Better than cyber insurance: A new approach to ransomware
Securing IT infrastructure and data can help governments avoid the “to pay or not to pay” dilemma.
Cyber insurance is an attractive option to government agencies working to stave off and respond to a growing number of ransomware attacks, but it could inadvertently incentivize attackers, according to a new report.
Many government organizations can save money by transferring their cybersecurity risk to an insurer, according to “Ransoming Government: What state and local government can do to break free from ransomware attacks,” a new report that Deloitte’s Center for Government Insights released March 11.
Governments aren’t the only beneficiaries of cyber insurance, though. “For every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance,” the report said.
Additionally, these policies make ransomware attacks more enticing to bad actors, who see that their demands are more likely to be met. In the second quarter of 2019, governments that paid ransoms shelled out 10 times more than their commercial counterparts, according to Deloitte.
“Therefore, while paying the ransom in a ransomware attack may seem to be an easy, short-term solution, in the long run, it may make the problem worse,” the report stated.
Not paying the ransom isn’t exactly a walk in the park, either. The city of Baltimore refused to give in to a demand for $76,000 to regain control of a majority of its servers in May 2019, and it racked up more than $18 million in recovery costs and lost revenues.
In 2019, governments reported 163 ransomware attacks -- a nearly 150% increase over the 2018 number, according to the report, which added that agencies paid more than $1.8 million in ransom and millions of dollars more on recovery costs.
Beyond the “to pay or not to pay” dilemma, Deloitte offered a third option, based on “building well, operating well and responding well.”
First, governments should build a system architecture that prioritizes protection of the most critical data and compartmentalizes it to make it tough for hackers to encrypt. The report also recommended air-gapped system backups and training and reskilling employees on cybersecurity so they can better fend off attacks.
“Operating well” means minimizing risk by improving cyber hygiene and playing war games in which the IT office rehearses a realistic scenario so that officials can try out the decisions they would be making in an actual attack, the report said. That way, when they’re staring down the real thing, they feel more confident about how to proceed.
Lastly, “responding well” means minimizing the impact when an attack is attempted. For instance, artificial intelligence can identify and block unusual downloads from links that employees click on. Additionally, information sharing is critical. “Sharing information about ransomware experiences, even when it is uncomfortable or potentially embarrassing, can be key to the ‘herd immunity’ that can keep other governments safe,” the report stated.
Lubbock County -- one of 23 local Texas governments hit by ransomware last August -- has already seen the value of resources, training, and quick responses. An employee’s call about icons changing on a desktop in real time was a sign of attack, according to the report. County officials isolated the affected computers and stopped the attack before it locked down any critical systems.
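The Lubbock County signal above, desktop icons changing in real time, is what bulk file renaming looks like to a user: encrypting ransomware typically rewrites each file under a new extension. The same pattern can be caught automatically. The script below is an added example, not tooling from the Deloitte report or from Lubbock County; it assumes a hypothetical file-activity log format (timestamp, host, user, RENAME, old path, new path) and flags any host/user pair that changes file extensions on at least 20 files within 60 seconds, reporting the dominant new extension so responders know what to isolate. The sample log is constructed inline.

```python
"""Added example: flag a burst of extension-changing file renames.

Hypothetical log format (constructed for this example, one event per line):
    <ISO timestamp> <host> <user> RENAME <old_path> -> <new_path>
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) RENAME (?P<old>\S+) -> (?P<new>\S+)$"
)


def parse_events(text):
    """Parse rename events; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "user": m["user"],
            "old": m["old"], "new": m["new"],
        })
    return events


def extension_changed(old, new):
    """True when the rename swaps the file's extension (e.g. .pdf -> .locked)."""
    return PurePosixPath(old).suffix.lower() != PurePosixPath(new).suffix.lower()


def detect_mass_rename(events, window_seconds=60, threshold=20):
    """Return one alert per (host, user) whose extension-changing renames reach
    `threshold` inside any sliding window of `window_seconds`."""
    per_actor = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if extension_changed(ev["old"], ev["new"]):
            per_actor.setdefault((ev["host"], ev["user"]), []).append(ev)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (host, user), evs in per_actor.items():
        recent = deque()  # events inside the current window, oldest first
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                ext, _ = Counter(
                    PurePosixPath(e["new"]).suffix.lower() for e in recent
                ).most_common(1)[0]
                alerts.append({
                    "host": host, "user": user, "extension": ext,
                    "renames": len(recent),
                    "first_seen": recent[0]["ts"].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                })
                break  # one alert per actor is enough to trigger isolation
    return alerts


def build_sample_log():
    """Constructed sample: two benign renames on clerk-03, then a 25-file burst
    on clerk-07 where every .pdf becomes .pdf.locked within about eight seconds."""
    lines = [
        "2019-08-16T09:00:05 clerk-03 asmith RENAME /shares/finance/draft.docx -> /shares/finance/budget_v2.docx",
        "2019-08-16T09:02:10 clerk-03 asmith RENAME /shares/finance/old.xlsx -> /shares/finance/old.xlsx.bak",
        "malformed line that the parser must skip",
    ]
    base = datetime(2019, 8, 16, 9, 15, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=i // 3)).isoformat(timespec="seconds")
        lines.append(f"{ts} clerk-07 jdoe RENAME /shares/records/deed_{i:03}.pdf "
                     f"-> /shares/records/deed_{i:03}.pdf.locked")
    return "\n".join(lines)


def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    return detect_mass_rename(parse_events(build_sample_log()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['host']}/{alert['user']}: {alert['renames']} renames to "
              f"{alert['extension']} between {alert['first_seen']} and {alert['last_seen']}")
```

The threshold and window are deliberately coarse: a user renaming a handful of files, or a single script adding `.bak`, stays below the line, while an encryptor touching a whole share crosses it in seconds. In practice the alert would feed an automated action such as quarantining the host, the same isolation step Lubbock County performed by hand.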