Gavin Struthers, Senior Vice President Asia-Pacific & Japan at Sophos
According to a recent Sophos ‘State of Ransomware 2022’ report, 78% of the organizations surveyed in India were hit by ransomware. Of these, 80% of the attacks resulted in data being encrypted, usually the last phase of a ransomware attack.
Digitaltech Media interacted with Gavin Struthers, Senior Vice President, Asia-Pacific & Japan, Sophos, to understand why ransomware needs to be addressed in the boardroom and how businesses can embrace threat hunting directly or through a Managed Threat Response (MTR) service to safeguard their assets from the fast-evolving cyber threat landscape.
Read the excerpts from the interview below:
DTM: Could you elaborate more on the Sophos ‘State of Ransomware 2022’ report?
Gavin: Our report found that 78% of the Indian organizations surveyed were hit by ransomware in 2021. The previous year this figure stood at 66%. India was among the top five countries hit by ransomware out of the 31 countries surveyed. But the most startling statistic is that when organizations were hit by ransomware in India, 80% of them had their data encrypted, and 78% of them chose to pay the ransom to retrieve data. Globally this figure stood at only 44%.
The State of Ransomware in India 2022
- 78% of Indian organizations were hit by ransomware in the last year.
- 80% of attacks resulted in data being encrypted.
- 98% of those whose data was encrypted got some of their data back.
- Paying the ransom was the #1 method used for restoring data.
- 65% used backups to restore data.
- Indian organizations that paid the ransom got back on average 71% of their encrypted data.
- The average Indian bill to recover from a ransomware attack in 2021 was US$2.81M.
- 97% said the ransomware attack impacted their ability to operate.
- Indian organizations took on average one month to recover from the attack.
- 89% of organizations have cyber insurance that covers them if hit by ransomware.
- 94% of respondents in India reported that their experience of getting cyber insurance changed over the last year.
DTM: Why do you think the Indian figure stood at 78%?
Gavin: There are essentially two angles to it. The first could be that they were not prepared, which means they did not have adequate business continuity plans and failed to do their backups properly. It is a lesson for Indian organizations that they need to be more proactive, prepared, and vigilant.
The second is that the ransomware tactics could have changed as they keep evolving. Ransomware attackers threaten and extort organizations that they may leak their sensitive data. Organizations worry that their brand and crucial data are getting exposed, and the sooner they can pacify the attackers by saying that they will pay them, the faster they can get their data off their hands and from being misused for wrong purposes.
DTM: So, what are the key questions organizations must ask themselves about ransomware?
Gavin: Organizations need to delve deeper into how prepared they are for a ransomware attack.
When we interact with organizations, we ask the following key questions:
- How recently have you revisited the cybersecurity response plan?
- Have you assessed your readiness? i.e., have you hired a third-party provider to tell you whether you have potential misconfigurations and gaps in your policies, plans, and procedures?
DTM: How can organizations ensure that they have the best and most effective incident management plan for ransomware incidents?
Gavin: When an organization gets attacked, it needs a business continuity plan, along with the right people, processes, and technologies. Many organizations think that this is a technology problem, and hence they purchase more technology. There are around three and a half thousand security vendors in the market, and they all say and pretend that their technology is the super bullet to solve the problem.
This has become a global phenomenon due to a lack of awareness and ignorance. But the bottom line is that organizations cannot always be 100% protected and can be compromised. It usually starts with human error, following which humans get scammed, spammed, and phished.
Human ignorance and error are the top two issues we have to deal with. While awareness around cybersecurity has improved in the boardroom, the world has changed, and consumers need to trust an organization. Organizations will have to start by embedding security into everything they do. An effective incident management plan will require them to transform their business model and apply cybersecurity as if it is built in.
DTM: What advice is Sophos giving to businesses and boardrooms so that they take ransomware issues more seriously?
Gavin: While being prepared is one aspect, the other is what we have learned in the last 24 months. Organizations must understand that they are likely to have many holes in their buckets, and their walls will get compromised due to human error or some smart tactic that the bad guys have orchestrated through sophisticated tools. Hence, you require a 24×7 approach.
Organizations today require smart cybersecurity analysts and threat hunters to decide what looks strange and what is likely to be a problem.
Having a 24×7 mindset implies that we have to keep monitoring every second, hour, and day. Hence, organizations require a team, which they can either build themselves or outsource to a third party. At Sophos, our partners offer a managed threat response service, a 24×7 service where the partner is inside the organization’s world and gathers telemetry from all their devices and applications. These partners contextualize and suggest what looks odd.
This proactive monitoring is what we call cybersecurity-as-a-service. Our recommendation to boards is that they now need to think about detection & response capabilities, delivered by our 24×7 practitioners who monitor, threat hunt, and analyze the environments.
DTM: So, what challenges are you dealing with on this path?
Gavin: The problem is that you need good skills. Cybersecurity skills and lack of expertise are the challenges that we face today. Not enough people are coming into the system, especially women.
DTM: Have you done crisis management and recovery testing for ransomware attacks on critical systems?
Gavin: Sophos has a managed threat response service, a 24×7 service. We also have a rapid response team that responds to attacks that are happening in real time. We have extensive experience around all of that and have also witnessed dire attacks happening in real time, where we had to come live, identifying attackers coming in and moving sideways. We were able to pre-empt and shut the attackers down and often saw them pop up again even as we navigated to find all the indicators of compromise and attack. We have a platform called XDR, which is an expansion of EDR. We use all the information gathered from mobile devices, firewalls, and other devices and adjust and correlate it to identify where the problems are, and within minutes of a crisis or an attack we can identify a problem and neutralize it.
Our managed service partners also embrace our platform to deliver a 24×7 managed threat response service. Sophos is one of the few organizations in India and globally that does it at scale. We already have about 9000 customers for the MTR service globally. It is the fastest-growing area of our business, and we believe that going forward Sophos will continue to deliver cybersecurity services at scale.
DTM: What other cybersecurity threats do you foresee in the days to come?
Gavin: Ransomware is the epicenter of all the cyberattacks we see today. We foresee more Linux-based attacks as Linux OS has a massive footprint, both on-premises and in the public cloud. We could also see mobile attacks continuing. People in India today carry out extensive financial activities on their mobile phones. It is a tremendous hunting ground for credential stealing and man-in-the-middle attacks. Apart from this, cryptojacking will be another popular phenomenon visible in the future. We will have to be vigilant and see whether crypto miners are using our resources for the wrong reason. But mostly, it is the ransomware threat that will be prevalent, as that is where most of the money is.
DTM: What incentives are you offering to the partners?
Gavin: Partners are the front and center of everything we do.
We have created a community called Alpha. It is a technical community, and an extension of Sophos. Whatever training we get, we take it to them. So we will provide master classes on MTR (Managed Threat Response) to our key partners who want to become experts in the area.
We will also have another community called Alpha Elite with a separate set of requirements. We want to have them since customers need them, and we don’t have enough scale to get to the entire community. Sophos will provide them incentives to join the elite group. We will also carry out a 13-city roadshow where we will not just tell our partners where the money and deals are but also suggest how they can become better trusted advisors to their customers.