This article first appeared in Digital Edge, The Edge Malaysia Weekly on December 11, 2023 - December 17, 2023

In recent years, ransomware has surged as a pervasive global threat, infiltrating networks, disrupting operations and extorting millions from individuals and organisations. Its exponential growth has sparked widespread concern among cybersecurity experts and governments, highlighting the need for robust defences and international collaboration to combat this escalating cyber epidemic.

Every country has become a target in these malicious attacks, and Malaysia is no exception.

“In fact, the Sophos State of Ransomware Report 2022 found that Malaysia had the third-highest number of organisations hit with ransomware globally, with 79% experiencing ransomware attacks, and Malaysia had the world’s seventh-highest average ransomware payment of close to US$900,000 (RM4.2 million),” says Sathish Murthy, senior systems engineering lead at Cohesity Asean and India.

Ransomware has undergone a notable evolution, advancing from basic attacks that could be countered by traditional backup solutions to more sophisticated tactics. The second iteration targets data backups before encrypting production data, limiting recovery options and bolstering ransom demands.

The latest evolution involves encrypting and stealing data, leading to “double extortion” schemes that expose or sell sensitive information.

Ransomware-as-a-Service (RaaS) has certainly gained traction among major malicious groups, offering tools like Locky, Goliath and Shark to less-skilled cybercriminals. This helps them execute faster and more frequent attacks, amplifying the urgency for robust data security and proactive defence strategies.

“Currently, Malaysia is on a significant digital transformation and new technology adoption journey, which is an important step for helping the economy develop, increasing job opportunities and regional or international competitiveness. At the same time, this adoption of new technologies — whether it be 5G, IoT (Internet of Things), AI or cloud applications — increases the amount of data generated. That, in turn, expands the attack surfaces that malicious actors will look to exploit,” says Sathish.

There are a wide range of tactics and techniques that these malicious actors use that create data security and business continuity challenges.

“Malicious actors gain their leverage by focusing on the sensitivity or criticality of that data to their most critical business processes. This is why we see acutely targeted attacks, as malicious actors look to disrupt companies’ operations and impact revenue generation. We also see malicious actors threatening to release sensitive data or demanding multiple payments to be able to retrieve data in a restorable form,” Sathish explains.

The key challenge that companies and their IT or security teams face when securing data is how they can manage and protect data to ensure their core systems, business processes and operations are not disrupted. This is important regardless of where the data is stored, because a company’s attack surface is defined by the business-critical data that they store.

“To address the challenge posed by ransomware, it is vital that an organisation’s people, processes and technology cohesively come together to address the sophisticated cyberthreats that exist.

“Taking advantage of modern data security and management platforms that align with zero-trust principles, provide scalable visibility of data, have AI-powered anomaly detection and snapshot immutability, and effective identity and data access management controls, helps enable better cyber resilience,” shares Sathish.

The rise in ransomware has also fuelled a surge in the adoption of cyber insurance among businesses worldwide. Its popularity stems from providing a proactive shield against financial repercussions arising from data breaches and cyber-related risks.

“Cybersecurity insurance is designed to provide financial protection against losses resulting from cyberattacks, data breaches and other cyber-related incidents. It may cover costs related to lost income, legal fees, data recovery fees, employing a cybersecurity rapid response and remediation task force; and, in some APAC (Asia-Pacific) markets, it has even covered the cost of hiring a public relations firm to help with damage control to a company’s brand.

“Cybersecurity insurance policies typically include coverage based on first party or ‘direct’ losses, such as lost revenue or data recovery costs, and third-party losses like legal costs and settlement payments,” he explains.

Five key factors significantly impact cyber insurance qualification, coverage and premium costs: a company’s data security measures, historical data breach incidents, revenue size, geographical location and industry type.

Insurers leverage these factors to assess and underwrite risk when issuing policies. Particularly crucial is the industry a business operates in, as sectors like healthcare, finance and energy utilities, often classified as critical infrastructure, have specific requirements due to their heightened risk profiles and regulatory standards.

One of the greater issues plaguing the industry and this expansion on an international scale is also a talent shortage.

“This is also true in Malaysia, which faces a predicted shortfall of 12,000 cybersecurity workers by 2025, according to the Department of Skills, CIAST and Cybersecurity Malaysia,” says Sathish. “Therefore, the adoption of capabilities that help automate the mundane and deeply voluminous such as AI-powered data security, recovery and management capabilities is vital, as these capabilities free up precious human resources to focus on the more complex or important IT and security tasks.”

The best way to qualify for cyber insurance is for companies to first prove they can adequately protect their existing data.

“Like home contents or car insurance policies, an insurer will want to know that a company has existing cyber and data security capabilities such as email security, data protection policies and data access controls. Where most companies fall short is having adequate and robust internal security controls and a modern data recovery solution that meets the stringent requirements of a worsening cyberthreat landscape and cyber insurance policy prerequisites,” Sathish shares.

For some companies, opting for regular cyber insurance premiums proves more financially feasible than investing upfront in cutting-edge cybersecurity and data recovery technology. Cyber insurance providers often enforce data security prerequisites, a crucial consideration for companies, including small and medium enterprises (SMEs), before opting for coverage. In certain cases, investing in cyber resilience capabilities upfront becomes necessary before cyber insurance is attainable for businesses of any size.

Sathish’s advice for companies looking to beef up their data security protocols prior to qualifying for cyber insurance is to ensure they have solid data security and a recovery. These include having multiple data backup copies — for example, adopting the 3-2-1 approach to data backups — or having immutable backup snapshots that cannot be modified by malicious actors.

“Companies should also have strong data access controls like role-based access controls (RBAC) and multifactor authentication (MFA); having air-gapped or isolated backups whereby they are stored in isolated cloud or offline locations; data backup integrity scanning so that backups can be kept free of malware before being used to restore files; instant mass restore capabilities for rapid restoration of systems; and regular testing of data recovery processes and systems — some insurers ask for proof or assurances of a successful restoration test within the prior six months,” he says.

It is also important to ensure regular security assessments and employee training, especially on the latest social engineering techniques, developing and practising incident response protocols, regular vulnerability and penetration testing, and updating cyber resilience capabilities based on new threat trends.

“The latest data security and management platforms now provide data classification or threat intelligence to help companies understand what sensitive data they have, where it is located, and what is or might be exposed. At Cohesity, we’ve bundled this into a complete solution called DataHawk, and we have customers who have shared that this has been helpful in their recent cyber insurance qualification,” he says.

Additionally, says Sathish, recent advancements in data recovery technology introduce cloud-based cyber vaults, revolutionising data storage for critical information during cyber crises.

These vaults, akin to traditional offsite backups but are faster and cost-efficient, especially benefit smaller companies by basing costs on stored data volume rather than logistics expenses.

Enhanced data management and security platforms, like those at Cohesity, not only fortify data security but also render data AI-ready, enabling functionalities such as pattern recognition, autonomous monitoring and comprehensive issue remediation for businesses.

According to Sathish, companies that have to fall back on cyber insurance prize discretion, as the insurance payout would have likely covered remediation and recovery. As such, they will not want to invite future attacks. Despite its coverage, cyber insurance might not fully cover the fallout costs either, as research indicates that the average expense of a ransomware attack far exceeds the initial ransom demand by 10 to 15 times.

“There are also some markets where there are financial regulations or legislative penalties for data breaches that may not be negated by cyber insurance. It isn’t guaranteed to cover all lost revenue or rebuild a company’s reputation. This is why focusing on cyber resilience first and making cyber insurance a pillar of your strategy is ideal,” he adds.

“If a company has modern data security and data recovery capabilities, the right human resources and processes, then it may not require cyber insurance at all because it can remediate and recover from the attack on its own without having to pay a ransom and its data is protected even if a breach occurs. This is particularly the case if the company proactively chooses not to pay the ransom.”

In a time where cyberattacks are an inevitability rather than a possibility, companies must adopt a holistic approach comprising people, processes and technology to bolster resilience against ransomware.

“While cyber insurance can be a great pillar of cybersecurity and cyber resilience strategies, it can’t be the only pillar.”

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's App Store and Android's Google Play.