In 2019 alone, ransomware is reported to have caused up to $170 billion of damage to organizations across the globe. This year, the extent of the damage is likely to be far greater. In its Mid-Year Threat Landscape Report for 2020, Bitdefender reported a 700% increase in attempted ransomware attacks compared to the same period in 2019. The recent dramatic rise in attacks also ties into a longer-term trend: as cybercriminals target valuable customer and employee data directly, the likelihood that a ransomware attack also becomes a data breach keeps rising.
Faced with this ransomware onslaught, organizations of all kinds need to rethink how they protect themselves. Part of that rethink means treating better privacy protection for employees and protection against a ransomware attack that exposes customer and employee data as one problem rather than two. With federal agencies signaling the possibility of fines for paying ransoms, and the liability for exposing personally identifiable data likely to rise significantly, not doing so will soon be too costly to consider.
Why ransomware is becoming more dangerous
Even though some reports suggest the number of successful ransomware attacks is decreasing, the damage done by the attacks that do succeed is rising fast.
This is partly because threat actors increasingly use human error as their entry point into corporate networks. Compromising a single user hands the attacker whatever access that user's account carries, so the excess privileges that organizations overlook as they rush to adopt technologies like cloud computing become the attacker's privileges too. Using COVID-19-related concerns, combined with stolen credentials or leaked personal data, as the hook to catch victims, targeted phishing has become a common entry point for the most devastating ransomware attacks.
Another reason ransomware is becoming more dangerous is the amount of data a successful attack now exposes. According to the recent Mid-Year Report by Risk Based Security, the median number of records exposed per data breach in the first six months of 2020 was 54% higher than in the same period of 2019. With the average cost of a successful data breach also doubling between 2018 and 2019, ransomware can cause irrecoverable damage to compromised organizations.
However, as devastating as ransomware attacks and the resulting data breaches already are, the damage they cause is likely to rise further still. This is partly due to increasingly strict data protection laws that can fine organizations for allowing a data breach to occur.
CPRA, GDPR, and ransomware
Expected to pass at the ballot this November, the California Privacy Rights Act (CPRA) sets a precedent for data privacy that also increases penalties for offending organizations. By stipulating harsh fines for violations of the law, including allowing a data breach to occur, it would significantly increase the liability that a successful ransomware attack creates.
If it succeeds in California, rising public demand for data protection makes it highly likely that similar laws will soon appear elsewhere, too.
The CPRA is modeled on the General Data Protection Regulation (GDPR), enforced by the European Union since 2018. With a maximum fine of €20 million (roughly $24 million) or 4% of a company's worldwide annual turnover, whichever is higher, GDPR has substantially increased the financial risk from ransomware attacks. That exposure applies to any organization processing EU residents' personal data, not only to companies based in the EU.
Cybercriminals have also turned GDPR itself into leverage: after stealing customer and employee data from a victim, they threaten to report the breach directly to EU regulators unless a ransom is paid. The threat has teeth because a breach of personal data must generally be notified to the supervisory authority within 72 hours under GDPR anyway, so paying buys silence from the attacker but no relief from the reporting obligation.
While the CPRA and any subsequent acts are unlikely to go quite as far as GDPR, liability for data breaches is still increasing. As laws like the CPRA become commonplace across other states, organizations will be expected to provide stronger protection for both customer and employee data. That expectation also plays into the hands of cybercriminals: when they estimate how much an organization will pay to regain access to its data, they can price in the knowledge that the victim also faces the risk of heavy fines.
Rather than waiting for a legal push to act (or a punishment for not acting), the prospect of tightening regulations means that the time to start prioritizing privacy is already here. Doing so makes meeting future regulatory requirements less painful, and it benefits organizations in more ways than one.
Creating a culture of privacy provides protection, prevention, and employee retention
Creating a strong culture has long been recognized as a driving performance factor among market-leading companies. When it comes to privacy, this rule holds. To safeguard themselves from ransomware attacks that exploit employee information, and to provide an added benefit to new and existing staff, organizations need to take a proactive, culture-first approach to privacy.
In essence, this means weaving privacy into the fabric of an organization. For employees, this creates a privacy-first working environment that ties in with their personal feelings about how companies manage their data.
As well as helping protect against targeted phishing scams by minimizing the amount of employee data available to cybercriminals, creating a culture of privacy is also key to attracting and keeping the best people. Research by Accenture shows that nearly 55% of potential employees would not apply for a job with an organization that doesn't use their data responsibly. Remote working has further exacerbated these concerns. According to a survey conducted by Lenovo in June, over 70% of employees are concerned about their data privacy when working from home.
With an average cost to a business of roughly $150 for each record of employee personal information exposed to a third party, keeping employee data private is also a financial imperative. Legislation like the CPRA, which calls for fines on incidents of employee data exposure to be as harsh as those for customer data exposure, will further underscore the value of employee privacy.
Privacy as a benefit
To mitigate the rising costs that a lack of employee privacy protection creates, organizations need to look at how they can integrate a culture of privacy into their operating ethos. An effective privacy culture is one that extends privacy to employees as part of their remuneration package, similar to health care options, retirement benefits, and other perks. In this way, privacy can appear on the plus side of the equation when it comes to company culture.
For managers, this means approaching privacy from the top down. Companies need to be transparent with employees regarding how, why, and when they access and use their data. Rather than seeing information as a one-way street (i.e., from employee to employer), companies need to be conscious about getting employee buy-in regarding how their data helps with performance monitoring or productivity management.
Organizations should also consider giving employees privacy benefits beyond the workplace. Security awareness training that covers ransomware and phishing, combined with regular scans for employee PII exposed on the open web, can together give employees insight into how to achieve greater privacy in their business and personal lives, which, for better or worse, are increasingly blurring.
Employers can further extend privacy protection to their employees by giving them access to tools and services as a natural part of the benefits package. Making employees aware of how and where third parties outside the workplace harvest their data will go a long way toward improving data security awareness on the job, too.
The rise of ransomware has been one of the many negative developments that this year has brought. As part of a rising wave of cybercrime that is estimated to cost the world economy over $6 trillion per year by 2021, ransomware attacks present a terrifying prospect for every organization.
The steady advance of privacy-focused data protection legislation will further increase the onus on companies to protect against ransomware attacks and secure their customer and employee data. This legislation will also embolden cybercriminals to target companies directly, knowing that the stakes are higher when they set a ransom demand. To meet these challenges and create a better working environment for privacy-conscious employees, creating a culture of privacy is vital.
Creating a culture of privacy doesn’t just minimize the amount of data that can be potentially leaked. It also helps prevent ransomware by protecting employee personal information from being accessed by third parties and raising awareness of the threat itself. This might sound like an overly simplistic step to take when faced with sophisticated ransomware attacks. But, it’s worth remembering that over 40% of employees are not even aware of what ransomware is.