2022 began with successful ransomware attacks against global IT and digital transformation providers, no thanks to the notorious LAPSUS$ ransomware gang. Often, any discussion about ransomware impact has mostly centered on affected organizations. Rightly so, as victimized organizations usually suffer significant disruption to their operations. In 2021, the US Federal Bureau of Investigation received 3,729 complaints identified as ransomware. Recently, a company closed all of its 175 stores in Denmark due to a ransomware attack. Globally, 81% of organizations are highly concerned about ransomware attacks.
A recent Sophos report showed that “66% of organizations were hit by ransomware in the last year, a 78% increase over the previous year”. 90% of these organizations suffered operational disruption, and 86% lost business and revenue. In the first half of 2022, ransomware variants nearly doubled compared with the second half of 2021. The popularization of Ransomware-as-a-Service (RaaS), and the willingness of affected organizations to pay are some drivers for increased ransomware attacks.
There has been limited focus on the social implications of ransomware. However, this limitation is giving way to increased scrutiny of the way organizations handle environmental, social, and governance (ESG) issues. ESG involves incorporating environmental and social policies and practices in corporate decisions and processes to identify and mitigate risk factors that could jeopardize an organization’s ability to remain operational and sustainable. Investors are not the only ones interested in ESG risk indicators prior to making investment decisions, some governments are demanding organizations make ESG disclosures. The US ESG Disclosure Simplification Act of 2021 empowers the Securities and Exchange Commission to establish standards for ESG disclosure. The European Union has also established ESG disclosure requirements that asset managers must adhere to in their reporting.
Ransomware as an ESG Scope
Ransomware and other cyber threats constitute environmental, social and governance issues organizations must address. A successful ransomware attack against an environmental system could lead to environmental, social, and governance implications. A recent ransomware attack against an environmental group disrupted its Enthalpy Analytical laboratory network, which handles testing of environmental pollutants needed to ensure that providers of air, water, and soil services deliver quality services. In 2019, The Weather Channel suffered a ransomware attack during a severe weather broadcast, directly impacting millions who relied on the channel for information to make logistics and transportation decisions. Addressing ransomware is not only a cybersecurity concern, but it also impacts areas pertinent to ESG considerations.
Social Implication of Ransomware
The social pillar in ESG is primarily concerned with an organization’s stance on social issues and how their position affects internal and external stakeholders. Customer data protection is an integral part of any organization’s social responsibility. Successful ransomware attacks have a direct impact on the public, with the potential of disrupting life and public health. Research has shown that ransomware and other cyber threats have social and psychological impacts on the public.
Healthcare topped the list of the most targeted sectors in the second quarter of 2022, according to a Kroll report. There was a 90% increase in ransomware attacks during the same period compared with the first quarter of 2021. The 2017 WannaCry ransomware attack against the UK’s National Health Services resulted in widespread disruption and psychological effects for many. Operational disruption affects patient care delivery and other critical functions. There is also evidence connecting ransomware to higher mortality rates. Besides these obvious impacts, ransomware has also contributed to rising mental health issues amongst cybersecurity professionals. Apart from a lack of confidence amongst cybersecurity professionals of impacted organizations, 51% of cybersecurity professionals take prescribed medications for their mental health, while 64% confirmed difficulty getting work done. Some of the symptoms exhibited include high stress levels, burnout, depression, and suicidal behavior.
There has been a surge in attacks against the agriculture sector. A 2021 attack on the world’s largest meat processor not only disrupted its operations at multiple facilities, but it also had a ripple effect on the meat market and led to an increase in meat price. The timing of the attacks targets critical planting and harvest seasons to maximize disruption, further pressuring organizations to pay. As the adoption of precision agriculture increases, ransomware will continue to be a major threat to agriculture, thereby exacerbating hunger and starvation. With more than 2 billion people facing dangerous levels of food insecurity, and 345 million experiencing acute hunger, ransomware attacks against agriculture will increase global hunger and lead to proportionately higher levels of starvation.
Modern businesses rely on energy to remain operational. Incessant attacks against the energy sector causes severe disruption to the supply chain. In 2021, the largest refined products pipeline in the US suffered a major ransomware attack which caused a consequential disruption to life. I was among the millions of Americans directly impacted by the attack. Besides the scarcity of fuel, stations with limited supply had long lines of frustrated, and sometimes, physically aggressive customers who had their lives upended for days. Just last month, a ransomware attack impacted the operations of Greece’s largest natural gas transmission operator. As a critical infrastructure, an attack on the energy industry directly impacts the lives of millions of people who rely on energy products.
Ransomware attacks cause conspicuous societal disruptions, economic losses, and increased poverty. The ransomware attack against Costa Rica led to major disruptions, causing the country to declare a national emergency. Organizations often make the onerous decision to pay to remedy ransomware attacks, with no guarantee that their data will be recovered. Besides the cost of remediation, further internal costs are incurred due to ransomware victimization, such as litigation, and compensation. Employment loss has been associated with ransomware, as impacted organizations are compelled to make staff cuts due to budgetary impacts. Lost employment leads to greater burdens on public aid, while prolonged unemployment increases poverty and negative psychological effects.
ESG Disclosure of Ransomware
Though organizations in the US may soon be required to make disclosures about ransomware attacks, they will soon be making ESG disclosures, which would include ransomware and other cyber threats. This is not particular to the US, as there is a global drive towards making disclosures of cybersecurity risks to sustainable business investments and operations. Ransomware disclosure will have a critical impact on investment decisions and organizations’ financial sustainability. Therefore, addressing ransomware is not only socially responsible, but organizations will also benefit tremendously from implementing adequate controls to reduce successful ransomware attacks and impacts.
An ESG-ransomware disclosure should not be the only major factor driving responsible cybersecurity governance and protection against ransomware and other destructive cyber threats. Ransomware affects every aspect of society, from healthcare, energy, transportation, food, to critical public services, and government operations. Ransomware attacks should be properly classified as a public health issue, national security emergency, and acts of terrorism. The world is potentially at risk of cascading socio-economic and health disruption if ransomware is not addressed as a global risk, rather than just the problem of impacted organizations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.