Why Ransomware Victims Avoid Calling It 'Ransomware'Also: CrowdStrike's Sales Slowdown; Leveraging Better Threat Intel
The latest edition of the ISMG Security Report discusses why too few organizations admit to being victims of ransomware attacks, how delayed enterprise subscription start dates forced CrowdStrike to cut sales forecasts, and leveraging threat intelligence to protect critical infrastructure.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz discuss how the stigma of ransomware leads victims to avoid using the term;
- ISMG's Michael Novinson describe the slow sales growth of endpoint security behemoth CrowdStrike as small to medium business clients stall spending;
- Ben Deering of the U.S. National Security Council explain how private sector entities can help the U.S. government leverage better threat intelligence.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Nov. 10 and Nov. 24 editions, which respectively discuss the consequences of not paying a ransom and the ransomware group Zeppelin's costly encryption mistake.
Anna Delaney: Cybercrime conundrum, victims who won't say ransomware, and CrowdStrike sales growth slows -- these stories and more on this week's ISMG Security Report.
Delaney: Hello, I'm Anna Delaney. In our first story today, Executive Editor Matthew Schwartz shares insights from an interview with Rebecca Moody of Comparitech, on how some corporates who have been victims of ransomware attacks are avoiding the word ransomware.
Mathew Schwartz: What is a ransomware attack called if it's ransomware, but an organization that's fallen victim doesn't want to call it ransomware? Some companies have become expert at spinning as in using corporate speak or weasel words to avoid having to ever say the word ransomware. To a raft of press statements or data breach reports from companies that talk about suffering unexpected downtime, or perhaps a cybersecurity incident, the word cyberattack is another favorite. What's going on here? Companies aren't comfortable saying they've been hit by ransomware. That's despite the volume of ransomware attacks appearing to have recently declined, at least against the healthcare sector.
Rebecca Moody: I think maybe hackers have become a bit more targeted in their approach, which has caused a bit of a dip.
Schwartz: That's Rebecca Moody, head of data research for Comparitech. Her firm has been tracking the impact of ransomware on the healthcare sector. Obviously, it's good news that the volume of attacks seems to have declined by any amount. But some other shifts are less welcome.
Moody: There's also a change. I've noticed this because I go through so many breach reports. A lot of companies are now avoiding the word ransomware or it's almost like there's a stigma around it. You'll see a data breach report and it'll say, "We've been hit by a cyberattack. That's very broad. What do we mean here? Sometimes they will say that systems are encrypted. That kind of gives you a good indication it's ransomware. But I think there's a movement away from publicly admitting to have been having suffered a ransomware attack unless their hands are tied and systems have gone down, hackers have publicly released data and so on. So I think the dip may be because there's fewer ransomware attacks, but I think there are other factors playing into it as well.
Schwartz: Businesses not coming clean about cybersecurity problems or attacks isn't new. We've seen this for years with data breach notifications, some organizations issue clear, informative notifications designed to help victims better protect themselves. They also issue these notifications soon, but not too soon after an attack when they've identified exactly what happened and who is at risk and how. Many other organizations, however, employ a variety of tactics seemingly designed to try to minimize their culpability. For example, anyone who wants to hide bad news tends to put out a press release on a Friday, hoping it will disappear by the Monday morning news cycle. In breach notifications, marketing spin too often gets used with abandon. Victims love to talk about how sophisticated attackers continue to prey on society, and how they are but the latest to be caught up in this unstoppable tsunami of criminality. Too often, however, there is no mention of what their organization might have been doing to protect itself. For example, by employing sophisticated defenses, logging, robust monitoring, and so on, all of which might have better detected, blocked and mitigated the attack. Now, this isn't to blame victims. But a lack of clear, forthright language complicates efforts to track ransomware not just by industry researchers, but also by defenders who want to help everyone block these types of attacks. It also doesn't help police who are trying to track and disrupt gangs, potentially warn victims in advance of systems getting encrypted, and sometimes even recover cryptocurrency ransom payments if a victim chose to pay. Understanding the scale of the problem also helps policymakers not least to ensure there's sufficient funding for law enforcement, as well as an emphasis on helping businesses to better help themselves via better cybersecurity resilience. It's great news that the volume of ransomware attacks may have recently declined, but to truly combat ransomware we need to see an increase in reporting by victims who come clean and come forward and tell it like it really is. For ISMG, I'm Mathew Schwartz.
Delaney: A longer sales cycle for small businesses and delayed subscriptions start dates for large enterprises has forced security vendor CrowdStrike to lower its sales forecast going forward. I asked our business editor Michael Novinson for his take on the story. Michael, you reported this week that CrowdStrike sales growth has stalled as SMB clients delay spending. Tell us about it.
Michael Novinson: What CrowdStrike is finding is that the small and mid-sized businesses are supplying a lot more scrutiny to deals and that they're having to go through a lot more checks or verifications before seeing a sale through to completion - whether that's legal, privacy, compliance - that there's just additional layers in order to get purchases approved right now. What that's meant for CrowdStrike is that sales outside of the enterprise, which would be that small and medium-sized businesses, those are taking 11% longer to close. As a result, in CrowdStrike's fiscal quarter that ended October 31, that new annual recurring revenue was down $15 million directly as a result of this. They did emphasize that most of these deals, it's not that companies are just walking away from purchases altogether, virtually all of these are getting to the finish line eventually. But they're just taking longer to get there. For CrowdStrike that just means that money is coming in slower than they had anticipated.
Delaney: What about larger enterprises? What are they doing?
Novinson: Larger enterprises have a different set of challenges. CrowdStrike executives did say that they haven't seen a slowing of purchasing from larger enterprises that they are still procuring at the same rate as they were in the previous fiscal quarter, which ended July 31. And some of this is that larger enterprises are more bound by compliance and privacy regulators. They often have to make purchases, it's a must-have not a want-to-have. But having said that, these large enterprises typically are procuring CrowdStrike technology on a subscription basis. What they have done is essentially staggered the start of their subscription. They're buying several CrowdStrike modules in asset management, cloud security, endpoint security. If they're buying a number of different modules, most CrowdStrike customers buy five or six different modules. They're having different ones initiated at different times. In particular, pushing the start date out to a future quarter so that they don't have the expense line on their balance sheet for whatever the customer's particular quarter is. It's a way for customers to help them manage their operational expenses to take care of the balance sheet to control costs. But again, what it means for CrowdStrike is money that they expected to come in this quarter now is going to come next quarter or the quarter after that. The other piece that they had said is macroeconomic uncertainty - that somewhere many larger and enterprise customers, after having multi-year subscriptions are only doing a one-year renewal, and they don't want to be locked in for three years or five years. Their renewal period is shorter than the initial contract, which is typical. Usually, people renew for at least the same length as the initial contract if they're happy. But everybody just wants the flexibility right now, especially if things get worse to not be locked in. So in terms of the large enterprise, this was a $10 million bite out of their annual recurring revenue from these delayed subscription start dates as compared with the quarter before. So just more things that are making it harder for CrowdStrike to bring in the money they expected to bring in.
Delaney: There's all doom and gloom, Michael. What do these trends and figures say about what's to come?
Novinson: I think there's two takes on that. I think CrowdStrike was very candid and transparent about the macroeconomic challenges, perhaps more so than some of the other publicly traded security vendors have, that did make it clear that even a very well-regarded cybersecurity company like CrowdStrike is not immune from the laws of gravity, the macroeconomic pain will be felt by all and even if cybersecurity is seen as less discretionary and more of a necessity that the laws of gravity apply here as well. CrowdStrike has to deal with the effects including their case that they're also going to slow hiring. Having said that they do a bigger picture that the slowdown may be an opportunity for them. Their expectation is that this slowdown will drive consolidation that budget-conscious customers will be looking to reduce their security footprint and get more security capabilities from future vendors. Their feeling is that they can be a beneficiary of that. Their strength is endpoint. It's an endpoint detection response vendor, but they can do asset management, cloud and identity. They have upwards of 20 different modules. They just bought an external attack surface management company. Instead, their feeling is when companies are looking to consolidate in origin, looking to reduce the number of agents they have, CrowdStrike will be a popular choice for those folks. They also feel that just financially, they're on more sound footing. They have two and a half billion dollars on their balance sheet. When they're looking at folks who didn't go public that stuck in purgatory with funding when they look at folks who maybe aren't as cash-rich that their feeling is that they can be aggressive if M&A opportunities arise - that they can be aggressive in pursuing new customers where the opportunity merits and that their more stable financial position will help them weather the storm better than some of the smaller firms as the recession perhaps deepens.
Delaney: Michael, this has been helpful analysis. Thank you so much.
Novinson: You're very welcome, Anna.
Delaney: Finally, ahead of ISMG's Mission Critical: Securing Critical Infrastructure, Connected Devices, and Crypto & Payments summit from December 13 to 15, I spoke with Ben Deering, director for cybersecurity and operations policy at the White House, about leveraging threat intelligence to protect critical infrastructure. I asked him how private sector entities can help the U.S. National Security Council to help them with better intelligence. Here's what he said.
Ben Deering: I think several sectors and many firms in these sectors have already been very constructive in how they help us help them. It's only, I guess, you could say the pilot skill level. But several sectors have hosted or welcomed me and my interagency colleagues over the last year on-site visits. Those are very important. Let me just explain why I'm even talking about these among all the ways we could partner is, so we've been over the last year to an LNG plant, a gas compressor station, a rail facility, and a major water treatment plant. Each time, it's been great. We've gotten to sit down with the plant operators and the engineers as well as the network defenders. It's amazingly insightful, I would say. We always come away both impressed with the complexity of the systems that our private sector partners are operating to great lengths. They go to ensure that they remain safe and reliable. Then how sophisticated their cybersecurity and other security measures already are. And so those are very helpful. One of the reasons that I say that they are helpful is the idea of providing sector-specific information. We can't do that if we don't understand the sectors and if we don't understand how the aviation sector is different than the water sector or the grid. What that means both in terms of the physics of those sectors, but also the network architecture, of those sectors, how that changes, maybe the attack vectors that are most likely to be utilized by an actor or the capabilities and level of mature capabilities an actor might need to disrupt one sector versus the other. All of those are helpful. You can't get a sense of that sometimes until you go out and understand some of these real-world sites. So we've appreciated that.
Delaney: That's it from the ISMG Security Report. I'm Anna Delaney. Until next time!