Ransomware – To Pay or Not to Pay Just Got More Complicated and Public/Private Partnerships May be The Answer

October 22, 2020


Homayun Yakub

Senior Security Strategist


NEW DELHI, India – October 22, 2020

Ransomware can cripple an organization. It often impacts a company’s ability to deliver core services, and can quickly jeopardize the trust customers have placed in them-ultimately impacting their bottom line. Public and private organizations alike are susceptible as attackers continue to evolve their tactics with increasing proficiency and accuracy. The global pandemic’s impact is also felt in this area, as the attack surface has broadened exponentially with organizations moving large portions of their workforce to remote-work status. The news cycle now frequently includes a rise in ransomware incidents suggesting the trend will only continue.

Organizations already dealing with the ramifications of the related economic downturn must now also contend with ransomware as another very real threat. The U.S. Government has also increased their attention on the issue with the Treasury Department releasing guidance on not paying ransoms to any attacker on their sanctions list. As such, doing so may incur civil penalties and fines, which adds yet another dynamic for organizations: whether to even report the incident for fear of government action.

All these increasing challenges have accelerated the need for organizations to formalize their responses, reinforce training/education of their workforces, and re-evaluate their security posture to consider adopting new processes and related technologies to minimize risk exposure. It also serves as an exigent opportunity to foster greater public/private collaboration on how best to stem the tide of ransomware attacks.

Cryptomalware variations

Ransomware has become a name synonymous with cryptomalware. The attacker encrypts data and demands a payment in order to release the data to the victim – they hold your data to ransom. Here the cybercriminal hopes to benefit at the expense of the targeted organization. However, in these scenarios, there will always be a loser. Either the victim loses (their data and their money) with the attacker winning a payday, or the attacker loses when they don’t get paid (note the victim may also lose as well in this situation when their data is encrypted). And meeting hackers’ demands don’t always yield expected results: we’ve seem examples of victims paying the ransom and not getting their data back due to either the decryption routine being faulty or the attacker not honoring the agreement to decrypt the data.

Leakware, also called double-extortion ransomware, is an adaptation of ransomware threatening to leak an organization’s data into the public domain unless a payment is made to the attacker. This creates a scenario between attacker and victim as the victim must still pay an often hefty fee to the attacker in order to prevent the disclosure of their data and all of the brand damage and potential regulatory attention that may entail. The attacker gets paid, but the victim doesn’t have their data lost or leaked. It results in the best of a bad situation for the affected organization – depending on the monetary value of the ransom demand, the ability to afford it, and/or the perceived value of the data. Attackers have recently pivoted attention to leakware knowing that organizations mitigate having to pay the traditional ransomware demand by having good backups in place.

Changing the rules – the risk of sanctions

Organizations consider many factors when deciding to pay a ransom demand. This may include the availability of good backups in order to restore the now locked data, the potential damage to the business’s brand reputation of paying or not paying, the likelihood of the attacker repeating an attack, any regulatory fines that may need to be paid to regulatory bodies, the ability to pay the attacker including the monetary value of the ransomware demand or having a known or reliable mechanism to pay the attacker. Further, an organization may have a SOP in place to handle a ransomware incident, or they may not.

It is clear to see that such a decision tree works in the favor of the attacker.

On October 1, 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In the explanatory advisory the Department of the Treasury explains that paying the attacker may “encourage future ransomware payment demands but also may risk violating OFAC regulations.” A list of ransomware families and authors is provided upon which the U.S. Department of the Treasury has applied sanctions. This list includes the authors of Cryptolocker, SamSam, WannaCry and Dridex. It is now necessary for organizations considering paying the ransoms to factor in the risk of sanction violations.

Even with the introduction of such sanctions, businesses will go through a calculation based on dollars or cents and weigh the cost of disruption to the business versus the cost of other mitigatory actions. This is when a playbook can be helpful to steer the affected business into well thought-out and anticipated actions. What else can be done to help before or during a ransomware incident?

How to protect yourself from ransomware/leakware

By not adopting a proactive stance, a targeted organization is forced into a zero sum or non-zero sum cryptomalware game by the attacker. If the attacker is successful in engaging, it becomes vital that the targeted organization to retain the upper hand. Here’s a high-level 5-point checklist to help in that regard:

1Create a ransomware incident playbook applicable to your organization, practice it often and refine as appropriate.

2Educate your users to understand how to avoid succumbing to the lures and tricks of cybercriminals.

Adopt solid and proven backup procedures in order to restore data in the event of a cryptomalware incident, including offline backups.

Adopt a data loss prevention program across your organisation so you gain visibility of where your data is and who is interacting with it. As part of your data protection strategy you should consider further steps such as segmentation of data across networks.

Remember that Behavior analytics can help identify anomalous actions within your environment which may be caused by attackers assuming the profile of a privileged user, interacting with files en masse or transferring data en masse.

What else must we do as a collective?

At the beginning of the pandemic, most CISOs focused on maintaining resiliency and minimizing business disruption as they transitioned to a majority remote workforce.. This movement to working from home further exacerbated the situation due to an expanded threat landscape and a reduction in controls normally present in a traditional office environment. The overlay of today’s reality against an economic, health and mental health backdrop has unfortunately created an opportunity for attackers to step up their activities and target remote workers who are attempting to balance work and life demands without otherwise being distracted and therefore susceptible to attacks. Against this backdrop, one thing is clear: in the cybersecurity industry, we’ll all benefit from increased public/private discussion and collaboration to find a better way forward. Now is a time for us work together to operationalize a ransomware approach that protects organizations in such a way that ensures attackers don’t win.

Future Insights – The Emergence of the Zoom of Cybersecurity

October 15, 2020

  • Cloud deployment is a necessity. Digital transformation has happened-and where it hasn’t, it needs to.
  • Cybersecurity grows in importance at the board level, thus driving demand for security cloud platforms.
  • Behavioural analytics will help leaders make intelligent, risk-based decisions on the fly.

I always love looking towards the future, but in 2020 it seems that the future rushed right at us, startling us and shaking us all up. Now we’ve had a little time to adapt, we can regroup, reassess, and take steps forward again.

This is the status quo today: We have all moved to remote working. Cloud deployment is a necessity. Digital transformation has happened-and where it hasn’t, it needs to.

All of these macro factors has led me to the conclusion that cybersecurity is now a business differentiator, and it needs a category disruptor. Cybersecurity has become the enabling engine which permits businesses to accelerate their pivot to the cloud and take advantage of the speed, scale and resilience of digital transformation.

The understanding and position of cybersecurity within the boardroom has long been an area for debate, but now, our discipline has moved a step higher in the food chain, and our importance is elevated. So where does that leave us? What will happen in 2021 to the industry?

The Irresistible Force

When Gartner first introduced SASE as a concept in 2019, their first report indicated that the market would not be ready or moving to this model for between three and five years, and only 40 per cent of companies would have moved to the model by 2024. But a combination of existing market forces in shifting to the cloud, plus the new blueprint of remote working forced upon us, means we’re facing a faster defragmentation of the market and an emergence of the “security platform” as the tool of choice.

This puts us in a situation rather like the irresistible force paradox. When an immovable object, in this case, the way cybersecurity is perceived at board level, meets an unstoppable force, here digital transformation driven by both market change and the events of 2020, what happens? It’s my view that in fact the immovable object moves. Cybersecurity grows in importance at the board level, thus driving demand for security cloud platforms. Boards of Directors seek out differentiation and innovation for their businesses, speedy solutions, and cost savings: all of which will deliver pressure for security in the cloud, and thus a need for a cloud platform security solution.

These changing demands at the top will deliver metamorphosis within the cybersecurity industry. The need for a converged, digital, cloud-delivered platform means we’ll see the emergence of the “Zoom of Security.” As we all discovered this year, Zoom “just works.” It’s a high-tech system which is easily accessible for the everyday consumer, and this is what boards will demand of their cybersecurity platforms.

Any serious category disruptor must be more deeply integrated into the public cloud ecosystem. Currently, developers are using security as a tool, but having to shoehorn in applications and functions not necessarily designed as cloud-native. Security will move to the left for the developer, and will become easily deployable and fully integrated.

Security… by stealth?

This integration will result in security becoming so engrained in applications and platforms that people will no longer realise they are being “secured.” Cybersecurity products have long been tarred with the brush of being intrusive, conflicting with people’s ability to get the job done, thus constricting innovation. Even for cybersecurity practitioners, the security stack is too complex. It’s got to become more automated, delivering security as a service so that enterprises can get on with their core business: not their core business plus running a team of expert cybersecurity professionals.

Analysts agree: in fact, Forrester is predicting that Zero Trust architectures will grow 200% in 2021. Once we emerge out the other side of this shift, security will be a cloud commodity, and the combination of technology plus data will give IT leaders true visibility of how and where data is moving through an organization.

It is this visibility of data which is the game changer. It’s not about monitoring in terms of keeping tabs on people’s actions, or invading their privacy: it’s about giving data analysts and business leaders a clear line of sight over data and its movements. Behavioral analytics gives us the telemetry we need to make intelligent, risk-based decisions on the fly, without intruding on either people’s privacy or their workflows.

We will have some fun as we look forward to next year. In my view, this category disruptor is likely to emerge through vendor consolidation and/or market movements, so we should also expect some significant merger and acquisition activity within the cybersecurity sector in 2021.

This defragmentation of the market, and shift to cloud and converged platforms alongside vendor consolidation should mean that security gets easier for business leaders – and hopefully for the professionals on the frontline too. In 2021, cloud will become part of cybersecurity’s DNA in a way that it isn’t today.

Future Insights Takeaways:

  • Cybersecurity has become the enabling engine which permits businesses to accelerate their pivot to the cloud.
  • We’re facing a faster defragmentation of the market and an emergence of the security platform as the tool of choice.
  • The need for a converged, digital, cloud delivered platform means we’ll see the emergence of the “Zoom of Security” in 2021.
  • Security will become so engrained in applications and platforms that people will no longer realized they are being “secured.”
  • Visibility of data is the game changer: the combination of technology plus data will give IT leaders true visibility of how and where data moves through an organization.
  • In 2021, cloud will become part of cybersecurity’s DNA in a way that it isn’t today.

Forcepoint on RBI Cybersecurity Policy for Urban  Cooperative Banks 

October 8, 2020


Brijesh Miglani

Security Consultant


NEW DELHI, India – October 8, 2020

“This is a great step forward by RBI to strengthen the cybersecurity infrastructure of urban cooperative banks (UCBs) and will help enhance the security posture of UCBs in having mature cyber security practices against emerging cybersecurity threats. The most significant part of the new Technology Vision document is the fact that UCBs will now have to appoint Chief Information Security Officers (CISOs) and that boards will become responsible for cybersecurity.

The Cyber Security Framework for UCBs talks about setting up of a Cyber Security Operation Center (C-SOC). The SOC provides a setup for multiple technologies for better incident management, predictive and behavior analysis, and automation to help banks detect attacks at an early stage. This will help protect UCBs from cybersecurity breaches, particularly given that UCBs hold multiple data related to personally identifiable information (PII) and payment card industry (PCI).

To address these real-world hacks and breaches, UCBs should adopt a behaviour-based data protection approach that focuses on data and user behavior analytics. The risk-adaptive protection analyses human behaviour to look for indicators of behaviours to identify risk. By focusing on individual users’ interaction with data, security teams can better understand, organize, manage and mitigate risk as it occurs. The ultimate goal is to prevent the accidental or malicious use of organisations’ data, while combatting threats from phishing attacks, compromised credentials and other potential vulnerabilities.

Forcepoint Dynamic User Protection Delivers Industry’s First Cloud-Native User Activity and Insider Threat Monitoring  Solution-As-A-Serice

September 30, 2020

  • Forcepoint Dynamic User Protection brings mainstream UAM and insider threat protection with SaaS-based solution designed for the programmable cloud featuring lightweight agent, no policy configuration via built-in Indicators of Behavior and real-time analytics for complete view of risk activity to secure employees and critical data in today’s remote work era
  • Intelligent Data Loss Prevention now enabled through Dynamic User Protection’s unified endpoint to deliver automated risk-adaptive policy enforcement and zero trust data access by leveraging individual risk scores to protect critical data and IP wherever it is accessed and used
  • Human-Centric Cybersecurity Brought to Life as Dynamic User Protection underpins the Forcepoint cloud security platform to empower global enterprises with continuous risk assessment where risk drives policy across all control points; including Forcepoint Data Loss Prevention available today with future integrations planned throughout 2021

MUMBAI, India – September 30, 2020

Global cybersecurity leader Forcepoint today announced the introduction of Dynamic User Protection that redefines modern user activity monitoring (UAM) and insider threat protection with the industry’s first cloud-native solution to deliver out-of-the-box functionality with no policy configuration. Through this capability, security teams are now empowered with real-time visibility into true risk behaviors of compromised and malicious users within hybrid cloud environments.

All security begins with visibility and the massive shift to remote work created blind spots into user activities with critical data and intellectual property in unmanaged home environments. Attackers have actively exploited this vulnerability with a 400% increase in cyberattacks in 2020, according to the FBI. Coupled with the reality that 95% of cybersecurity breaches are the result of compromised user credentials and human error, it is a competitive imperative today that businesses gain needed visibility to mitigate a data breach in real-time.

With Dynamic User Protection, user activity monitoring not only becomes easy-to-deploy it also brings mainstream enterprise access to continuous risk assessment across security control points. For example, utilizing Dynamic User Protection’s risk scores transforms the traditional audit-only mode Data Loss Prevention (DLP) deployment to become intelligent DLP by automating policy response based on level of risk while significantly reducing false positives. This ability to understand user risk in real-time across all control points becomes a cybersecurity game-changer for security teams, allowing global enterprises for the first time to seamlessly implement core Zero Trust and CARTA frameworks.

In this next phase of cybersecurity, managing risk across the cloud, network and endpoint will drive everything. With Dynamic User Protection, Forcepoint is changing the rules of the cybersecurity game by delivering global enterprises the ability to automatically enforce security policy across all control points tailored to a specific end-user based on the risk they represent,” said Nico Popp, Chief Product Officer at Forcepoint. “Dynamic User Protection is the heart of our new converged cloud security platform with integration into Forcepoint Data Loss Prevention available today with future integration planned across the entirety of the Forcepoint portfolio, including our recently announced Cloud Security Gateway SASE solution which will be delivered in first-quarter 2021. This is the true power of human-centric cybersecurity realized today and it is powerful for every organization that desires the ability to prevent a data breach before it can occur.”

Dynamic User Protection utilizes Indicators of Behavior (IoB) as the real-time analytics engine to determine the overall risk of an entity. These IoBs deliver security teams context around behaviors and by combining multiple behaviors determines true risk scores that assess overall risk of an entity as good and/or bad. With this capability, enterprises can now prioritize observed risk in real-time to move left of breach while also reducing security friction.

Delivered in an easy-to-consume SaaS model, Dynamic User Protection is fast and easy to deploy with a small 30MB footprint on the endpoint that installs in under 30 seconds with no reboot required. Utilizing Forcepoint’s unified agent, Dynamic User Protection is also self-maintaining through auto-updates ensuring enterprises have an always easy-to-manage cloud-delivered UAM.

Dynamic User Protection key features at-a-glance include;

  • Autopilot: pre-configured user risk assessment that continuously collects, enriches and correlates events on the endpoint in order to detect anomalous behavior.
  • Anomaly Detection: sets of observed data establish an entity’s baseline activity for specific applications and actions; and, observed data are analyzed with the anomaly detection engine to identify outlier behaviors and alert to real-time security risk.
  • De-centralized Analytics: performed on the endpoint versus the centralized approach with traditional UAM/Insider Threat solutions
  • Risk Calculation: continuous assessment of entity activity and risk impact generates a dynamic risk score that goes up and down based on the level of risk
  • Risk-Adaptive Policy Enforcement: based on the risk score, risk-adaptive DLP policies automate security response based on level of risk. Enforcement options include: Audit, Block, Notify, Confirm Prompt, Encrypt and Drop Email Attachment.

External cyber adversaries as well as internal bad actors put data at risk be it via compromised credentials or malicious insiders. Unfortunately, a lack of visibility into how users interact with data too often leads to cybersecurity incidents resulting in data loss,” said Doug Cahill, Vice President and Group Director at Enterprise Strategy Group. “Meanwhile, digital transformation initiatives have been accelerated by a surge in remote work. As a result, cybersecurity teams are revisiting ‘rights and privileges’ associated with users working from home, an endeavor which requires scale and accuracy. Leveraging User Activity Monitoring-as-a-Service allows enterprises to take advantage of what could best be called a ‘data scientist in the cloud’ to proactively manage user risk and protect critical data from being breached.”

To learn more about Dynamic User Protection and Forcepoint’s suite of Dynamic Data and Edge Protection solutions, visit:


Additional Resources

# # #

About Forcepoint

Forcepoint is the global cybersecurity leader for user and data protection. Forcepoint’s behavior-based solutions adapt to risk in real-time and are delivered through a converged security platform that protects network users and cloud access, prevents confidential data from leaving the corporate network, and eliminates breaches caused by insiders. Based in Austin, Texas, Forcepoint creates safe, trusted environments for thousands of enterprise and government customers and their employees in more than 150 countries. www.forcepoint.com

Join Forcepoint on Social Media


LinkedIn: https://www.linkedin.com/company/forcepoint

Twitter: https://www.twitter.com/forcepointsec

Forcepoint Recognised by Frost & Sullivan as the 2020 Indian Data Loss Prevention (DLP) Vendor Company of the Year

September 17, 2020

Forcepoint’s unique human-centric security approach is highlighted for providing the most effective data protection

MUMBAI, India – September 17, 2020

Global cybersecurity leader Forcepoint announced that it has been recognised as the 2020 India DLP Vendor Company of the Year by Frost & Sullivan.

Forcepoint’s next-generation DLP is designed for the evolving nature of today’s cybersecurity landscape and uses a human-centric approach to ensure that protection is not the enemy of productivity. Forcepoint’s risk-adaptive data protection solutions automatically apply appropriate actions based on an individual’s risk level while reducing false positive alerts for the cybersecurity teams, thereby freeing up their time.

Frost & Sullivan Best Practices Awards are based on in-depth independent research that is presented to an elite panel of jury members to evaluate the contenders. This panel consists of some of the most prominent CIOs and CTOs from the Indian industry. Forcepoint took the number one industry rank in 2020 based on its excellence in several key areas, including technological advancements, customer satisfaction, and its visionary position in terms of macro market trends. Frost & Sullivan also takes revenue growth, portfolio diversity, and market penetration into account when awarding Company of the Year.

Frost & Sullivan’s award recognises Forcepoint’s Dynamic Data Protection (DDP) as unique in the cybersecurity industry. DDP integrates behaviour-centric analytics with data protection tools, allowing cybersecurity teams to prioritise high-risk activities and automate data protection policies in near real-time, providing the highest security and workforce productivity.

The impeccable brand equity that Forcepoint has built in over the period of time by delivering DLP solutions that address today’s security needs makes it a vendor of choice for several large Indian brands.” said Rajarshi Dhar, Senior Industry Analyst, ICT Practice, Frost & Sullivan.

Surendra Singh, Senior Director and Country Manager at Forcepoint India, said, “Our endeavour has been to support enterprises in their digital transformation journeys through our unwavering focus on innovation and customer success. This recognition validates our behaviour-centric data protection approach, which places people and data at the centre of an organisation’s security design thinking and further solidifies our position as a leader in user and data protection. We remain committed to helping organisations leverage all the possibilities of a digital economy efficiently.”

In the near future, India is expected to have its own Personal Data Protection law. Indian enterprises are going to need strong data protection mechanisms like human-centric data security to prevent data from misuse, unauthorised access, or loss, thereby protecting regulated, sensitive, and business-critical data,” added Singh.

Forcepoint DLP offers a number of market-leading attributes that allow cybersecurity teams to:

  • Control all their data with one single policy
  • Simplify compliance with pre-defined policies
  • Protect critical intellectual property with unsurpassed accuracy
  • Prevent data breaches automatically

Additional Resources:

Blog: Forcepoint Wins Frost & Sullivan 2020 Indian Data Loss Prevention (DLP) Vendor Company of the Year

Brochure: The Definitive Guide to Data Protection

Customer case study – Fedbank Financial Services Limited

eBook – Rethinking Data Protection: The Human-centric Approach

Solution Brief: Dynamic Data Protection

Webcast: Modernize Your Data Protection

# # #

About Forcepoint

Forcepoint is the global cybersecurity leader for user and data protection. Forcepoint’s behaviour-based solutions adapt to risk in real-time and are delivered through a converged security platform that protects network users and cloud access, prevents confidential data from leaving the corporate network, and eliminates breaches caused by insiders. Based in Austin, Texas, Forcepoint creates safe, trusted environments for thousands of enterprise and government customers and their employees in more than 150 countries. www.forcepoint.com

%d bloggers like this: