The Ransomware Threat & Other Security Challenges to Resilience Management in the Post-COVID Era
The state of ransomware attacks
While organizations were trying to keep the doors open, rates of cyberattacks skyrocketed[i] in the first months of the COVID crisis. Attackers sensed the opportunity unleashed by a broad new attack vector, the remote workplace, replete with unsuspecting, untrained victims.
The extended new normal which followed these first lockdown months didn’t offer much succor, either. Ransomware, particularly, became a keen threat, with the potential to cripple organizations.
In too many instances, this potential became reality. High-profile attacks shut down the Colonial Pipeline, JBS USA, Kronos workforce management services, and many, many more.
Now, as we come into the post-COVID era, there’s hope that ransomware attacks themselves have abated.
In 2022, for instance, analysts reported a steep decline of 24 per cent in ransomware detections from early 2021.[ii]
Problem solved? Resilience assured? Not quite.
Sure, some experts might concede a reduction in the number of ransomware attacks. But the post-COVID security and resilience picture, they caution, is likely to be marked by an increase in attack sophistication.
Cybercrime is becoming a big business, often bigger than resilience
Indeed, cybercrime is becoming a business – a big business at that. The World Economic Forum in its Global Risks Report puts the cost of cybercrime in the trillions. And that price tag will only grow as hackers refine techniques to extract maximal pain from targets.
One such technique is already being honed. Analysts have noted a change in business model towards “extortion without encryption,” i.e., simply exfiltrating sensitive data and demanding ransoms to keep that data private.
Meanwhile, ransomware as a service (RaaS) is also becoming increasingly popular. For those who aren’t aware of this keen resilience challenge, RaaS is the offering of pay-for-use malware.
How does it work?
Well, the author of the ransomware makes that software available to customers dubbed affiliates. These affiliates, themselves often lacking technical skill, can use the software to hold business data hostage.[iii]
The financial advantage here goes to the malware author, who can scale earnings from the purchased software while off-loading personal risk to those who perpetrate the final crime. Of course, those who score financial windfalls from victimized companies also benefit.
Indeed, it’s the scaling of potential criminals that’s of greatest concern to organizations in the post-COVID era.
Nor are private criminals the only threats to resilience. For some time now, cyberattacks have also been conducted on critical targets by state-backed actors, with sharp increases accompanying moments of geopolitical turmoil, such as the war in Ukraine.[iv]
Cyber compliance grows more complex
The rise in cybercrime, particularly ransomware attacks on critical targets, has predictably provoked backlash from policymakers and regulators, who have stepped up efforts to keep sensitive data safe.
Of course, many data privacy regimes predate the pandemic. These regulatory regimes, however, are becoming more sophisticated (i.e., onerous for firms), while more and more organizations are falling under their sway. To quantify: if Gartner’s forecast bears out, we are likely to soon see two thirds of the world’s population covered by data privacy regulations.[v]
Just in the U.S., five states will roll out comprehensive consumer privacy laws this year alone.[vi] In 2022, at least 40 states and the commonwealth of Puerto Rico introduced or considered more than 250 bills or resolutions dealing significantly with cybersecurity, according to the National Conference of State Legislatures.[vii] And of those, 24 states enacted at least 41 bills in 2022.
National regulators, particularly in the financial services sectors, like the Securities and Exchange Commission (SEC), are also proposing a bevy of new disclosure requirements on the entities they regulate.[viii]
Overstretched cybersecurity personnel
Sure, some of the requirements will likely be simple to adhere to, such as disclosing policies and procedures to identify and manage cybersecurity risks.
However, others will be more challenging. The timely reporting of material cybersecurity incidents and follow-up reporting come to mind.
Many organizations, after all, don’t know when they’ve been breached. This lack of manpower among overstretched security teams is another resilience challenge in the post-COVID era.
Complicating resilience efforts further is the sharp rise in cyberattacks, which has produced an even sharper rise in the data alerts that overstretched security personnel must triage.
More than half (56 per cent) of large companies handle at least 1,000 alerts per day.[ix] The increasing pace of automatic notifications has created alert fatigue among overworked personnel.
How bad has the issue become?
Surveyed staff reported spending more time (32 minutes) on alerts that turned out to be false leads than on actionable alerts.[x]
As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations.[xi] Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.
Finally, with the security risk picture such as it is, companies can ill afford complacency in their post-COVID resilience efforts.
Mitigating the challenge, however, will take a policy shift away from preparing exclusively for short-term security incidents and towards complex, compounding, and often concurrent disruptions.
Here, though, companies can’t afford to wait. As too many companies have learned, the resilience threat waits for no one.
Managing complex risk, therefore, calls for integrated resilience best practices.
[i] Fintech News: The 2020 Cybersecurity stats you need to know. Available at https://www.fintechnews.org/the-2020-cybersecurity-stats-you-need-to-know/.
[ii] ESET Guest Blogger, Informa: The Ransomware Threat: Is It Decreasing — Or Retargeting?. Available at https://www.channelfutures.com/from-the-industry/the-ransomware-threat-is-it-decreasing-or-retargeting#.
[iii] Sean Michael Kerner, Tech Target: Definition: ransomware as a service. Available at https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS.
[iv] Madeline Lauver, Security Magazine: Security budgets may double or triple in 2022. Available at https://www.securitymagazine.com/articles/96802-security-budgets-may-double-or-triple-in-2022.
[v] Gartner: Gartner Says By 2023, 65% of the World’s Population Will Have Its Personal Data Covered Under Modern Privacy Regulations. Available at https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w.
[vi] Gary Kibel, Reuters: New privacy laws in 2023 — considering draft regulations. Available at https://www.reuters.com/legal/legalindustry/new-privacy-laws-2023-considering-draft-regulations-2022-11-16/#:~:text=November%2016%2C%202022%20%2D%20There%20are,%2C%20Colorado%2C%20Utah%20and%20Connecticut.
[vii] National Conference of State Legislatures: Cybersecurity Legislation 2022. Available at https://www.ncsl.org/technology-and-communication/cybersecurity-legislation-2022.
[viii] U.S. Securities and Exchange Commission, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Available at https://www.sec.gov/news/press-release/2022-39.
[ix] Staff, Dark Reading: 56% of Large Companies Handle 1,000+ Security Alerts Each Day. Available at https://www.darkreading.com/risk/56-of-large-companies-handle-1-000-security-alerts-each-day.
[x] Edward Segal, Deloitte: Impact of COVID-19 on Cybersecurity. Available at