"Whose Fault Is It?" Quick to Fire, Slow to Act... Companies Hit by Ransomware Again Within Six Months After Paying Up [Cover-up 7]

Security Awareness Remains at Rock Bottom Even After Ransomware Attacks
SMEs Score Only 34.9 Points in Security Awareness
Lack of Security Teams and Hack Response Manuals
No Legal Requirement for Security Systems in SMEs
Severe Shortage of IT Talent... Hiring Specialists Is Nearly Impossible
Cyber Insurance Costs 3 to 5 Million Won Annually
Only 20,000 Companies Have Cyber Insurance for Five Years Running

(Photo: Pixabay)

"Whose fault is it? We should fire someone."

Last year, when an electronics manufacturer suffered its first ransomware attack, the company's CEO was furious. The IT staff member who handled everything from discovering the hacking incident to negotiating with the hacker said, "After the hacking, when I brought the report, the very first thing the CEO said was that we needed to find and fire the employee responsible for causing the breach. He didn't even look at the pages suggesting the adoption of a security management solution for small businesses. In the end, all we did was pay the ransom to the hacker."


However, just six months later, the company was hacked again. This time, the CFO berated the IT staff member, saying, "Isn't it humiliating to have paid the hacker twice?" The staff member recalled, "I almost blurted out, 'Then you should have invested in security in the first place.'" He added, "There were no countermeasures because the CEO was indifferent. It's not even surprising that it happened twice."


▲ Work files infected with ransomware, appended with the extension '.locked' (Photo by victim company)

Security Awareness Among Company Leaders Is Rock Bottom

Even after suffering ransomware attacks, companies that do not report the incidents and keep them hidden continue to show extremely low levels of security awareness. Being hacked again within six months is a clear case of "not even fixing the barn after losing the cow." These companies, even after losing tens of millions to billions of won to hackers, take no action and end up falling victim to the same incident repeatedly. The extent of companies' complacency about security can be seen in the results of a security consulting survey conducted last year by the Korea Internet & Security Agency (KISA) targeting small and medium-sized enterprises (SMEs). A KISA official stated, "Out of 246 SMEs inspected, the average score for information security management systems was only 34.9 out of 100, indicating extreme vulnerability. To put it simply, most of these companies lack not only security teams but also response manuals for when a hack occurs."


The Ministry of Science and ICT designates companies that are required to have security systems and obtain Information Security Management System (ISMS) certification. However, this only applies to large hospitals, schools, tech companies with annual sales of over 10 billion won, or those with over 1 million daily users. The majority of SMEs and mid-sized companies in the manufacturing sector are not included. Even if their security systems are full of holes, the government imposes no penalties.



Because there is no legal obligation and management is indifferent, some companies fall victim to ransomware multiple times. A confidential report from AhnLab's threat intelligence platform, TIP, provides such examples. Manufacturing company A was attacked twice over two years. In 2022, it was targeted by "Snatch," a hacker group specializing in data leaks. Last year, "Hunters International," notorious for its advanced techniques, broke in. The report explained, "A second attack suggests that the security vulnerabilities from the first incident were not fully addressed, or new vulnerabilities emerged."


Lee Myungsoo, head of AhnLab's cyber incident response and threat intelligence unit, A-FIRST (AhnLab Forensic Intelligence ReSearch Team), said, "Manufacturing companies, especially traditional ones, tend to neglect the importance of security. Even after negotiating with hackers and sending money, it is essential to analyze why the hacking occurred and establish countermeasures."


Manufacturers Struggle to Hire IT Staff

Of course, SMEs and mid-sized companies in the manufacturing sector are not entirely without excuse. There is a severe shortage of IT talent, making it extremely difficult to hire specialists. Even if they establish security systems, they often lack professionals to manage them. According to a 2023 survey by the job platform JobKorea of 283 SMEs with fewer than 300 employees, "IT/development positions" ranked second in terms of recruitment difficulty at 21.2%, just behind "sales positions" at 23.9%. The main reason cited was the difficulty in finding candidates with relevant knowledge or experience.


An industry insider said, "Young developers don't want to work for manufacturing companies because the pay is low and there is little to learn. Wouldn't you rather work at a large company with more senior colleagues to learn from, instead of a small company with only one or two IT staff?"


Another issue is that when a hacking incident occurs, the IT staff often has to shoulder all the blame alone. Shin, who has been head of IT at a pharmaceutical SME for 18 years, said, "Establishing a security system is only possible if management actively supports it. The smaller the company, the less likely they are to invest in this area." He added, "The person in charge repeatedly requests countermeasures, but management ignores them, and when an incident occurs, all the blame falls on the individual. That's why developers are reluctant to join small companies."


Cyber Insurance Also Neglected: "It's a Waste of Money"

Even after being hacked two or three times, there are ways to recover financially. The most obvious is cyber insurance. However, few companies actually purchase it, as the annual premium of 3 million to 5 million won is considered too expensive. One SME CEO said, "When I inquired with an insurance company, I found that the premiums didn't vary much depending on the company's size, so it actually felt like a loss to me. We already pay significant costs for the four major employee insurances and fire insurance, so it's not easy to add cyber insurance on top of that."


For the past five years (2020-2024), the number of companies with cyber insurance has remained at around 20,000. According to data obtained by Asia Economy from the office of Park Sanghyuk, a member of the National Assembly's Political Affairs Committee, the number of cyber insurance contracts held by domestic insurers increased by only 3.7%, from 21,794 in 2020 to 22,599 last year. An official from a major insurance company said, "Most renewals are only among companies that already have cyber insurance. Considering that there are over 8 million companies in Korea, this is a negligible number." He added, "In the end, only a tiny minority of companies are taking precautions against cyber threats, while the rest remain completely unprotected."


Editor's Note

In the real world, when a hostage situation occurs, someone always reports it. Whether it is the victim or a bystander, notifying the police quickly is the top priority. But in the case of cyber hostage situations caused by ransomware, the opposite is true. Victim companies are busy hiding the incident, even after losing all their money and time to hackers. Lee Hyungtaek, head of the Korea Ransomware Response Center, who has dealt with over 20,000 ransomware attacks in the past 10 years, said, "Very few companies report incidents after being hacked, even major ones like SK Telecom. Nine out of ten companies never disclose the damage externally. The cycle of hackers taking the money and leaving keeps repeating itself."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

