“Do Not Pay” policies and pending bills elevating ransomware to a terrorist threat – these are just a sampling of the strategies that companies and governments are enforcing to deter ransomware groups from attacking. But the harsh reality is that ransomware attacks are on the rise, becoming a “when,” not “if” situation for companies.
A recent report from Cohesity found that almost 1 in 2 (49%) of global IT and security leaders said they had stress-tested their ‘data security, data management, and data recovery processes or solutions’ by simulating a response to a cyber event or data breach in the past six months. Despite that, a shocking 2% responded that they were actually capable of recovering data and restoring business processes within 24 hours, and 83% were willing to pay a ransom to recover data and restore business processes faster.
Stress testing is a critical step as companies build cyber resilience. However, in the face of rising threats and the widespread adoption of new technologies like AI and cloud services, the legacy approach towards stress testing is in dire need of an overhaul to keep pace with the rapidly evolving cyber landscape.
The traditional approach
In broad terms, a “stress test” in cybersecurity is an evaluation designed to determine the resilience and robustness of systems, networks, or applications under extreme or abnormal conditions. The goal is to assess how these systems handle malicious attacks or other stressful conditions that could potentially cause a system to fail or degrade in performance.
Key aspects of a traditional cybersecurity stress test include:
- Objectives and Scope: Determining which systems, networks, or applications will be tested, as well as identifying the types of threats the organization is most susceptible to.
- System Mapping: Analyzing and mapping out the IT infrastructure to understand all potential entry points, including cloud services.
- Simulating High Traffic Loads: Testing how a system or network performs under heavy traffic, such as during a Distributed Denial of Service (DDoS) attack, where the goal is to overwhelm the system with requests.
- Malicious Attack Simulation: Stress tests may involve simulated cyberattacks, like attempts to exploit vulnerabilities, to see how a system responds and whether it (and the people involved) can repel the attack and recover quickly.
- Recovery and Failover: Assessing a system’s ability to recover from a failure or to switch to backup systems (failover) during a crisis, especially ransomware.
While these steps should remain paramount as part of a company’s stress testing strategy, recent industry shifts and technological advancements should be taken into account and added into existing strategies to ensure testing remains thorough and up to date.
Foremost, stress tests should now undoubtedly consider AI-driven attacks, such as automated malware or AI-powered phishing campaigns. These types of attacks have been gaining considerable traction with ransomware groups, with the FBI even issuing a warning earlier this year to individuals and businesses in San Francisco to be aware of the escalating threat posed by criminals leveraging AI tools to conduct increasingly sophisticated cyberattacks and voice/video cloning scams. In fact, Cohesity recently found that 80% of IT leaders globally reported they had responded to what they believe to be AI-based attacks or threats within the last 12 months. By incorporating a variety of simulated AI-enabled attacks into stress tests, organizations can better prepare and understand how well current defenses are able to cope with these emerging threats.
Additionally, an increasing number of companies are shifting operations to the cloud, with global spending on cloud IT infrastructure expected to reach $129 billion in 2024. As more and more companies make the shift, especially with the increase in hybrid or remote work, cybercriminals are exploiting neglected areas of the cloud to carry out credential-based, hijacking, and man-in-the-middle attacks. In order to counteract these developments, stress tests should now consider and assess how well a given company’s cloud-based services, hybrid environments, and multi-cloud setups can withstand high loads and attacks.
Lastly, IT decision-makers must prioritize regular stress testing to ensure their systems remain resilient and secure. With the rapid pace of technological advancements, new vulnerabilities, and evolving attacks, stress testing must evolve at the pace of innovation to both identify and quell weaknesses before they can be exploited.
Comprehensive stress testing is being recognized as a critical step by some of the world’s preeminent organizations in the financial sector, with the European Central Bank recently conducting an evaluation of 109 banks to ensure they had in place ‘adequate business continuity, communication and recovery plans, which should consider a wide enough range of cyber risk scenarios’. As governing bodies embrace more rigorous testing scenarios, proactively testing security systems to a similarly high standard should be considered best practice for organizations. By incorporating the steps listed above, organizations can strengthen their resilience by identifying bottlenecks, vulnerabilities, and weak points in their infrastructure while also keeping pace with evolving regulatory expectations and the growing complexity of cyber threats in today’s digital landscape.