16 comments

  • alopha 7 hours ago
    The idea that the spending needs to grow linearly with the growth is a damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry.
    • reliabilityguy 5 hours ago
      > damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry

      Cybersecurity is not about stopping issues but about compliance and liability. Attend RSA once, and you will see it yourself.

      • HPsquared 5 hours ago
        It makes sense when you consider the main threat you are protecting yourself from is lawsuits.
        • bluGill 4 hours ago
          The lawsuits come from the issues though.
          • HPsquared 4 hours ago
            "We did everything we could, like any decent person would"
            • tialaramex 2 hours ago
              Exactly, it's very 'No Way to Prevent This,' Says Only Nation Where This Regularly Happens
    • bigfatkitten 7 hours ago
      It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies.

Basic security hygiene pretty much removes ransomware as a threat.

      • dec0dedab0de 3 hours ago
> Basic security hygiene pretty much removes ransomware as a threat.

        I can't tell if you're being flippant, or naive. There is nothing that removes any category of malware as a threat.

        Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it's quite a reach to claim that it's pretty much removed as a threat. Especially since you would still need to clean up and restore.

      • pxc 2 hours ago
        It's not often presented as "we should be spending more", but it's absolutely true that cybersecurity is predominated by a reflexive "more is better" bias. "Defense in depth" is at least as often invoked as an excuse to pile on more shit as it is with any real relation to the notion of boundaries analogous to those in the context from which the metaphor is drawn.

        The security industry absolutely has a serious "more is better" syndrome.

      • ozim 4 hours ago
        OK I agree basic security hygiene removes ransomware as a threat.

        Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees.

        If you can do that let’s see how it goes with 1000 employees.

        • devin 3 hours ago
I'm not really sure what point you're making. Is the point that it is harder to secure more things? Is it that security events happen more frequently the higher your number of employees goes?

          If so, I bristle at this way that many developers (not necessarily you, but generally) view security: "It's red or it's green."

          Attack surface going up as the number of employees rises is expected, and the goal is to manage the risk in the portfolio, not to ensure perfect compliance, because you won't, ever.

          • ozim 2 hours ago
            Point is: basic things at scale are hard.
        • jacquesm 4 hours ago
And just as dangerous: 50 employees. Because quite frequently these 50 employee companies have responsibilities that they cannot begin to assume on the budgets that they have. Some businesses can really only be operated responsibly above a certain scale.
      • mschuster91 7 hours ago
> Basic security hygiene pretty much removes ransomware as a threat.

        It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.

        And no, backups aren't the solution either, they only limit the scope of lost data.

In the end the flaw is fundamental to all major desktop OSes - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions, bar a few specially protected files/folders, is fair game for any malware achieving local code execution.

        • ArcHound 7 hours ago
          AFAIK the idea is to have backups so good, that restoring them is just a minor inconvenience. Then you can just discard encrypted/infected data and move on with your business. Of course that's harder to achieve in practice.
          • supertrope 3 hours ago
            If the important data is in a web app and the Windows PC is effectively a thin client, this lowers the ransom value of the local drive. Of course business disruption in the form of downtime, overtime IT labor cannot be mitigated by just putting everything online.

            The next step is just to move to security by design operating systems like ChromeOS where the user is not allowed to run any non-approved executables.

            If tricking a single employee can cause an entire company to stall out, it's a process issue. Just like how a single employee should not be able to wire out $100,000.

            • Ajedi32 3 hours ago
              Getting rid of Windows in favor of an OS with a proper application sandbox like Android would solve so, so many security issues, but that's not viable in most cases because so much software depends on the outdated user-based permissions model most desktop OSs are built around.
              • ArcHound 1 hour ago
                Please don't. It's bad enough that companies running windows have all the data on win premises. Dumbing down what the users can do with their machines seems like the end of personal computing.
                • Ajedi32 32 minutes ago
                  I don't think Android is "dumber" or less capable than Windows. In many ways the application sandbox actually gives owners a lot more control over their devices than a less locked down OS would, allowing them to restrict what information installed applications are allowed to access.

                  But what I think you're concerned about (and I agree) is that the flip side of that is that giving device owners more control over their apps also gives the OS developers more control, and Google's interests are not always perfectly aligned with the device owner's. There's a much wider market for apps than there is for operating systems, so sometimes app developers' interests will actually be better aligned with the device owner's than the OS developer's interests are.

                  One possible saving grace here is AOSP. In theory you could have multiple competing AOSP-based desktop OSs, each catering to a slightly different set of users. This would be close to the ideal situation in my opinion. Either that or Chrome, Firefox, Edge, and Ladybird all evolve into full fledged OSs with WASM-based apps.

          • finghin 6 hours ago
Sleeper agent malware is a thing, especially in high risk situations. If somebody has a dormant RAT installed since year X-1, it's going to be impossible to solve that in year X by using backups.
            • BenjiWiebe 5 hours ago
              What about non executable backups? Backup data but not programs?

              Not applicable everywhere, but I think it's applicable most places.

              • parineum 4 hours ago
                Executables read data.
          • billypilgrim 3 hours ago
            Modern ransomware are not just encrypting data but uploading them somewhere too, the victim is then threatened with a leak of the data. A backup does not save you from that.
            • ArcHound 1 hour ago
              Well yes, if you get breached, you have problems. At least in good backups scenario you can continue to operate, so you have money incoming to fix this.
            • flipped 2 hours ago
              [dead]
          • mschuster91 7 hours ago
            In the end the limiting factor will be the bandwidth of your disk arrays... enough compromised machines and they will get overwhelmed.
        • mhurron 3 hours ago
          > all mounted network shares where the user has write permissions

This is very literally what 'basic hygiene prevents these problems' addresses. Ransomware attacks have shown time and again that the way they were able to spread was highly over-permissioned users and services, because that's the easy way to get someone to stop complaining that they can't do their job.

          • saalweachter 3 hours ago
            "Insider threat model".

            Basic security hygiene in the modern world is "assume your employees can be a threat", either because they're incompetent ("I accidentally deleted the shared spreadsheet, I thought it was my copy"), malevolent ("I will show them all!") or compromised ("I clicked a link in my email and now my computer is slow.")

            If you aren't designing your systems to be robust against insider threats, they will fail.

            (If you design them to be robust against insider threats, they will probably also fail, so you have to be constantly working to understand how to limit the consequences of any individual failure.)

        • trollbridge 5 hours ago
          Er… Linux has pretty good isolation of users who don’t have super user privileges.
        • jamiemallers 3 hours ago
          [dead]
    • mapontosevenths 6 hours ago
      Serious professionals use one or more spending models to determine budget.

My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none imply that the budget should naively grow in lockstep with prevalence linearly.

      I think TFA doesn't really mean to imply that it should, merely that there is a likely mismatch.

      [0] https://en.wikipedia.org/wiki/Gordon%E2%80%93Loeb_model

    • zipy124 4 hours ago
      This is a similar fact in government. For instance in the UK with the NHS and other services, we often look at total spending and assume that spending has to stay at least constant in real terms or grow, when in reality you want some metric of spending per outcome.
      • bluGill 4 hours ago
        Ideally you want spending to go down as we get more efficient, and up as we find new treatments that work (we often add cost effective treatment as well, but that should make everyone uncomfortable no matter what side you argue)
    • ninininino 3 hours ago
Apply that to any other war or arms race. "The fact that the US' defense spending needs to grow linearly with China's is a damning indictment of the mindset of the vast ineffectual mess that is the defense industry".

      Do you just expect one side to magically be more dollar-efficient than the other? I'm confused.

    • aswegs8 3 hours ago
      Was looking for the comment that addresses the clickbait-y headline, found this top comment by you, was not disappointed.
  • pxc 2 hours ago
    Companies spend a ton of money on very sophisticated, powerful, invasive, and expensive software to protect themselves against ransomware.

    But the best antidote to many forms of ransomware isn't security software at all— it's offline backups.

    Like so much in cybersecurity, an analysis by spending categories like this feels like vendors and their marketing teams driving the discourse. Even if we accept that dollars provide the right lens through which to look at this problem, companies that spend more on making sure they have good backups and good restore procedures aren't going to show up as spending more on cybersecurity in this kind of analysis.

    • CodesInChaos 2 hours ago
The company losing access to the data is only one half of the ransomware threat. The other half is unauthorized parties gaining access to the data. Backups only protect against the former.
  • CoastalCoder 7 hours ago
    It seems obvious to me that the only real solution is to penalize the payment of ransoms. For the same reasons one doesn't negotiate with terrorists.

    Is there some reason to believe that this isn't the best approach? And if not, then any theories as to why it hasn't been enacted?

    • entuno 6 hours ago
      It's one of those ideas that sounds nice in theory, but doesn't survive contact with the real world. In the same way that many people would say that you shouldn't negotiate with terrorists or kidnappers; but if it's their loved one who's being held and tortured they'll very quickly change their mind.

Getting to a world where no one pays ransoms and the ransomware groups give up and go away would be the ideal, and we'd all love to get there. But outlawing paying ransoms is basically sacrificing everyone who gets ransomwared in the meantime, until we get to that state, for the greater good.

      And where companies get hit, they'll try hard to find ways around that, because the alternative may well be shutting down the business. But if something like a hospital gets hit, are governments really going to be able to stand behind the "you can't pay a ransom" policy when that could directly lead to deaths?

      • naniwaduni 3 hours ago
        If you make it expensive enough to pay ransoms outright, throwing money at security starts looking more appealing.

        A ban on paying ransoms isn't the right tool for this. Fine them, punitively, with a portion set aside to incentivize whistleblowing.

        • entuno 2 hours ago
Financial costs won't solve the problem for companies, because they're hard to enforce. You'd be weighing up the cost of dealing with the fallout of getting hacked against the cost of paying the ransom and the chance that you might get caught and fined. If that former cost is existential for the business, then it'd always be worth paying and taking the risk.

          The only real way around that would be personal consequences for the owners/directors of the company - "get caught paying a ransom and the whole board goes to jail" would certainly discourage people. And also provide a wonderful opportunity for blackmail when people did.

          Not to mention all the problems of fining public sector organisations, and how counter-productive that usually is.

        • flipped 2 hours ago
          [dead]
      • nradov 4 hours ago
        That's fine, those are acceptable casualties. Make paying any sort of ransom a criminal offense.
        • itishappy 2 hours ago
          Sounds impossible to enforce.

          The penalty for not paying is often catastrophic. The penalty for paying will have to be similarly impactful.

          • nradov 2 hours ago
            Right, make the penalty for paying a ransom catastrophic. Very few employees will risk a criminal conviction and years in federal prison just to protect their employer.
        • HeWhoLurksLate 3 hours ago
          It's all fun and games until it's your livelihood at stake, and then it makes a lot more sense to acquiesce, lick your wounds, and keep your business alive.

          Getting hacked is no fun, but companies don't deserve to die because something in their tech stack was vulnerable.

          • nradov 2 hours ago
            Nah, those companies deserve to die. Let them fail. Creative destruction.
            • HeWhoLurksLate 1 hour ago
              I respectfully disagree - I do agree that the natural financial death of a company probably shouldn't result in bailouts, but if I as a company get breached because my fully-updated, follows-best-practices Windows Domain got hacked because of a vulnerability in Microsoft's stuff? That's hardly fair.

              Shouldn't I be able to sue Microsoft for financial relief?

              • nradov 1 hour ago
                That is an acceptable outcome. Life isn't fair. Companies fail all the time for a variety of unfair reasons. This will force customers to demand that Microsoft and other software vendors improve their own security practices and/or indemnify customers for damages from breaches. You can sue Microsoft for financial relief if they breach your contract.
        • qzw 3 hours ago
          You know what's an even more acceptable casualty that would greatly reduce ransomware? Cryptocurrencies.
    • Tangurena2 6 hours ago
      I work in the state government space. Many targets/victims of ransomware are small/local government agencies and the ransom demands are greater than their annual budgets. Not every agency is big enough to have someone (bored) come in on Sunday, notice stuff getting encrypted and then run in to the server room and hit the big red button like Virginia's legislature in 2021[0].

      Many ransoms are far more than the victim can actually pay. Not all ransom payments result in a decryption key that actually works.

      Notes:

      0 - https://www.nbcnews.com/politics/politics-news/officials-vir...

      • nradov 4 hours ago
        Most local governments lack the scale and budget to competently maintain their own IT infrastructure. It's not just security but everything. They should outsource the infrastructure layer to a large contractor, or possibly to the state government.
    • ArcHound 7 hours ago
      I don't think you can enforce such a rule. I think it's a good approach too.

      Another issue is that not paying up and risking restore from underfunded ops dept. might be more expensive than paying up AND making a selected executive look bad. And we can't have that, can we.

      • wongarsu 6 hours ago
It would make the ransomware statistic go down without actually stopping crime. Any company that considers paying the ransom would have a strong incentive to never report the security incident, to avoid being punished for ransom payments.
        • entuno 6 hours ago
          Plus it gives the ransomware gangs a whole new angle they can use.

          So, remember how you illegally paid us a ransom a few months ago? Unless you want to go to prison, then you better...

          We're already seeing this against companies who pay ransoms and fail to report the breaches when they're legally required to - but it would be much worse if it's against individuals who are criminally liable.

        • nradov 4 hours ago
          Make employees criminally liable for making ransom payments, along with whistleblower protections. Very few employees will risk going to prison to protect their employer. You can always get another job.
          • ArcHound 1 hour ago
I don't think this helps anybody. There will always be some poor soul taking the blame for the crimes of the higher ups. And what exactly would the crime be? Using company money to pay an unspecified third party? Also pretty hard to enforce.
            • nradov 1 hour ago
It should be a crime to knowingly transfer money to criminals for any reason. And it wouldn't be hard to enforce: offer bounties to whistleblowers who turn in their colleagues.
      • finghin 6 hours ago
        Agreed - it’s not that it’s a bad point but it would be an ineffective rule which is usually an excuse to forgo other more effective (usually more expensive) options
        • TeMPOraL 6 hours ago
          Unfortunately the actual solution will probably have to mirror real world, which means balkanizing the Internet to clarify legal jurisdiction, maybe some international police task force to aid with cross-border investigation, but ultimately it all hinges on whether and how much the countries with most nuclear aircraft carriers are willing to pressure other countries to take this seriously.
    • bogwog 2 hours ago
      > penalize the payment of ransoms

      If you mean ban all crypto currencies, then you're correct.

    • cucumber3732842 7 hours ago
      All that does is make the problem more expensive by whatever cut the middle men who will pop up take and however much the overhead of the obfuscation is. It might reduce payments at the margin, but probably not enough to be worth the cost.
  • shrubble 6 hours ago
    I don't think there is a reasonable correlation, since stopping ransomware doesn't require that much of an increase in spending; it's a culture thing more than a money thing.
    • Waterluvian 6 hours ago
      Moving security tickets to the top of the stack is absolutely a money thing. Training is a money thing. Exchanging velocity for security is a money thing. Changing culture takes money.
    • mewpmewp2 5 hours ago
      What do you need to do to improve culture in the correct way?
      • nradov 3 hours ago
        All senior leaders need to visibly spend time on areas of cultural focus. Employees will ignore an email from some random IT department middle manager. But if they see C-suite executives putting sustained effort into something then they'll pick up on that and start to do likewise.
  • Frieren 5 hours ago
Stopping ransomware would be trivial if governments knew where the money goes. But cryptocurrencies and lax capital controls pushed by the uber-rich make it impossible.

    The technology is there and it is used to track the average citizens every move. But when it comes to rich people then the money goes and comes without control (and without taxation).

Cryptocurrencies are a great solution to enable criminal activity. That is their only use, and they are highly appreciated by terrorists, criminals and dictatorial governments around the world.

    • GuB-42 4 hours ago
      It is far from trivial. What are you going to do if the money goes to an enemy country?

And while cryptocurrencies are certainly popular with criminals, they are far from the only option for hiding transactions. As for the technology, if it exists, it is not very effective. The shadow economy is going strong even among average citizens, from drug trade to babysitting.

      If governments can't stop even the most trivial kind of unreported work in their own country, how do you expect them to stop well organized international gangs, sometimes backed by nation states?

    • BoiledCabbage 4 hours ago
      Crypto is such a net negative for society.

What cracks me up is how much crypto is emblematic of Libertarianism. Sounds promising if you think about it superficially, but is obviously bad if you actually think about it in any real world terms.

      And not just abstractly - they both fall apart for the exact same reasons. Libertarianism is essentially "But, what if we scaled up the failures of crypto to all of society?"

  • addybojangles 2 hours ago
    Company culture, training, resources. Sure, that costs money - but there isn't a direct correlation between spend this to prevent that.
  • ingohelpinger 5 hours ago
  • _tk_ 7 hours ago
    I think this article mostly shows that publicly announcing a successful ransoming of a company is now more popular than a couple years back.
  • rbbydotdev 5 hours ago
    I wonder what kinds of market hypotheses you could derive from the game theory here
  • everdrive 6 hours ago
    If ransomware spending must scale directly with ransomware attacks then I don't see how companies could possibly keep up with the spending. A lot of the "gaps" in cybersecurity are essentially spending problems. Companies want to spend as little on it as they can.
  • mystraline 5 hours ago
Well, given that C levels see cybersecurity as a bad return on investment (read: insurance), I've seen countless numbers of people laid off from these jobs.

    So yeah, I'm surprised it's only 3x, and not even more.

    A good abliterated local LLM is great at finding dumb exploits and writing ransomware code. And the cybersec professionals? Yeah, they're pivoting elsewhere and gone.

  • CodeCompost 7 hours ago
    Thanks, Satoshi
    • super256 7 hours ago
      Don't worry, ransomware already existed before BTC. The ransomware demanded Ukash and Paysafecard instead.
      • wstrange 5 hours ago
        That seems disingenuous. Crypto made ransomware much easier.
    • ravenstine 5 hours ago
      Thanks, Tim Berners-Lee.
  • rkozik1989 4 hours ago
    Wait until companies try powering their businesses with agentic systems. Then businesses aren't paying a ransom to prevent privacy law lawsuits, but rather they'll be paying a ransom equivalent to the black market value of their business.
  • wslh 3 hours ago
    There is a publication making a related point in the DeFi security context: as TVL rises, the incentive to attack rises too, and defenses do not (or cannot) automatically scale with it[1].

    [1] https://web.archive.org/web/20240911103423/https://www.bittr...

  • flipped 2 hours ago
    [dead]