Many organisations limit their preparation for and response to cyber-attacks to IT security and technology issues. Yet ransomware risk should be handled at every business and executive level, not only by the IT department.
Are companies adopting the right cyber approach to ransomware? Are their organisation and governance sufficiently prepared to react to this type of attack?
“The malicious act represents one of the most powerful business models in cybercrime today,” according to IBM. “It can cost companies as much as $40 million to $80 million to regain access to their data. It can also jeopardise their operations or even their survival.”
The victims are also human, especially when hospitals and vital medical devices are targeted: in September 2020, a patient admitted to the emergency room in Düsseldorf could not be treated in time by the medical teams, because a cyber attack had blocked all of the facility's systems and data.
Involve every business function
As ransomware increasingly targets businesses and critical public services, “organisations need to adjust their ransomware mindset around the role of security,” says a recent report from Accenture Security. Recovery strategies based on traditional business continuity plans are no longer enough to maintain adequate cyber resilience.
“Both upstream and downstream of the attack, managing ransomware is too often a technical matter. As is crisis prevention, treatment and remediation, which are very often managed by the IT and security manager,” the paper’s authors explain. “Whereas all technical, operational and administrative departments are involved.”
The organisation must therefore bring all of its business functions into its ransomware approach: “The approach must go through a complete mapping of its critical assets and processes, to fully understand its value chain, list all impacted systems and associated applications,” recommends Accenture. “The goal is to define and prioritise the right responses in the event of an attack, in order to minimize the operational, financial, image or reputation risks.”
Communication plans that lack transparency
The second major challenge identified by the paper is that existing crisis communication plans lack the transparency and agility needed to adapt to new and complex cyber incidents.
According to the paper, a predefined decision framework, coupled with a better understanding of the industry, its regulations and its customers, can create a more robust crisis communications approach.
Among other recommendations, the authors suggest that organisations impacted by an attack should “communicate openly but carefully. And that’s by defining an agile communications strategy beforehand, one that takes into account the complexities of a cyber-attack from a technical and business perspective.
“Before setting their communication process in motion, organisations must be careful, avoid sharing incorrect information, and consider the parties involved,” they say.
For example, financial institutions that are victims of data theft, including theft of customer credit card data, must adhere to strict regulatory and compliance requirements for monitoring and reporting before the general public is made aware of the intrusion and theft.
Bringing the CEOs on board
Another weakness identified by Accenture is that preparedness plans do not include the decision makers. During the crisis, when, in which departments and at which sites will operations need to be restarted?
Which important and critical decisions need to be made first? In order to respond and recover quickly from ransomware, the paper recommends including the CEO, the executive committee or the board of directors in the cyber resilience strategy.
“Organisations should include these decision makers in their approaches and exercises to test and validate attack prevention, detection, response and recovery processes,” the paper advocates.
“They can not only test their defences against a typical ransomware attack, but also introduce the risk and adrenaline of a ‘real’ attack scenario.”
For example, in a simulated ransomware intrusion, executives are told that activity has dropped in three business areas. They are then asked to determine in real time which business to recover first, how to communicate about the attack and the response, and who is responsible for making these decisions.
Because ransomware knows no boundaries, it impacts the entire ecosystem of an organisation: externally, investors, suppliers, trusted third parties and customers; internally, employees and the administrative and operational functions.
“Any crisis response strategy must therefore take into account the range of stakeholders involved,” concludes Accenture.
However, as in many IT professions, there is a shortage of talent in the cyber sector, with an estimated 2.5 million jobs to be filled worldwide. To become more cyber-resilient, should companies also review their organisation and promote a culture and brand image that matches the expectations of cyber talent?