Cybersecurity is one of the biggest concerns for every business today. Hacking and ransomware attacks deliver high returns for a relatively low effort and the significant rise in revenue fuels increasingly more aggressive and costly attacks. That recipe means the cybercriminal community will expand and ramp up its activities to keep those cash streams flowing.

The processes and organizational advancement of these syndicates are astounding. Few people outside the tech industry understand the capabilities of these groups that often get support from nation-states and organizations with evil objectives. While the 24/7 news may cover ransomware attacks on multi-billion-dollar pipeline companies and other high-profile organizations, there is little if any mention of small and mid-size companies. That creates a false sense of security. Many business leaders think their organizations are simply too small to fall into the crosshairs of those cybercriminals.

The reality is that every company is a target today, and it just takes one slip for ransomware to get into the system and potentially shutter the entire organization. According to research firm IDC, approximately 37% of global organizations reported being hit by at least one of the more than 130 variants of these attacks in 2021. Many of those victims likely invested significant resources in their IT system defenses. While businesses must do everything possible to prevent these attacks, a more realistic goal today is to minimize the potential harm that may occur when cybercriminals manage to find those gaps.

Complacency is also a concern. Unlike the early days of computers, today, businesses should consider cybersecurity investments as a maintenance fee that will likely continue to grow as the threat levels rise. IT spending needs to increase each year to protect its most valuable assets, including customers, employees and data. Ensuring the security of the company’s networks and operations centers is critical, and organizations with remote and hybrid workforces may need to double down on those efforts and investments.

Minimize the Threats

Prevention is critical. While no one has come up with a 100% foolproof defense against ransomware attacks (other than running a business without computers and internet connections), anything companies can do to boost their collective defenses helps lessen their financial and legal exposure.

Cybersecurity strategies are business-critical. Building an effective plan and investing in awareness training, anti-ransomware and antivirus tools, and other proactive measures mitigates a company’s risk profile. And while none of those actions can guarantee a company’s complete protection from threats, they reduce liability and cyber insurance costs and lessen the executive team’s anxiety when properly implemented and managed.

Most IT professionals add layers of cybersecurity measures to protect networks, devices and other technologies, including cloud applications and proprietary software. It is virtually impossible to lock down every potential access point to prevent cybercriminals from reaching their ultimate target: data. Stealing and ransoming business and personal data drives hundreds of millions of dollars (potentially billions since many attacks go unreported) in income for nation-state-supported crime syndicates, professional hackers and basement-dwelling amateurs each year. One thing they all have in common is an innate ability to make organizations pay dearly for their mistakes.

Business leaders need to understand that premise and why no matter how much they invest, no company is ever completely safe from ransomware attacks. Here are some of the ways cybercriminals strike paydirt:

1. People make mistakes. According to one recent report, human error plays a role in virtually all (94%) cybersecurity breaches, including nonadherence to email protection measures, poor credential management and employee sabotage. No matter how many technologies and policies a company implements, ransomware purveyors know someone will slip up at some point.

2. Ransomware is a thriving and ruthless business. From rudimentary attacks by rogue workers to elaborate new business models like Ransomware as a Service (RaaS), this is a profitable and rapidly evolving opportunity. The reward for cybercriminals far outweighs the risks, and this community’s almost limitless creativity and cruelty should strike fear into every corporate decision-maker.

3. IT resources are limited. Even before the “Great Resignation,” the number of high-tech job openings was astronomical. The ensuing pandemic and changes in work preferences are impacting many companies’ ability to fully staff their IT departments and adequately protect their systems.

4. Management support is lacking. Effective cybersecurity strategies begin and end at the top. Executives must prioritize cybersecurity, from adopting strong policies and leading by example to investing in technologies and programs to properly protect their people and systems. Employees often discard or discount initiatives that don’t appear to have solid support from managers and other executive team members.

5. Supply chain attacks are rising. Cybercriminals understand that there’s usually more than one way into a company’s networks, including access through business partners’ systems. Ransomware attacks from suppliers and contractors are a rising concern. Recent examples include Target and SolarWinds, where cybercriminals first gained access to other companies’ systems from which they spread malware using connected networks and applications. Many organizations implement standards and follow industry best practices to vet their business partners’ IT security tools and methodologies.

6. Testing is never a high enough priority. Companies can invest a significant amount of their resources on cybersecurity yet not know if it will actually work. Periodic evaluations and adjustments are critical to ensure the integrity of every organization’s defenses. Cybercriminals are constantly looking for openings to exploit, from non-working end-point protection tools and unencrypted email systems to lax credential management. Testing helps businesses identify and rectify those vulnerabilities as well as any others that happen to pop up between evaluations.

Frame The Threats

Ransomware attacks are non-discriminatory. Cybercriminals target anything and everything, and thanks to new business models, the cost of entry for aspiring hackers is virtually non-existent today. With all of the resources they have on tap, no business or individual is safe.

The risks are rising exponentially, especially for companies that work with sensitive personal and financial data, as well as those adopting WFH (Work from Home) environments. More importantly, the decision-makers must understand that even with the latest measures, those threats will never completely disappear.

Cyber insurance coverage adds another critical layer by mitigating potential liabilities for the business. A basic protection package can also lessen the executive team’s anxiety level and assure other stakeholders that their financial interests are well protected.

Raising the cybersecurity bar is never easy. However, any cost-effective measure that can prevent a business from being the “lowest hanging fruit” for criminals is worth pursuing. With the threat level of ransomware rising and no guarantees that companies can stop every attack, leadership teams should be open to all potential abatement options today.

The risks MSPs face are not always clear. While most IT business owners are aware of the consequences of losing clients, hiring bad drivers, and not locking their doors, other potential threats are not quite so clear. For example, knowing where the ultimate responsibility falls when a client becomes the victim of a ransomware attack or some other type of cybersecurity incident can get a bit fuzzy.

The factors may be complex and assigning responsibility for failures tends to get similarly complicated. Is the targeted vulnerability on the MSP side or due to client’s negligent employee? IT services providers need to know best practices for minimizing their collective risks to effectively protect their businesses, customers, and the livelihoods of everyone’s employees. Cybersecurity responsibilities must be clearly and frequently communicated to the respective parties, with periodic testing of each safety protocol to minimize the chances of a breach, ransomware attack, or other type of data-related incident.

As with any tech process or theory, a proactive management approach is essential. MSPs must continually assess their collective security environments and add new measures to reduce their company’s liability in the event something bad were to happen to their systems…or to their clients. The things that work well today may become vulnerabilities tomorrow.

The Weakest Links

Whether opening a business or walking down the street, risk is a part of life. Virtually everything and every activity brings some level of uncertainty (if not actual danger) and people spend a lot of time and effort managing the unknowns. Cybersecurity is a perfect example of that concept.

When cybercriminals compromise an organizations’ IT networks or data collection and containment systems, it’s almost inevitable that someone will start pointing fingers. Failures lead to blame. There will never be an unbreakable security perimeter as long as humans are part of the equation, and the responsibility for a lapse often falls to people far beyond those making the mistake. Many business leaders expect cybersecurity to be infallible. Even when an employee bypasses company security policies or ignores basic logic, some will blame their MSPs (or their internal tech teams when applicable) for not doing more to limit, if not completely prevent any subsequent damage. Their understanding of the scope and complexities of these attacks may not mesh with the true challenges of defending their networks, computers, and employees – especially workers who ignore rules, take shortcuts, or intentionally sabotage their systems.

Realistically, the liability for any failure should extend to all the “players.” Employees should pay closer attention and follow best practices. Company executives could invest more to strengthen cybersecurity measures and training and better enforce workplace policies. Unfortunately, everyone expects MSPs to be infallible − no matter how much their hands are tied by clients’ decisions and budget limitations – so they often take most of the blame.

Minimizing those liabilities must be a priority for every business. For MSPs, that mission is even more critical to limit their exposure to the processes and technologies actually in their control when an attack does occur. Proper safeguards and insurance coverage are an essential part of that equation.

The Known Liabilities

Cybersecurity concerns continue to grow. The problem is that there is absolutely no room for error: not from employees, business owners and managers, or the IT teams that support their technology systems. MSPs have to be more diligent than ever to reduce their own liabilities. While no IT services firm can eliminate every risk, some of the steps team members’ can take to minimize the company’s exposure include:

• Setting and enforcing strict internal cybersecurity policies. Between breaches, ransomware, phishing and a slew of always evolving malware targeting any network opening, MSPs cannot overlook anything today. Establishing and adhering to firm guidelines for the implementation, management and support of every IT system −for clients and internally – must be a priority. Lapses in a provider’s cybersecurity practices and controls can significantly increase its liability if those issues contribute to the breach of a customer’s data.

• Demanding high cyber standards from clients. There is no excuse for poor cybersecurity policy adherence today. If there was one issue that MSPs should ever consider firing a client over, this is the one, especially considering the impact a potential breach could have on both businesses. Providers must be willing to walk away from high-risk organizations to protect their reputations, financial stability, and livelihoods. MSPs that continue supporting clients with known vulnerabilities are amplifying the risks and potential monetary impact to their own bottom lines. Implementing and following through with a tough love approach, delivering cybersecurity upgrade ultimatums to poorly protected businesses, is business critical for IT firms in today’s threat environment.

• Keep building. Cybersecurity is dynamic. MSPs may gain the upper hand over cybercriminals by installing the latest protection measures and adding support options – but those wins may be short-lived without a roadmap of continual upgrades. One of the prime reasons providers attend channel events today is to gain insight on new tools and strategies to combat ransomware attacks and social engineering schemes. Adding layers of protection and upgrading existing tools helps keep cybercriminals at bay. MSPs that continually fortify cybersecurity protection and end-user awareness training (a critical component in any plan) prevent their clients from becoming the “low hanging fruit” those miscreants typically target. Those measures also help limit providers’ liability should something bad occur. MSPs following and promoting industry best practices have less to worry about in this era of high cyber anxiety.

• Checking all the “compliance boxes.” Failure to comply with recovery time or recovery point objectives or backup errors (including data losses) can be major legal and financial liabilities. MSPs have to be compliance experts for all of their clients and adequately support each requirement to limit their mutual liabilities in case of a ransomware attack or other data-compromising event. Rules and regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Industry Regulatory Authority (FINRA) can make clients’ heads spin. While the companies bear a major part of the responsibility for compliance, the blame for any failures is increasingly shifting to the MSP and IT communities. Providers can minimize their risks by adopting all prescribed requirements, testing systems frequently, and stressing the importance of these standards with clients, end-users and their own staff members.

No Easy Outs

Managing risk is part of doing business today. MSPs, like their clients, must strive to do the right thing everyday to minimize their legal and financial liabilities.

Following prescribed cybersecurity best practices and addressing regulatory and industry standards are essential steps. However, even the best laid plans can fail in today’s high threat environment, as cybercriminals look for even the smallest opening (typically a human error) to launch an attack.

Every organization needs a cybersecurity-specific insurance policy to minimize the monetary impact of business compromises. No MSP can expect to plug every potential gap or predict when a client’s employee will click that ransomware-launching link. Knowing the company has financial protection and support in these situations helps ease the burden (for everyone).

The riskiest thing many businesses do is maintain the status quo. The cybercrime community appears to take that to heart as they continue to renew and upgrade previously retired malware and launch new and more damaging versions of their malicious software. The greater the creativity, the more money they can generate from unsuspecting individuals and businesses. Unfortunately, cybercriminals are very innovative and imaginative, so MSPs and other security professionals need to work even harder to keep ahead of the latest schemes and attack methodologies.

That job gets tougher as ransomware purveyors find new ways to up their game and outfox unsuspecting and inattentive prey. The latest schemes – including triple extortion attacks − illustrate the lengths cybercriminals will go to terrorize end-users and maximize their ROI on malware development or purchases. Not satisfied with the penetration rate of traditional ransomware, they are doubling down on their successes, further victimizing end-users and businesses reeling after the initial event.

One key reason malware developers are going to that effort is they have a substantial financial stake in expanding the size and depth of the attack vectors. Much like MSPs’ desire to add incremental recurring revenue to fuel cash flow and grow their market and wallet shares, cybercriminals often rely on subscription sales of their code to ensure steady income increases. Adding new features to their “offerings” and schemes keeps demand high and malware developers profitable.

And those margins are surely high already. According to the 2022 Palo Alto Unit 42 Ransomware Threat Report, the average ransom request was approximately $300,000 in 2020, which nearly doubled to $541,000 in 2021. While the actual payments can cost less than the initial demands, malware victims are handing over a lot more cryptocurrency today. Those numbers will continue escalating with the introduction of new and more powerful attack schemes.

Cybercriminals Triple Down on the Threats

In 2019, with companies and the tech industry thwarting many ransomware strikes, negatively impacting their revenue growth, the cybercriminal community developed a solution to generate more income from each successful attack. Double extortion schemes copy all the data in the infected systems before encrypting the network and then threaten to publish or sell the information if the company (or individual) refuses to pay. That “cache” may include credit card numbers, protected health information, or proprietary information that the cybercriminals attempt to sell on the black market.

Malware developers were not content with the financial outcomes of employing those malicious methodologies and added a new twist with triple extortion. In these attacks, cybercriminals attempt to ransom the target company and its customers and other organizations in its ecosystems (and databases). MSPs are certainly not the only people looking to grow wallet share today.

Imagine the impact of a triple extortion attack on a medical practice or hospital? The amount of personal information in one of those systems could put a ransomware purveyor’s kids through law school. Those types of situations could put an attorney or accountant out of business, considering how much damage a data compromise could inflict on their clients and reputation. Even though ransom demands are typically smaller for the secondary victims (the patient or customers), the embarrassment and potential financial ramifications of having sensitive information leaked to the general public would be difficult for any company to overcome.

One of the first publicized examples of a triple extortion ruse was the 2020 Vastaamo breach. The company manages twenty-five psychotherapy centers across Finland and works directly with the country’s public health services. In addition to demanding a significant bitcoin payment from the provider, cybercriminals also sent similar requests to thousands of the organization’s patients, threatening to share their session files and recordings if the ransom wasn’t received.

Data Protection Goes Beyond Technology Solutions

The Vastaamo triple extortion case highlights the value of data an MSPs’ clients may possess. With access to sensitive information, cybercriminals gain great power and leverage and can make a lot of demands. An MSP’s job is to protect all data, including personal and confidential files, and prevent malware purveyors from scoring the big wins. Triple extortion is most effective when cybercriminals know they have companies over a barrel and have the leverage to dictate lucrative terms for the return of that information.

With the rise of the REvil community and its ransomware-as-a-service business model, things may worsen before they get better. According to Check Point, that group is leveraging DDoS attacks in their schemes and offering to make phone calls to victims’ business partners and the media. Even if their MSP can restore their networks and systems using data backups, they can’t prevent cybercriminals who make their own copies from publicly publishing or selling that information.

The truth is that no IT services company can assure its clients of 100% protection from these types of threats. For those unforeseeable situations, businesses need the appropriate level of cyber insurance coverage. These policies aim to help affected companies regain their financial footing and pay for the restoration services needed to rebuild their operations, integrity, and momentum.

While MSPs address the technical aspects of rebuilding systems and networks, a client’s cyber insurer should have their back, helping provide the resources needed to get businesses back on their feet. From proactive insurance assessments and MSP-supportive recommendations to post-incident handholding, a reputable broker can help IT providers and their clients. Those are the types of services DataStream Insurance provides. We can determine if your clients are insurable and help get them protection from the latest attacks, like triple extortion…and whatever threats may come next.