The chair of the Federal Trade Commission (FTC) is advising businesses that the FTC might hold them accountable for not fixing vulnerabilities commonly exploited by cybercriminals launching ransomware attacks.
FTC Chairwoman Edith Ramirez says the actual ransom demand is usually $500 to $1,000 but can be as high as $30,000. Based on data from the FBI, the U.S. government estimates there are now 4,000 ransomware attacks being launched per day, representing a 300 percent increase over the 1,000 ransomware attacks per day in 2015.
Even more concerning for the average organization, Ramirez also revealed that thus far the FTC has pursued more than 60 enforcement actions against companies that have been hit by ransomware. That may seem like a government effort to punish the victim of a crime, but the FTC is starting to make it clear that the careless handling of data is indeed a potential crime punishable by fines that far exceed the ransom being demanded by hackers.
The growing ransomware threat
While that effort may not do much in terms of getting more companies to voluntarily admit they have been victimized by ransomware, it should go a long way to getting more organizations to modernize their approaches to data protection. The sad fact of the matter is that in addition to not investing enough in IT security, most organizations today rely on approaches to data protection that make their ability to actually recover data a hit-or-miss proposition.
Unfortunately, things may be about to get worse before hopefully getting better. Ramirez notes that ransomware has become a core component of phishing campaigns, with an estimated 93 percent of all phishing attacks sent by emails containing some form of encryption meant to be used to demand ransom.
Things are apparently no better in the cloud. Netskope, a provider of cloud security software, this week reported that that nearly half (44 percent) of the cloud applications it investigated contained some type of malware associated with ransomware attacks.
Helping customers manage risk
For IT services providers, the ransomware conversation with customers needs to start with risk management. Every executive that ever got a degree in business knows that managing risk is a fundamental element of managing a business. IT security issues such as ransomware are just one in a long line of those risks. Framed from that perspective, it then becomes apparent that the organization needs to focus on protecting its most critical data assets. In most cases that’s customer data containing credit card numbers and other forms of personal identifiable information (PII) such as a healthcare records.
Business leaders may not like the fact that they have to allocate more money to protecting that data. But should that data fall out of their control, they will like being the subject of government scrutiny even less. More often than not, the difference between being viewed as a true victim or as someone engaging in reckless behavior will come down to how responsibly an organization handles their data in the first place.
Obviously, there is no better indication of responsibly handling sensitive data than hiring a professional IT service firm to do it. The opportunity now is for IT service providers to drive home that point at a time when governments are making it abundantly clear their patience with organizations that don’t employ reasonable measures to protect data has already run thin.