Hello everyone and welcome back to the Cognixia podcast. Every week, we get together to talk about the latest happenings, bust some myths, discuss new concepts, and a lot more from the world of digital emerging technologies. From cloud computing to DevOps, containers to ChatGPT, and project management to IT service management, we cover a little bit of everything week after week, to inspire our listeners to learn something new, sharpen their skills, and move ahead in their careers.
The renowned UK security think tank, the Royal United Services Institute has published new research detailing the possible effects of ransomware attacks on businesses and staff, society, the economy as well as national security. Interestingly, it also highlights an impact that not a lot of us usually consider when we talk about the cost and effects of ransomware – the impact on physical and mental health. In today’s episode, we talk about these hidden costs of ransomware attacks, so stay tuned.
Who is the Royal United Services Institute?
The Royal United Services Institute, or RUSI, is the world’s oldest and the UK’s leading defence and security think tank. Its mission is to inform, influence, and enhance the public debate on a safer and more stable world. It is a research-led institute that produces independent, practical, and innovative analysis to address today’s complex challenges.
Ransomware incidents are a scourge on society globally. A ransomware attack takes a visible toll on organizations, individuals, the economy, and even national security. But there are also intangible, less visible impacts of ransomware attacks. These include physical, financial, reputational, psychological, and social harms. Ransomware is a risk to everyone, whether you are an organization or an individual, whether you are a small startup or a gigantic corporation. The financial costs and losses resulting from a ransomware attack can threaten the very existence of the organization. Besides that, it damages the reputation of the individual or organization, making them look unprofessional or incapable and exposing sensitive data to exploitation.
The threat from ransomware shows no signs of abating, especially because of its innovative and profitable business model, the insufficient importance given to security by individuals and organizations, poor cybersecurity practices in many organizations, and permissive law enforcement environments in some countries, such as Russia. Unfortunately, no sector is off limits, as threat actors continue to target public and private sector organizations, schools, hospitals, and even local governments. Despite how frequently these attacks occur globally, not many victims are open to sharing their experience of a ransomware attack, perhaps for legal reasons, because of reputational concerns, or even out of fear of further attacks or other ramifications of speaking out. Very few ransomware attacks are reported to law enforcement and cybersecurity authorities. All these factors have left a very scant understanding of the range of harms experienced by the victims of ransomware during and after the attacks.
Most of the global understanding of the impact of ransomware attacks is about the financial burden the attack inflicts on the victims. It is, undoubtedly, a highly relevant and major impact. However, there are macroeconomic impacts of ransomware attacks that go beyond the cost to the individual or the organization. Moreover, there are also indirect victims of ransomware attacks, apart from the direct victim who was attacked.
The RUSI Report classifies the harm caused by ransomware attacks in three categories.
First-order harms are the harms to organizations and their staff, such as data loss, reputational harm, and even heart attacks.
Second-order harms are the indirect harms to other organizations and individuals, such as making clients and customers vulnerable to attacks, or the disruption of patient treatment in hospitals.
And third-order harms are the ones that harm society, the economy, and national security at large.
Ransomware threat actors don’t follow a single fixed business model, but there are three broad models that most of them follow. The first is the ‘buy-a-build’ model, commonly used by less experienced cybercriminals who obtain existing ransomware code. The second is the in-house business model, where the ransomware is developed, operated, and managed in-house. The third is the Ransomware-as-a-Service model, which calls for collaboration between different parties to develop, maintain, and operate the ransomware. The common extortion methods followed by most ransomware threat actors are encryption, data theft, data leak sites (also commonly called ‘name-and-shame’ sites), harassment of employees and/or customers, and DDoS attacks.
While the direct impact of ransomware attacks in terms of financial losses, damage to reputation, disruption of services, etc. is widely acknowledged and accounted for, the psychological impact of ransomware attacks is significantly overlooked. The RUSI report is eye-opening when it says that currently no one has a full understanding of the economic impact of ransomware attacks, and that the cost of long-term and indirect financial harms is likely to be missing from current estimates of the economic harm caused by ransomware. It also says that while the reputational harm stemming from a ransomware attack is a valid concern for some companies, especially those whose clients expect a higher level of privacy, the danger of reputational harm is often overestimated by victims. From spiked anxiety to PTSD, the aspects considered to be the ‘softer’ side of the impact of ransomware attacks are routinely ignored and never accounted for. To illustrate this point better, imagine how many people have given up using UPI payments or net banking services out of fear of falling victim to financial scams and frauds, and how many of us are afraid of spam calls. While these examples are not associated with ransomware attacks in any way, they do help us understand what fear can make us do. We all know UPI payments make life easier, but it is also true that many have given up on them, or never even tried to get started, out of fear of losing their hard-earned money.
So, where does this end? What can we do differently? Can ransomware attacks really be prevented? The RUSI Report shares previously unexplored insights about ransomware attacks. It offers a critical baseline understanding for taking effective steps to mitigate the harms they cause, both for responding to and preparing for individual incidents and for designing policy interventions to tackle the rising ransomware threat. This framework, we believe, is an excellent starting point for future analysis and data gathering, though there is a long way to go and a lot more research is needed.
As for what you can do in your organization, a good starting point would be to hire cybersecurity experts who have the knowledge and experience required to put in place the processes, infrastructure, and SOPs, build awareness, manage incidents, and so on. But how do you gauge this knowledge and experience? Is there a global standard or guideline? Yes, of course there is: the CISSP certification. The CISSP certification by (ISC)2 validates an individual’s skills, knowledge, and experience in information security, and it is a globally recognized, highly valued and sought-after certification. So, what are you waiting for? Get CISSP certified or nominate your team for the CISSP certification today! Talk to Cognixia to get started. Visit our website, www.cognixia.com, for more information.
With that, we come to the end of this week’s episode of the Cognixia podcast. We will be back again next week with another interesting and exciting episode. Until then, happy learning!