Why You Shouldn’t Wait as Governments Consider Legal Avenues to Ensure Businesses Are Ransomware-Ready

AUGUST 17TH, 2023

By Ahsan Siddiqui, Director, Product Management, Arcserve

Ransomware attacks are now a topline concern for businesses everywhere. In 2022, organizations worldwide detected a whopping 493.33 million ransomware attacks. According to the latest data from IBM, the average cost of these attacks was $4.54 million.

Those are astounding numbers. And in response, governments are acting. Forbidding payments to ransomware gangs is already happening, with the U.S. and U.K. announcing sanctions, including banning payments to Russia’s notorious Trickbot ransomware gang. Florida and North Carolina have prohibited state government departments from paying ransom to cyber gangs, and New York is considering similar legislation.

Governments Consider Requiring Ransomware Readiness

As governments step up and put more laws in place to fight ransomware, one avenue under consideration is legally requiring that businesses are ransomware-ready.

Is that a good idea? In a recent survey by Arcserve, respondents were evenly split on the question. They were also divided on the question of whether companies that do pay a ransom should face penalties. 

Those supporting penalties argue that paying ransom encourages cybercriminals and perpetuates the problem. Those against penalties say that paying the ransom is often the only way to recover lost data, and penalizing victims amounts to kicking them when they’re down.

Pros and Cons of Ransomware Regulations

These findings highlight the complexity of the issue and the challenges that governments and businesses face in addressing it. For example, legally requiring companies to be ransomware-ready would have myriad benefits and drawbacks. 

On the plus side, such laws could improve cybersecurity and limit ransomware attacks. They could reduce the financial impact on companies everywhere and inspire better consumer confidence in data security. And they would provide a baseline for cybersecurity, leading to a higher level of preparedness in the business community.

The downside of these laws includes increased compliance costs, more regulations, and a false sense of security. While laws could establish a baseline standard for cybersecurity, that standard would be challenging for many small and medium-sized enterprises to meet. Even then, compliance would not be an ironclad guarantee of immunity to ransomware attacks.

Ransomware-readiness advocates acknowledge these possibilities but maintain that a requirement would benefit businesses in the long run. You could compare it to brush-clearing laws in states where wildfires are a risk. Yes, it’s an imposition to clear vegetation around your home, and it takes time and money. But it protects you and your neighbors from a widespread and disastrous conflagration. Of course, any ransomware-readiness requirement must be sensible and practical, because imposing unnecessary or unreasonable demands could harm businesses more than help them.

Complexity Creates Compliance Challenges

Then there is the question of complexity. Regulations are already hard to interpret and meet. Any new ransomware-readiness requirements would add more complexity to compliance and bring new challenges, particularly for smaller enterprises with limited resources or technical expertise.

Another drawback is that these mandates can lull businesses into a false sense of security. It’s essential to remember that compliance with any potential ransomware-readiness regulations would not guarantee that your company will not fall victim to a ransomware attack. Attackers are constantly changing their techniques. Many can now bypass even the most robust security measures and will continue to advance their methods with or without government ransomware mandates.

Protecting Your Data from Ransomware, Whether It’s Required or Not

For now, the possibility of ransomware-readiness rules remains open. But regardless of whether government mandates come or not, your business should still take steps to protect itself. You can’t simply conclude that if the government doesn’t require it, it’s unnecessary.

A reliable backup system is one of the best ways to guard against a ransomware attack. This system should include storing backups offline or in a secure, isolated environment. And it should include testing those backups regularly to ensure they’re working correctly. There should also be a consistent backup schedule, which enables you to restore any compromised systems or data seamlessly.

Encrypting your sensitive data is also highly recommended. That way, if ransomware attackers gain access to your critical assets, they won’t be able to extort you with it. Look for a data storage solution that safeguards information continuously by taking snapshots every 90 seconds.

That means that even if ransomware does sneak through and cybercriminals overwrite your data, your information will still be easily recoverable to a recent point in time. Because the backup snapshots are immutable, you’ll have several recovery points to restore your data intact.
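The two recommendations above, a backup that is tested regularly and immutable snapshots that give several recovery points, can be exercised in code. The following is an added example, not Arcserve's code or any product's API; the `SnapshotStore` class, its append-only semantics, the 50% change-ratio threshold and the sample files are all constructed for illustration. It keeps content-addressed snapshots with a hash manifest, runs a restore test (every stored blob must still hash to its manifest digest), and when a scheduled snapshot captured already-encrypted data, walks back to the latest snapshot that both verifies and does not show a mass change of files.

```python
import hashlib
from typing import Optional

# Cadence mentioned in the text; only used to label the constructed timeline.
SNAPSHOT_INTERVAL_SECONDS = 90


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SnapshotStore:
    """Hypothetical append-only snapshot store standing in for an isolated,
    immutable backup target. Snapshots can be added and read, never edited."""

    def __init__(self) -> None:
        self._snapshots: list[dict] = []

    def take_snapshot(self, files: dict[str, bytes], timestamp: int) -> int:
        # Manifest maps each path to the digest of its content; blobs are
        # stored content-addressed, so identical files share one copy.
        manifest = {path: sha256_hex(data) for path, data in files.items()}
        blobs = {sha256_hex(data): bytes(data) for data in files.values()}
        self._snapshots.append({"ts": timestamp, "manifest": manifest, "blobs": blobs})
        return len(self._snapshots) - 1

    def count(self) -> int:
        return len(self._snapshots)

    def verify(self, index: int) -> bool:
        """Restore test: every file in the manifest must be present and its
        stored bytes must still hash to the recorded digest."""
        snap = self._snapshots[index]
        return all(
            digest in snap["blobs"] and sha256_hex(snap["blobs"][digest]) == digest
            for digest in snap["manifest"].values()
        )

    def change_ratio(self, index: int) -> float:
        """Fraction of files from the previous snapshot whose content changed
        or that disappeared. A near-1.0 value is typical of mass encryption."""
        if index == 0:
            return 0.0
        prev = self._snapshots[index - 1]["manifest"]
        cur = self._snapshots[index]["manifest"]
        if not prev:
            return 0.0
        changed = sum(1 for path, digest in prev.items() if cur.get(path) != digest)
        return changed / len(prev)

    def restore(self, index: int) -> dict[str, bytes]:
        snap = self._snapshots[index]
        return {path: snap["blobs"][digest] for path, digest in snap["manifest"].items()}


def latest_clean_snapshot(store: SnapshotStore, max_change_ratio: float = 0.5) -> Optional[int]:
    """Pick the newest recovery point that passes the restore test and does not
    look like it captured already-encrypted data (constructed heuristic)."""
    for index in range(store.count() - 1, -1, -1):
        if store.verify(index) and store.change_ratio(index) <= max_change_ratio:
            return index
    return None


def run_scenario() -> dict:
    """Constructed timeline: two good snapshots, then a snapshot taken after
    every production file has been overwritten."""
    store = SnapshotStore()
    production = {
        "ledger.csv": b"2023-08-17,invoice,1200\n",
        "notes.txt": b"quarterly plan\n",
        "config.ini": b"[db]\nhost=db1\n",
    }
    store.take_snapshot(production, 0)
    production["notes.txt"] = b"quarterly plan, revised\n"  # ordinary edit, 1 of 3 files
    store.take_snapshot(production, SNAPSHOT_INTERVAL_SECONDS)
    # Stand-in for the damage: every file's content replaced with unusable bytes.
    for path in list(production):
        production[path] = b"\x00UNUSABLE\x00" + sha256_hex(production[path]).encode()
    store.take_snapshot(production, 2 * SNAPSHOT_INTERVAL_SECONDS)  # scheduled snapshot of damaged data

    chosen = latest_clean_snapshot(store)
    return {
        "snapshots": store.count(),
        "ratios": [store.change_ratio(i) for i in range(store.count())],
        "chosen": chosen,
        "restored": store.restore(chosen) if chosen is not None else {},
    }


def tamper_is_detected() -> bool:
    """Restore testing catches a stored copy that no longer matches its manifest.
    The corruption here bypasses the append-only API deliberately, to simulate
    a backup target that was not actually isolated."""
    store = SnapshotStore()
    store.take_snapshot({"a.txt": b"hello\n"}, 0)
    before = store.verify(0)
    snap = store._snapshots[0]
    snap["blobs"][snap["manifest"]["a.txt"]] = b"garbage\n"
    return before and not store.verify(0) and latest_clean_snapshot(store) is None


if __name__ == "__main__":
    result = run_scenario()
    print("change ratios per snapshot:", result["ratios"])
    print("recovery point chosen:", result["chosen"], "files:", sorted(result["restored"]))
    print("tampered snapshot rejected:", tamper_is_detected())
```

The change-ratio check is what turns "several recovery points" into an automated choice: the third snapshot is internally consistent (its blobs verify), but it captured data that was already unusable, so the restore falls back to the second snapshot, which still contains the edit made after the first one.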

Use Data Tiering to Contain Costs

Whether your business is large or small, you should also understand that not all data is created equal. So consider data tiering, a system in which less frequently used, less vital data is moved to a lower storage tier that may be slower to access and recover but is less costly.

The idea is that because not all data is created equal, the “less equal” data doesn’t need the Fort Knox treatment. Your company should have different policies for different data sets, depending on how quickly you need to access and recover it in case of a ransomware attack.

Final Takeaway

It is crucial that governments and stakeholders carefully evaluate all the potential benefits and drawbacks of ransomware regulations before implementing them. That will enable policymakers to set rules that balance the benefits of improving cybersecurity with the costs companies may incur in complying. 

So make plans to ensure your data is safe, backed up, and recoverable after a ransomware attack. That should start by talking to an Arcserve technology partner. They have the expertise and experience to help you put effective ransomware protections in place and achieve true data resilience.
