
Editorial: Paying the price of lax security

Governments around the world routinely proclaim they don’t negotiate with terrorists. Yet, as official archives released years later sometimes reveal, they often do.

While the principle of not encouraging more terrorist activity by offering any concessions may be laudable, when it comes down to specific cases, the consequences of not talking may be impracticable or unpalatable.

The same appears to be true in the world of cyber crime. As we have seen over the past couple of years, and particularly over the past six months, ransomware attacks are becoming an increasing problem for companies and individuals. Apparently easy to obtain for anyone who knows where on the dark web to look, ransomware programs can be used to lock up computers and hold them as virtual hostages until a ransom is paid. Usually demanded in bitcoin, the ransoms may be just a few hundred dollars each, but they can add up to considerable sums if enough people whose data has been captured pay them.

And for some companies, paying the ransom is worth it. As we report on page 27, while major ransomware attacks such as WannaCry and NotPetya grab most of the attention, companies are being hit by a steady stream of smaller attacks and must face the decision of either losing their data or paying up. Given the importance of data in today’s commercial world, it’s understandable that some organizations feel that they really have no choice in the matter.

While they may resent making any payment to criminals on principle — and fear that their data won’t be decrypted even if they do pay — companies must act in the real world. They have to continue operating uninhibited and must do whatever it takes to keep their businesses running.

Given the volume of attacks, though, they also must take measures to at least reduce or even eliminate the impact if they are held to ransom.

The first step should be having backup protocols in place. By frequently backing up their data, organizations should be able to isolate ransomware attacks when they occur and draw on their backed-up data to continue their operations. With Plan B in place, organizations should then be able to concentrate on installing high-quality cyber security programs and training employees, regularly and consistently, in cyber security best practices.

Insurance can also play an important role. Coverage for ransomware attacks is available under both kidnap and ransom policies and cyber liability policies, so policyholders should be able to secure coverage in the event their security efforts fail. And as the cyber liability market matures, with more underwriters offering broader coverage and higher limits and building cyber risk pricing into more lines of coverage, they should be able to offer lower premiums to better-protected risks. At least, that’s how it should work in principle.
