insurance

As the threat and regulatory landscape evolves and the cost of cyber claims increase both in terms of frequency and severity, a cyber-risk insurance policy is an important part of your risk management and resilience strategy.

Cyber Insurance is unique due to its service led proposition providing critical first party incident response services. The IT forensic, legal and PR expertise on hand is an invaluable service provided during high stress and time critical situations.

Whilst Cyber Insurance will not protect you from an attack, it allows for some of the financial risk to be transferred and assist with mitigating disruption.

For more information please visit our cyber insurance webpage

References:

[1] https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

[2] https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

[3] https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf

[4] https://www.rics.org/uk/news-insight/future-of-surveying/data-technology/keeping-data-as-safe-as-houses/

[5] https://www.rics.org/uk/news-insight/future-of-surveying/data-technology/keeping-data-as-safe-as-houses/

[6] https://www.ncsc.gov.uk/report/weekly-threat-report-7th-february-2020