Government regulations on ransomware payments set to tighten

As cyber attacks continue to rise, organisations need strategies to meet evolving threats and become better prepared, Gartner says

The global damage caused by cyber attacks is projected to surge to $265bn by 2031 from about $20bn in 2021. Reuters

About one third of countries are preparing to pass legislation to tackle ransomware activity between now and 2025, far more than the 1 per cent in 2021, a new report from Gartner says.

Laws to regulate payments, fines and negotiations resulting from ransomware attacks are necessary as such illicit activities, which affect organisations and individuals, become more common, the Connecticut-based research firm said on Monday.

The forecast is part of Gartner's latest predictions for an industry where vigilance must be constant.

“Cyber security is constantly evolving, but with it comes more complexity, which possibly gives malicious actors the advantage. We can’t fall into old habits and try to treat everything the same as we did in the past,” Richard Addiscott, a senior director analyst at Gartner, said.

“Most security and risk leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our programme and our architecture.”

Cyber attacks are on the rise, with perpetrators finding more ways to trick unsuspecting victims. Global damage inflicted by such attacks was estimated to cost about $20 billion in 2021, up fourfold from $5bn in 2017, and far higher than $325 million in 2015, according to industry publication Cybersecurity Ventures.

The costs of cyber attacks are projected to rise to $42bn by 2024, $71.5bn by 2026, $157bn in 2028, and $265bn by 2031, the report said.

Companies are taking notice and intensifying their efforts to counter such threats.

About 72 per cent of organisations said they are ready to manage a ransomware attack, Boston-based security firm Cybereason said in its annual report this month.

By 2025, 60 per cent of companies will embrace zero trust — an uncompromising practice that requires rigid authentication to gain access to a system — as a starting point for security, Gartner said.

“However, as zero trust is both a security principle and an organisational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits,” Gartner said.

The same number of companies are projected to use cyber security risk as a primary determinant in conducting third-party transactions and business engagements.

More than two thirds of chief executives are expected to impose a culture of organisational resilience to survive coinciding threats from cyber crime, severe weather events, civil unrest and political instabilities by 2025, Gartner said.

Regulations on user privacy are also expected to increase, with governments demanding that organisations provide consumer privacy rights between now and 2023, the report said.

This would cover about five billion people who have consumer privacy rights, up from about three billion in 2021, it said.

“Since most organisations do not have a dedicated privacy practice, the responsibility for operationalising these requirements is passed on to technology, more specifically security, under the umbrella of the chief information security officer's office,” Nader Henein, a vice president analyst at Gartner, wrote in the report.

Weaponising technology to cause human harm and casualties also continues to be a serious concern, with attacks on operational technology — the hardware and software that monitors or controls equipment, assets and processes — becoming more common and disruptive.

“Security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” Gartner said.

Updated: June 28, 2022, 4:30 AM