Ransomware attacks are now a topline concern for businesses everywhere. In 2022, organizations worldwide detected a whopping 493.33 million ransomware attacks. According to the latest data from IBM, the average cost of these attacks was $4.54 million.
Those are astounding numbers. And in response, governments are taking action. One of the actions they’ve taken already is forbidding payments to ransomware gangs. Recently, the U.S. and U.K. announced sanctions, including a payment ban to Russia’s notorious Trickbot ransomware gang. Florida and North Carolina have banned state government departments from paying ransom to cyber gangs; New York is considering similar legislation.
Another action governments are mulling is a legal requirement that companies be ransomware-ready. Is this a good idea? In a recent survey by Arcserve, respondents were evenly split on the question. They were also divided on the question of whether companies that do pay a ransom should face penalties. Those supporting penalties argue that paying ransom encourages cybercriminals and perpetuates the problem. Those against penalties say that paying the ransom is often the only way to recover lost data, and penalizing victims amounts to kicking them when they’re down.
These findings highlight the complexity of the issue and the challenges that governments and businesses face in addressing it. For example, legally requiring companies to be ransomware-ready would have myriad benefits and drawbacks. On the benefit side, such laws could improve cybersecurity and limit ransomware attacks. They could reduce the financial impact on companies everywhere and inspire better consumer confidence in data security.
On the drawback side, such laws would likely increase compliance costs, more regulatory complexity, and a false sense of security. While laws could establish a baseline standard for cybersecurity, that standard would be a challenge for many small and medium-sized enterprises. And besides, compliance would not be an ironclad guarantee of immunity to ransomware attacks.
Ransomware-readiness advocates acknowledge these possibilities but assure that a requirement would benefit businesses in the long run. You could compare it to brush-clearing laws in states where wildfires are a risk. Yes, it’s an imposition to clear vegetation around your home, it takes time and money, but it protects you and your neighbors from the widespread and disastrous conflagration. Of course, any ransomware-readiness requirement must be sensible and practical because imposing unnecessary or unreasonable demands could harm businesses more than help them.
Weighing the benefits and drawbacks of regulation
Before deciding on any ransomware-readiness regulation, assessing the potential benefits and drawbacks is essential. Let’s start with the benefits. One of the most significant potential benefits of government-mandated rules is that they would establish a baseline for cybersecurity, leading to a higher level of preparedness in the business community overall.
If more robust cybersecurity measures are mandated, the thinking goes, companies will be better equipped to detect, prevent and recover from ransomware attacks. These measures, in turn, will reduce ransomware attacks, which will benefit companies and society at large. Companies prepared for ransomware attacks will inspire confidence in consumers, who can trust that their data and financial information are safe.
Now for the drawbacks. The biggest is the cost of compliance. Companies would have to spend to comply with regulations mandated by governments, and the expense would be particularly onerous for small businesses. As a remedy, governments could provide tax breaks for companies that comply with a ransomware-readiness requirement. Offering financial relief to companies that meet specific criteria could promote communitywide action.
And then there is the question of complexity. Compliance regulations are already hard to interpret and meet. Any new ransomware-readiness requirements would add more complexity and challenges, particularly for smaller enterprises with limited resources or technical expertise.
Another drawback is that these mandates can lull businesses into a false sense of security. It’s essential to remember that compliance with any potential ransomware-readiness regulations would not guarantee that a company will not fall victim to a ransomware attack. Attackers are constantly at work on their techniques. Many can now bypass even the most robust security measures and will continue to advance their methods with or without government ransomware mandates.
Protecting data, whether it’s required or not
For now, the possibility of ransomware-readiness rules remains open. But regardless of whether government mandates come or not, businesses should still take steps to protect themselves. They can’t simply conclude that if the government doesn’t require it, it’s unnecessary.
A reliable backup system is one of the best ways to guard against a ransomware attack. This system should include storing backups offline or in a secure, isolated environment and testing those backups regularly to ensure they’re working correctly. There should also be a consistent backup schedule, which enables organizations to seamlessly restore any compromised systems or data.
Encrypting your sensitive data is also highly recommended. That way, if ransomware attackers gain access to your critical assets, they won’t be able to extort you. Organizations should look for a data storage solution that safeguards information continuously by taking snapshots every 90 seconds. It means that even if ransomware does sneak through and cybercriminals overwrite your data, your information will still be easily recoverable to a recent point in time. Because the backup snapshots are immutable, you’ll have several recovery points to restore your data intact.
Large and small businesses should also understand that not all data is created equal, so they should consider data tiering. It is a system in which less frequently used, less vital data is moved to lower-level storage, which may be less available and recoverable but less costly. The idea is that because not all data is created equal, the “less equal” data doesn’t need the Fort Knox treatment. Companies should have different policies for different data sets, depending on how quickly they need to access and recover it in case of a ransomware attack.
It will be crucial for governments and stakeholders to carefully evaluate all the potential benefits and drawbacks of ransomware regulations before implementing them. This approach will enable policymakers to determine rules that balance the benefits of improving cybersecurity and the costs companies may incur in complying. Regardless, companies that store and use data — which nowadays is just about all companies — should plan their steps to ensure their data is safe, backed up and recoverable during ransomware attacks.
Ahsan Siddiqui is director of product management at Arcserve.