October 30, 2023 Focus: CyberSecurity

Ransomware attacks become predominant employer cyber-risk because ‘they are really profitable’

PHOTO | CONTRIBUTED John Menefee is the cyber-risk product manager for property and casualty insurer Travelers Cos.

The Connecticut attorney general’s office has received an average of 1,382 annual data breach notifications from employers and other organizations over the last three years.

That’s up significantly from 805 annual notices averaged in the previous three-year period, from 2017 to 2019.

Not all of those data breaches were related to bad actor-led cyberattacks, the attorney general’s office said, but it’s no secret that cybersecurity remains a growing area of concern for employers of all sizes.

In fact, the 1,200 small, midsize and large companies that recently responded to the Travelers Cos. risk index survey said cyberthreats were one of their top three business concerns, behind medical cost inflation and broad economic uncertainty.

Connecticut this year has seen several high-profile cyber events, headlined by the ransomware attack that paralyzed the operations of three Connecticut hospitals — Manchester Memorial, Rockville General and Waterbury hospitals — for nearly six weeks.

Not only did the attack force the financially ailing hospitals to temporarily close their ERs and cancel elective procedures, but it also put at risk their proposed acquisition by Yale New Haven Health.

Ransomware, phishing and social engineering fraud are the biggest cybersecurity threats facing businesses today, according to John Menefee, the cyber-risk product manager for property and casualty insurer Travelers Cos., which has major operations in Hartford.

Travelers is an underwriter of cyber liability insurance, so it has an incentive to curb the threat of online attacks.

Menefee said it’s crucial for businesses to adopt a cybersecurity framework, identify weaknesses, and address those issues as quickly as possible.

Simple steps, Menefee said, like downloading software and operating system updates that address security vulnerabilities, and adopting multifactor authentication can go a long way in thwarting bad actors, who surf the internet looking for weak targets.

Menefee is responsible for underwriting strategy, product development, and strategic initiatives related to cyber-risk. Here’s what else he had to say about the cybersecurity threats facing employers.

The Q&A was edited for length and clarity.

Q. What are the biggest cybersecurity threats employers face right now?

A. The claims that we’ve seen recently, and over the last couple of years, are driven mostly by ransomware attacks, which have become a lot more frequent and a lot more severe.

Four or five years ago, ransomware existed, but the threat actors were less sophisticated and less organized. When we had a ransomware event, maybe one or two computers were impacted, the extortion demand was a couple hundred dollars.

Now, that has evolved to an entire network being encrypted and unavailable, and businesses seeing their operations ground to a halt. Instead of demanding a couple hundred dollars, threat actors demand a couple million dollars.

Threat actors are also changing their tactics to increase the odds of a ransom payment.

A couple years ago, they would lock up your system and demand a million dollars. Now it’s, ‘we’ve got your system locked up, give us a million dollars, and we also stole data from all your customers and employees, and unless you pay us in 24 hours, we’re going to release all that information on the internet.’

They’re also threatening to call your customers and employees to tell them what happened.

Q. What types of organizations are being impacted the most by cyberattacks?

A. You read a lot that it’s impacting hospitals, schools and government entities. But it’s impacting really any organization that does business using the internet.

Threat actors are not choosing their victims based on any particular sector. They’re choosing victims based on the existence of vulnerabilities, certain open ports that they target.

Q. Why have ransomware attacks increased in popularity among cybercriminals?

A. Ransomware is happening a lot more frequently because it’s really profitable.

Prior to ransomware, the way threat actors could cash in on a cyberattack was to steal data, like health or credit card information, and then sell it on the dark web, or use the credit cards to buy stuff.

Now, threat actors realize that if you can restrict an organization’s access to their own data, they’re willing to pay a lot for it.

Q. Who are these bad actors doing ransomware attacks?

A. Most of them are not domestic, they are cybercrime groups in Russia, Ukraine, Iran, China, and other places.

They’re highly organized — they have a business model that looks very much like any type of organization. They have different types of roles, different types of specialties.

They have offices with break rooms and lunchrooms, and HR policies and all those types of things. So, it’s mostly foreign, criminal-based organizations.

(The Rhysida ransomware group claimed responsibility for the cyberattack that impacted Connecticut hospitals.)

Q. How does cyber insurance work?

A. The role that cyber insurance plays has evolved over time. The policy serves as a risk-transfer mechanism, so costs associated with a cyberattack event are potentially covered by the insurance, depending on the scenario.

It also helps with the coordination of lots of different experts to respond to a cyberattack.

So, in a typical ransomware scenario, you might think about costs to recover your system, to restore data from backups, to perform forensic work to determine things like how the threat actors got into the system, if they’re still there, and then how to get them out.

Q. I’ve talked to a cybersecurity expert who said you should never pay a ransom in a ransomware attack. What are your thoughts on that?

A. Nobody ever wants to pay an extortionist. We don’t want to, our customers don’t want to, and law enforcement, which is often involved in these matters with us, doesn’t want to.

The reality of the situation, though, is that sometimes the decision is made to pay the extortionist. And it could be based on a lot of different factors, like impact to the organization.

For example, when you’re a healthcare organization, sometimes patient care comes into the decision-making process, and so it’s a really complex decision.

We don’t really make recommendations to pay a ransom or not pay a ransom. That’s up to the organization to decide.

Fortunately, the likelihood of having to pay a ransom has decreased over the last year, and I think we can probably assume that number is going to continue to go down.

Q. Why is the likelihood of having to pay a ransom going down?

A. I think a lot of it has to do with education. Organizations are aware of the ransomware exposure. They’re more aware of some of the controls they can put in place to defend against it, and make the events less severe if they are the victim of ransomware.

So, that’s implementing things like multifactor authentication, backup procedures, even just having an incident response plan, a disaster recovery plan, so that you’re in the best possible position if it does happen. That makes the likelihood of having to pay a ransom a lot less.

Q. Of the claims that Travelers receives related to ransomware attacks, what percentage end up paying a ransom?

A. It’s probably about 20% to 25% that actually choose to pay.

Q. Does a cyber policy through Travelers cover a ransomware payout?

A. It does. It covers most of the costs associated with the ransomware event.

Q. Beyond ransomware, what are the other major cybersecurity threats?

A. We are starting to see social engineering fraud increase in frequency. Social engineering fraud is the classic scenario when you receive an email or a communication from a criminal that is purporting to be someone else, that tricks you into sending money or something else of value.

But it’s not the Nigerian prince phishing scenario anymore, where you can identify an email as fraud because it’s written in broken English, or it’s coming from the wrong email address.

This is where threat actors have gained access to a user’s actual email inbox. They are looking within the email inbox, they have access to calendars, archive folders and can really get a good idea of the inner workings of the organization to perpetrate phishing schemes that are very difficult to detect.

A lot of the time the phishing message will come from a superior’s actual email address. They will ask to send money to customers that actually exist.

It’s very difficult to detect that it’s fraud.

The migration to cloud-based email platforms has helped perpetuate social engineering fraud.

Q. In terms of overall trend lines of all types of cyberattacks, are we seeing an increase or decrease?

A. Over the last couple of years, they’ve been pretty flat as far as the total volume of activity that we’ve seen, but that’s down pretty significantly from 2019, 2020, 2021, when the frequency and severity of ransomware was at its highest.
