The Extreme Approach assumes that the attackers have access to the best skills and capabilities, without significant resource limitations, and are motivated to attack you, rather than anyone else.

It poses a simple question: is there anything that you could do to dissuade them, by making their attacks more difficult, more time consuming or more expensive?

It then poses a second question: how many of those things could your business afford, and how many would be acceptable to your business users, if you explained why you want to do them?

Finally, it poses a third question: how many of those things would the business owners approve based on the risk of business failure due to an attack versus the cost of protecting the business?

Your response to those questions depends on whether you accept the assumptions, so let’s look at the evidence in support of those assumptions in more detail:

  • Ransomware is dominated by organised crime syndicates, and the largest make billions of dollars each year by extorting money from businesses and other organisations
  • Most of these organised crime syndicates have access to cyber skills and capabilities that are comparable to large nation states, and some are tolerated or even approved by them
  • More recently, these crime syndicates have started selling Ransomware as a Service, which is effectively a franchise to extort money from businesses and organisations
  • One consequence of Ransomware as a Service is that you can’t realistically predict why your business might be targeted, or the level of motivation your attackers may have to target you
  • The business models of these crime syndicates are constantly changing, as their businesses mature and expand, so you could be attacked for reasons you cannot understand or predict
  • Modern Ransomware steals all of your data, and deletes all of your backups, before encrypting your production systems and demanding a ransom for release of your data
  • The ransom demands often include threats to release data to customers, competitors, the public or authorities, and attackers search stolen data for new extortion opportunities
  • Even if you pay the ransom, your data may still be retained for years or even decades, and used to extort money from your business, customers, suppliers, staff, or anyone else

If you conclude that the risk to your business might just conceivably be real, then looking for things that you can do to reduce that risk seems quite reasonable, subject to the caveats that they must be both affordable and acceptable to the business.

The extreme approach to cyber security focusses on identifying security measures that are affordable and acceptable, before considering specific technical implementations, and consequently prioritises cost and user experience, in parallel with the security benefits of specific risk mitigations.
