Talk to the board, not just IT, about ransomware
Editor’s note: The following is a guest article from Lucia Milică, global resident CISO at Proofpoint.
Cyberattacks are growing in scale, and with them the impact of each attack and the cost of recovery.
Two-thirds of organizations have experienced a ransomware attack, and the cost averages more than $5.6 million a year. Of that total, only $790,000 is tied to ransom payments; the remainder is made up of indirect costs such as downtime, recovery and remediation, which lays bare how much of the damage lies outside the ransom itself.
Encryption or destruction of data is not the only threat. Some ransomware actors practice double and even triple extortion: they steal emails and data before encrypting, then sell the stolen material on the dark web or threaten to publish it to embarrass the organization unless a ransom is paid.
The key to stanching the tide of this increasingly harmful threat is understanding and communication. It is not just a conversation technology leaders should have with their IT departments; the board must be closely involved too.
Cybersecurity teams must understand the inner workings of modern ransomware, including how it can best be detected and deterred. Just as important, teams must effectively communicate the problem and solution to the board so they can put plans and protections in place for before, during and after an attack.
The changing face of ransomware
The initial entry point for modern ransomware is unchanged: in most cases cybercriminals gain access to networks through email, typically a phishing message carrying a malicious attachment or link.
Criminal groups used to launch mass blanket attacks, hitting as many email addresses as possible and hoping at least a few recipients would take the bait. Today these groups research their intended targets first, uncovering details that make their malicious messages far more convincing.
The tactics employed once inside an organization’s perimeter have also changed. Traditionally, ransomware was a smash and grab: get inside, drop the payload and demand a ransom. In recent years, cybercriminals have taken to moving laterally through compromised networks, often for days or weeks before encrypting anything, infecting as many devices and critical systems as possible. The more data they put at risk, the higher the ransom they can demand.
As a result, the window between initial compromise and encryption is where detection now matters most, and time to detection is far more critical than before. That raises the need for rapid, clear communication between end users, cybersecurity teams and the board.
Get people on the same page
Because rapid response matters so much, clear and effective communication is vital to preventing and protecting against ransomware. Make sure that everyone in the organization, including the C-suite, is aware of the level of risk they face, the likelihood of encountering an attack and what to do if that happens.
The biggest question for the board in the event of a ransomware attack is whether or not to pay. Organizations should not pay, as that perpetuates and finances cybercrime, but there are situations in which they may be forced to consider all alternatives.
Paying guarantees neither a rapid resolution nor a working decryptor, while refusing to pay could very well lead to considerable data loss. Whatever your policy, settle it with the board in advance, before an incident rather than during one, so that you can orchestrate a response quickly.
Communication is just as important during a ransomware attack. Technology leaders need to keep the board informed on the who, where and when of the threat, as well as its status: is it still in progress, or has it been contained? With rapid access to accurate information, decision-makers can quickly put response plans into action, isolate or shut down affected systems, and restore from backups where possible.
The aftermath of a successful response to a ransomware attack is no time for complacency. The overwhelming feeling may be one of relief, but it is very important that cybersecurity teams and board members conduct a thorough post-incident analysis.
That means assessing the damage and data loss, establishing the method of entry and the tactics deployed once inside, and outlining the steps to recovery. Lessons learned from this post-mortem should be implemented swiftly, both to bolster technical defenses and to improve threat awareness among the workforce.
How to speak to the C-suite
When communicating with the C-suite, keep in mind that how a leader says something is just as important as what they say.
CFOs, CMOs and even CEOs may not be versed in technical cybersecurity language or in the systemic risk inherent in complex digital systems. Frame the conversation in terms of business value instead. Make sure they understand what is at risk across the enterprise, the consequences of failing to protect it and the steps required to do so.
Clarity is always key. The more seamless an organization’s lines of communication are, up, down and across the business, the faster it can respond to a ransomware attack. That might be the difference between immediate detection and long-term disaster.