Ransomware as a service (RaaS) has become increasingly popular. The practice lets the malware author scale earnings while off-loading personal risk to those perpetrating the actual crime. But as these crimes hit critical targets, policymakers are starting to step in, which will only increase your cyber compliance risk. What’s going on?
Cyber crime growing in complexity
Indeed, there was hope last year that the ransomware threat had ebbed. After all, analysts reported steep declines in ransomware detections from early 2021.
Ransomware attacks didn’t go away, though. Thanks to the increasing popularity of RaaS, they only got more sophisticated.
How so?
Nowadays, the author of the ransomware makes their software available to customers dubbed affiliates. These affiliates often lack technical skill of their own, but can use the software to hold people’s data hostage.
It’s this scaling of potential criminals that’s of greatest concern to organizations.
Not just that, the threat’s been exacerbated by geopolitical tensions, as well as increasing access to cryptocurrencies and dark money, and the generalized instability unleashed by the pandemic.
Targets, too, are getting more critical: public utilities and other critical infrastructure, as well as mission-critical software services.
Cyber compliance grows more complex
This rise in attacks on critical assets has provoked a backlash from policymakers and regulators. They’re stepping up efforts to keep sensitive data safe.
Many of these regulatory regimes were already in place before the pandemic. However, they’re being deepened and expanded.
In fact, if Gartner’s forecasts bear out, we’ll see two-thirds of the world’s population covered by data privacy regulations.
Just in the U.S., five states will roll out comprehensive consumer privacy laws this year. In 2022, alone, at least 40 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity, according to the National Conference of State Legislatures. And of those, 24 states enacted at least 41 bills.
National regulators like the Securities and Exchange Commission (SEC) are increasingly proposing new disclosure requirements on regulated entities, as well.
Looming cyber compliance risk from overstretched staff
All of which opens up more risk for companies. Some requirements are simple. Many, however, are more onerous, such as the timely reporting of material cybersecurity incidents and follow-up reporting.
Many organizations don’t know when they’ve been breached. They lack the manpower and capabilities to detect or respond.
That’s because security teams are already swamped: the sharp rise in cyber-attacks has produced an even sharper rise in data alerts that security personnel must triage. The increasing pace of automatic notifications has also created alert fatigue among overworked personnel.
As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations, according to the International Data Corporation. Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.
What then can be done to address the increasing cyber compliance risk that comes from failing to detect and triage cyber attacks? Download our Guide to Deploying Data Alerts to Improve Strategic Cyber Incident Response and Management to find out.