Note: This originally appeared on the PCI Security Standards Council blog.
Ransomware attacks continue to present a serious threat to businesses. Christopher D. Roberti, Senior Vice President for Cyber, Intelligence, and Supply Chain Security Policy at the U.S. Chamber and PCI SSC Executive Director Lance Johnson discuss the threat to businesses across the U.S. and around the world and how to better guard against this attack.
Why is the issue of ransomware attacks so important right now?
Lance Johnson: Ransomware attacks continue to be popular with cyber criminals around the world and are a threat we continue to hear about from our global stakeholders. The average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. Understanding these threats and how to defend against them can help better protect merchants who are at risk.
What exactly is a ransomware attack?
Lance Johnson: A ransomware attack involves cyber actors gaining access to your network, systems and data and then rendering parts of these unusable, and/or stealing some of the data you have stored. The cyber-actor then ‘ransoms’ the data back requiring payment to provide a decryption key to allow for the recovery of the encrypted data and systems or to guarantee sensitive data is not further exposed. In some cases, ransomware actors will publicly release or sell the data that has been stolen if the victim does not pay. Ransomware attacks are often the result of a phishing attack, when a company employee clicks on a malicious link, or the exploitation of known vulnerabilities in outdated software that an organization has not updated using patches they receive from software vendors.
Why should the business community care about these attacks? Who is most at risk?
Christopher D. Roberti : Businesses of every size are targets of ransomware attacks. It is no longer something that only large organizations have to worry about.
Ransomware poses an imminent threat to America’s overall economic health as cybercriminals increasingly target small businesses. On a U.S. Chamber of Commerce webinar just last year, U.S. Secretary of Homeland Security Alejandro Mayorkas noted that small businesses comprise approximately one-half to three-quarters of the victims of ransomware at that time. Moreover, more than $350 million in victim funds were paid as a result of ransomware in 2022 to date, and the overall rate of ransomware attacks has grown by more than 300% from the previous year.
What can be done to guard against ransomware attacks?
Lance Johnson: When it comes to protecting payment card data, which is often the target of a cyber-attack, adherence to the PCI DSS is considered a best practice. PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.
For dealing with the threat of ransomware attacks related to payment security, the PCI DSS has recently published an updated infographic on ransomware attacks. In our infographic highlight the best steps for protecting payment data against ransomware attacks. We also put out a ransomware bulletin earlier this year with the National Cybersecurity Alliance.
What should small merchants do to better understand this risk?
Christopher D. Roberti: As hybrid and remote work environments have increased dramatically since the beginning of the COVID-19 pandemic, ransomware attacks have increased and continue to be an ever-present threat. The U.S. Chamber of Commerce has made this issue a priority and we have produced numerous Chamber resources for our members with the goal of educating them about the threat and ways to better defend against it. The best defense against ransomware attacks is to educate yourself on the nature of the threat, build relationships with law enforcement, create (and execute) plans to protect and recover your business. Some helpful resources for that include: