Cyber Risk, IT tools, and Ransomware Trends (Oh My!): Analysis from Pre-Pandemic to 2021
Below, we’ve highlighted some of the data that intrigued us most from our inaugural Corvus Risk Insights Index. To see all of our findings, you can download the full Index here!
Since March 2020 we’ve seen a lot of change, from where we work to how we work. An entire company going remote is a big adjustment, especially on a rapid timeline. As if that wasn’t enough of a concern for IT managers in 2020, ransomware was on the rise. As organizations figured out how to tackle these challenges over the next 18 months, what did their actions mean for their cyber risk profiles — in the use of security tools, management, and preparedness — and how did that vary across sectors?
To start to answer these questions, we’ve collected data from the three months leading up to March 2020 (pre-pandemic for those of us in the United States), and then mid-March to mid-May 2021. Our objective? Understand the IT trends across various industries throughout this — we’ll avoid saying unprecedented, but you get the idea — past year and a half. Are certain industries ahead of others when it comes to mitigating cybersecurity risks? Were certain security measures prioritized over others, especially as remote work became central to our daily lives? What cyber incidents are on the rise, and which ones have we begun to combat successfully?
For the IT trends portion, we’re using proprietary data sourced from our in-house scan technology that we use as part of the insurance quoting process. We’ve excluded scans that were performed for our existing policyholders, as our risk mitigation efforts lead to substantial changes in key security measures that would skew results. Instead, we sourced from scans done at the point of quoting, before the organization becomes a Corvus policyholder (or not). To track the trends in ransomware and other incidents, we’re using our own claims team’s metrics.
Presence of Remote Desktop Protocol
Remote desktop protocol (RDP) allows users to access desktop computers from separate locations, enabling them to edit original files and use applications when working away from the office. Last year, just as we were seeing a surge of employees logging in from home, there was a crescendo of attacks linked to the exploitation of accessible ports commonly used for RDP.
Security practitioners have brought attention to the risks attached to the use of accessible RDP, and their efforts have largely reduced the presence of accessible RDP by nearly half. Fortunately, it wasn’t an incredibly common occurrence before the pandemic, but we’ve still seen an overall decrease in usage across industries. Before March 2020, we saw results in the ballpark of 2-10% of organizations in a given industry having accessible RDP, whereas now we’re in the range of 0-4%.
Among Insurance Agents & Brokers, we saw one of the most notable decreases from pre-pandemic to now, dropping from 7.58% to 1.77%. On the other hand, Restaurants and Retail were the leading two of the few industries to see an increase in usage.
Cyber insurers, among security practitioners, were relevant contributors to the successful awareness campaign that led to a decrease in RDP presence. Among our policyholders at Corvus, we see RDP presence at almost zero, thanks to a policy implemented last year. Since IT systems are constantly changing, it’s hard to reach a perfect eradication of RDP, but it remains a tiny fraction (thousandths of a percent at any given time) among our policyholder base.
Email Security Provider Usage
At Corvus, we encourage the use of email scanning and filtering tools for basically any organization. It can help prevent business email compromise through phishing, a popular form of social engineering, as well as provide more basic security functions to safeguard private information.
Just as we saw a reduction in vulnerabilities from pre-pandemic to now, we saw a big increase in organizations utilizing email security software: 2.5x more organizations implemented email security, a 158% increase across industries. Not a single industry remained flat or down on this measure; instead, we’re looking at many industries experiencing a 3-4x change. Across the industries we studied, K-12 schools had the lowest growth figure, still at a laudable 23% increase. The next lowest was 34%.
Some standout sectors of growth include:
- Real estate agents & real estate operators (lessors) — two different sectors — with major jumps from low bases. They both are experiencing 4x growth.
- Transportation had nearly 1000% growth, from 1.5% up to 16%.
While it appears that the shift in widespread remote work may have encouraged this lift in usage, we want to highlight that the post-pandemic average is only at 16.8%. While we’re optimistic about the positive trend, we believe that the software can and should be more widespread than it is now. There’s definitely room to keep the good momentum going.
As we’ve seen above, more organizations are using email tools to mitigate risk. But are all email security providers created equal, and are these tools actually protecting organizations from a phishing incident? Our data science team investigated further to answer those questions:
- The data science team analyzed the rates of phishing incidents amongst our policyholders, based on the email provider or security tool used by the organization. For policyholders using an email security service or tool with a below-average rating (a higher level of incidents), we see a 45% increase in the likelihood of a phishing claim, and a 2x increase in the likelihood of any cyber claim (when compared to the group using above-average tools).
We saw a steady rise in the frequency of ransomware claims among our policyholder base from Q2 last year through Q1 of this year. But the frequency dropped by 50% in Q2 of 2021, which we attribute to the shutdown of two prolific ransomware groups: Darkside and REvil, in May and July 2021. That rate has largely stayed the same through Q3 (only up a tenth of a percent).
Data exfiltration refers to the theft of data from a victim’s IT system and is a tactic we’ve seen used by threat actors to “double extort” and increase leverage. For example, imagine a victim whose system is encrypted by ransomware but is prepared with a robust backup strategy and is able to confidently reject the initial demand. In this situation, the threat actor will need to find something beyond encryption to compel a payment (or otherwise give up). By stealing sensitive data and threatening to expose it — potentially leaving the victim with hefty regulatory fines and reputational damage — the attackers may salvage a return on their hacking efforts. They may also double extort victims by, after being paid to decrypt their system, returning to seek a second ransom payment through the possession of sensitive data.
Exfiltration is down slightly this year so far, from 27% of all ransomware incidents in 2020 to 22% this year to date. Prior to 2020, it was rare. Unfortunately, we don’t anticipate that this will be an extended decline as “Ransomware as a Service” enterprises continue to evolve and find ways to make money through providing access to victim systems for any willing buyer.
Better Backups = Fewer Ransoms Paid — but costs are up
The conversations around ransomware can sometimes feel apocalyptic, especially as we see a cluster of newsworthy breaches. However, we’d like to encourage some optimism around the reality of dealing with threat actors. We’ve seen that, despite the efforts of criminals to double-extort victims, organizations have avoided large ransom payouts with effective backups. The combination of internal and offsite backups can act as a failsafe to prevent catastrophic results after a cyber incident. Download our full report for more on the ratio of demands to ransoms paid.
We saw lower quarterly averages of ransom paid in the first half of 2021 compared to 2020, but Q3 saw a more than 2x rise. While the average of $290K for the quarter marks a return of the high average we hadn’t seen for over a year, there is a reduction in overall attack frequency and a drop in successful attacks that mitigates the aggregate impact.