Trust in Legacy Vendors Sinks as Ransomware Spikes

Organizations are losing trust in legacy vendors as ransomware payout demands and extortion fees massively increase and organizations get slower at detecting cybersecurity incidents.

These were among the findings of CrowdStrike’s Global Security Attitude Survey, conducted by research firm Vanson Bourne.

The study of 2,200 senior IT decision-makers and IT security professionals found 66% of respondents’ organizations suffered at least one ransomware attack in the past 12 months and more than half (57%) of businesses did not have a comprehensive ransomware defense strategy in place.

Ransomware Demands are Escalating

Meanwhile, the average ransom payment increased by 63% in 2021 to $1.79 million, compared to $1.10 million in 2020.

The fact that organizations are almost universally getting hit with “double extortion” further increased the financial impact of ransomware attacks on these businesses.

This is when threat actors not only demand a ransom to decrypt data but also threaten to leak or sell the data unless the victims pay more money.

The survey revealed nearly all (96%) organizations that paid a ransom were forced to pay additional extortion fees, costing businesses on average $792,493.

A Symptom of a Larger Shift

Mohit Tiwari, co-founder and CEO at Symmetry Systems, explained an increasing number of attacks are primarily a symptom of enterprises moving from network-perimeter defenses with a squishy middle to workloads on the cloud that are open to the internet and where small errors on even enterprise-internal applications can get amplified.

“There is no use blaming traditional vendors—newer vendors don’t have a silver bullet, either,” he said. “Instead, it is more valuable to build cloud-enabled security tooling with open interfaces and open evaluations.”

Recent attacks such as Sunburst and Kaseya have once again brought supply chain attacks to the forefront, with 45% of respondents admitting they had experienced at least one supply chain attack in the past 12 months.

More than eight in 10 respondents (84%) said they are fearful that supply chain attacks will become one of the biggest cybersecurity threats in the next three years.

“Supply chain attacks are just one vector—cloud permissions, insider threats and application-security attacks are other vectors that have led to major incidents recently,” Tiwari pointed out.

The Problem With Processes

From Pathlock president Kevin Dunne’s perspective, more applications than ever before mean more data than ever before, and you can’t be everywhere at once.

“It’s harder to implement effective and consistent controls across all these applications for critical business processes, whether it is pay-to-procure, payroll, expense approvals and reporting and so on,” he said. “Apps are being used in ways that are possible but that may not have been intended, so it stretches security models.”

For example, the early days of the internet saw operating systems that were never designed for wide-scale networking connected to it. Some of these legacy apps fit the same bill with regards to the processes they’re being asked to be a part of.

In addition, business transactions and processes (both internal and external) include and require a parade of applications to perform correctly and legacy, foundational apps often interact with special-purpose apps to move a request/transaction through a workflow.

“The remote workplace requires these processes to be executed in seemingly infinite new ways—from new source locations, new devices, across on-prem and cloud applications,” Dunne said. “It’s the fear of many that legacy applications can’t keep up with these logistical gymnastics in a secure and performant manner.”

However, all these applications—whether legacy or new entrant—need effective process controls applied to reduce the risk and resulting anxiety.

In fact, Dunne said, access controls/orchestration applied to these “legacy” apps is an effective way of improving the security posture of those applications/systems, limiting the scope of activities where warranted, that would otherwise be unavailable natively.

He pointed out that “legacy” might be an unfortunate descriptor of “in widespread use”, especially in the case of vendors like Microsoft.

“The massive global adoption of a technology provider like Microsoft obviously leads to being targeted frequently; it’s a numbers game,” he said. “Therefore, any attack, attempted or successful, is newsworthy, contributing to negative associations.”

Introducing the Human Element

Heather Paunet, senior vice president at Untangle, a provider of comprehensive network security for SMBs, added that the challenge for IT professionals is to find newer technology solutions that are easy to use, fast and reliable so that employees can turn it on once and forget about it.

“Legacy vendors will need to develop tools that keep in mind the ease-of-use and user interface for employees that rotate in and out of the office,” she said.

Paunet pointed out that remote and hybrid work introduces the human element to cybersecurity.

“Bad actors targeted VPNs because they knew that many companies, by quickly moving their employees to a remote working environment, were using older implementations of VPN protocols with exploitable security holes,” she explained.

She added many of these legacy security products are designed for IT professionals, not the average employee, which makes it harder for remote and hybrid employees to fully use the tool.

For example, when working from home, employees were finding that with older VPN technologies, their connection speeds were reduced. This resulted in them turning their VPN off and thus reducing security as they connected to their corporate network.

“When choosing vendors, companies will need to be more vigilant than ever when thinking about how their business could be compromised,” Paunet said. “It is also important to conduct a thorough review of vendors. Research for any past exploits, when they were detected and how fast a patch was developed.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 248 posts and counting.See all posts by nathan-eddy