Are cybercriminals counting on the victim making a simple cost-to-benefit decision and letting their cyberinsurer pay the ransom? And, if so, are they targeting companies that carry cyberinsurance?
We’ve discussed the uptick in the frequency, sophistication, and effectiveness of ransomware attacks here on this blog. But an article popped up recently posing the question of whether the presence of cyberinsurance is itself a factor in the rise in attacks. It’s a reasonable assumption: organizations with an insurance policy covering ransomware find it far easier to pull the trigger on paying. A ransom of several hundred thousand dollars may cost the victim organization only a small fraction of that, in the form of its deductible.
Not every cyberinsurance policy pays out. Consider the ongoing $100 million dispute between Mondelez, owner of brands such as Oreo and Nabisco, and Zurich Insurance Group, which denied the claim under the policy’s war exclusion and does not appear to have been settled. Still, organizations whose policies carry proper riders for ransomware face a much easier decision about whether to pay.
So the question becomes: are cybercriminals targeting companies with cyberinsurance? It may seem far-fetched, but think about it. Hackers could compromise an insurer, gain access to an application holding customer policy data, export it and… instant target list.
At the same time, cybercriminals can simply scan the headlines for business verticals that pay the ransom and draw their own conclusions. Take the rash of recent attacks on state and local government: that looks like targeting to me. The attackers may be assuming those organizations have weak security, or they may be counting on cyberinsurance to cover the ransom.
The right answer is don’t wait to find out.
Even an organization with minimal security in place can still put up a good fight with continual Security Awareness Training, which teaches users that an attack depends on them clicking on malicious content. Ransomware attacks can increase all they want. But if users are taught how to spot malicious content in email and on the web and never to engage with it, your organization is safer from the threat of ransomware.