In the latest episode of Finite State’s podcast, “IoT: The Internet of Threats,” Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology (IST) and co-chair of the Ransomware Task Force (RTF) Working Group, joins podcast host Eric Greenwald to discuss the current and future state of ransomware, what small- and medium-sized businesses can do to fight ransomware, and whether tactics like regulation and insurance actually help or hurt the fight against ransomware.

In the episode, they also discuss the RTF's recently released report, "The Blueprint for Ransomware Defense," which the RTF calls a "clear, actionable framework for ransomware mitigation, response, and recovery." 

During this 20-minute episode, Megan and Eric examine:

  • How small- and medium-sized enterprises can defend against ransomware, even with limited cybersecurity expertise 
  • The current state of ransomware: where it is and where it's going 
  • Whether regulation works in driving companies to improve cybersecurity, or if it just creates compliance theater
  • If ransomware insurance makes things better or actually causes the frequency and severity of ransomware to grow

What does the ransomware threat environment look like?

What's happening with the ransomware threat environment right now? Is it growing? Abating? What kinds of businesses get hit hardest or most often?

Business interruption expenses increased more than 150% between 2016 and 2020, and ransomware accounts for nearly 80% of these expenses. Year-over-year, ransomware payments grew 82% and the average ransom payment was around $600k, according to data discussed during this episode. 

Ransomware is a clear and persistent threat to today's companies, but how can they protect themselves? Listen to the full conversation at the 5:00-minute mark. 

Is cybersecurity regulation worth it?

Does regulation succeed in encouraging companies to improve cybersecurity or does it just create more compliance theater? "If you ask anyone from industry if they want regulation," Stifel says, "most of the time, they say no. Compliance is a burden, but the counter to that is to say you've had the opportunity to do this on your own, and you've basically failed." Listen to the full conversation at the 10:00-minute mark.

Is ransomware insurance worth it? 

If kidnapping insurance, arguably, encourages more kidnapping, does ransomware insurance actually make ransomware more frequent and its demands much bigger? "There is less of a practice of covering ransomware payments. Before, you could get insurance coverage for your payment, now you will not," Megan Stifel comments in this episode. 

How has insurance changed the ransomware environment and what does it mean for cybersecurity efforts? Listen in, as the conversation starts around the 15:30-minute mark. 

Episode Details

Megan Stifel is the Chief Strategy Officer at the Institute for Security and Technology (IST), a San Francisco-based think tank that designs and advances solutions to the world's toughest emerging security threats. Megan also serves as a co-chair of the Ransomware Task Force (RTF) Working Group. Launched in April 2021, the RTF brings together key industry, government, and civil-society stakeholders to combat the ransomware threat with a cross-sector approach. 

Megan is also the founder and CEO of Silicon Harbor Consultants, LLC, and a Visiting Fellow at the National Security Institute at the Antonin Scalia Law School at George Mason University. Prior to these roles, Megan served as a non-resident senior fellow at the Cyber Statecraft Initiative, Global Policy Officer at the Global Cyber Alliance, and Director for International Cyber Policy at the National Security Council. Megan holds a J.D. from Indiana University's Maurer School of Law.

Episode Links

All episodes of Finite State’s “The Internet of Threats” podcast can be heard on Spotify, Apple Podcasts, and Google Podcasts.
