Ransomware Threats Are Growing. How Can Boards Protect Mission-Critical Assets?

Depth and breadth of cyber risk elevates cybersecurity to directors’ portfolio

by Jim DeLoach
December 14, 2022
in Cybersecurity

Illustration by Luis Moreno Martinez | For CCI


As the sophistication level of cyber attackers continues to rise, there’s probably not a business on Earth that isn’t at risk. While the day-to-day management of the cyber threat falls to others, as Protiviti’s Jim DeLoach explores, company boards need to have a strong hand here.

A ransomware attack is every organization’s nightmare. Even with concerted efforts to understand and manage the threat, the uncertainty created by must-read headlines of the chaos that high-profile attacks engender is troubling to senior executives and directors alike. Smart leaders know a strategic response is needed. The recent attack confirmed by a cloud solutions provider only serves as yet another reminder that no one is immune.

The Wannacry and NotPetya attacks in 2017 got everyone’s attention as to the potential devastation ransomware incidents leave in their wake. Since then, these attacks have continued unabated against one brand after another, and in 2021, the high-profile Colonial Pipeline and Kaseya attacks once again proved that the perpetrators of these crimes play for keeps. Reputation damage, hefty ransoms, business continuity and uncertainty about data recovery are all concerns. But the core of the conversation is about exposure to loss of intellectual property and customer information and the specter of unpleasant dealings with criminals and other parties who may or may not be sponsored by nation-states.

A survey of 280 technology leaders from organizations of all sizes that suffered a ransomware attack in 2021 disclosed that 97% of such attacks attempted to infect backup repositories and 53% of data was encrypted by the attacks. Interestingly, 52% of organizations paid the ransom and were able to recover their data, 24% paid the ransom but still could not recover their data and 19% recovered their data without paying ransom. To top it off, 52% of the survey respondents believe, as a key takeaway from the attack experience, that a significant improvement or complete overhaul is needed in the collaboration between cybersecurity and IT backup teams.

Notwithstanding the aforementioned poll, the market still does not know the number and full scope of these attacks, as relatively few companies victimized by them are eager to share their experiences. That said, estimates of total ransomware costs in the United States in 2021 run as high as $20 billion.

According to Coalition, a cybersecurity insurance provider, ransomware attack frequency and costs are down. This downward trend is attributable to organizations becoming more aware of ransomware and more stringent underwriting standards, leading them to implement better controls. These improvements have helped enterprises restore operations without paying ransom. One thing is clear: Few companies are fully protected — and no company feels safe.


Neither size nor location matters. Every organization is vulnerable. Ransomware threat actors often focus on disruption. They no longer remain silent for months inside a company’s technology systems, awaiting the payoff of exfiltrating data. Emphasizing velocity, their model is to rapidly penetrate, exfiltrate and encrypt and then demand ransom, all within a matter of minutes.

Ransomware, which once consisted of automated malware that haphazardly encrypted data, is now far more sophisticated. Current ransomware campaigns initially use live-off-the-land techniques combined with specialty tools that are highly obfuscated to avoid detection. Dwell times average four to six weeks as attackers curate data exfiltration for maximum impact. Victims refusing to pay extortion must prepare for public disclosures of exfiltrated data. Bottom line, rogue players end up controlling the enterprise.

The economics of ransomware are evolving. Ransomware as a Service (RaaS), an offering of pay-for-use malware, can be invoked to encrypt systems and collect the ransom, shortening cycles between campaigns. Similarly, attackers running campaigns can buy access to networks through an open marketplace. Boutique services have evolved among security providers to negotiate and pay ransom on behalf of clients. In the U.S., several state legislatures are considering banning ransomware payments, while the FBI is advising the U.S. Congress against bans.

Navigating these complex, often competing trends requires expertise grounded in a deep understanding of the business. As attacks and attackers grow more sophisticated and consequences continue to magnify, companies must learn and respond in kind. To adapt confidently to this evolving threat landscape, they must combine operational resilience, cyber threat intelligence and cybersecurity. But this is not easy: there are many moving parts to building a strong, coherent and dynamic cyber defense that responds to the attack landscape with focus and speed.

Here are some examples of these moving parts, listed as the compromise point followed by the security measures that address it:

  • User reuses credentials on websites: security awareness training; culture of compliance
  • Attacker finds credentials or access for sale: cyber threat intelligence; password policy controls; vulnerability management
  • Attacker accesses vulnerable systems: multi-factor authentication; geo-fencing; advanced threat protection
  • Attacker acquires privileged identity: advanced threat protection; strong access management; privileged identity/access management
  • Attacker curates collection of data to steal: data loss prevention; intrusion detection systems; endpoint detection and response
  • Attacker triggers ransomware: endpoint detection and response; backup hygiene; cyber insurance

Given the complexity and dynamics of ransomware exposures, following are four suggestions for senior executives and board members to consider as they focus on helping their organizations meet the challenge of analyzing risk and protecting critical assets:

Prepare the chief information security officer (CISO) for success. Because CISOs perform a role so essential to the hygiene and security of some of the enterprise’s most important assets, it is imperative that the C-suite and the board position them for success. Some CISOs find the prospect of addressing the board intimidating and may not feel they are up to the task. Their subject matter is complex and nuanced, and they are often allocated limited time to brief the board. Others may feel they cannot get traction on budget requests and are not in a position to advocate for themselves, a perspective the CEO, CFO and CIO should bring to the conversation.

Most CISOs recognize that they must speak in a manner that resonates with the board and CEO by framing the conversation at the proper level. But they may lack the strategic communication skills that are important in the boardroom and C-suite.

My view: It’s a two-way street for both leaders and the CISO. Leaders should:

  • Instill confidence in the CISO by clarifying expectations, educating themselves on the issues, allowing sufficient agenda time for discussion, and paying attention when additional resources and budget are requested.
  • Assist the CISO in focusing preparations, priorities and metrics for the boardroom and C-suite by conveying their concerns.
  • Understand and approve the criteria for recruiting and hiring the CISO and succession planning for the position.

As for communicating with the board:

  • Under the auspices of the board or committee chair, the board should let the CISO deliver the message in response to stated expectations and take questions requiring a more detailed response offline if limited agenda time is allotted to the cyber discussion.
  • The CISO should be positioned as a strategic partner at the board level, with necessary interfaces between meetings with interested directors and active support from the board chair and CEO.
  • The CISO should be the education officer for the board to understand the gravity of ransomware and related security issues.

CISO candidates should have a strategic view and not be mired in operational response. This perspective would help them understand better the language of the boardroom and delineate content that has value. Brevity and conciseness rule the day.

Organize the board for effective cybersecurity oversight. When a ransomware attack occurs, the full board often owns the matter and is engaged until the issue is resolved and structural integrity of the system is restored. Going forward, the maintenance of that integrity is typically the primary focus of a designated committee of the board.

While the CISO owns the plumbing underlying operational response and management is responsible for its effectiveness, directors should expect to gain confidence from the CISO’s briefings that the response plan going forward and any third-party vendors engaged to assist in its implementation reflect the lessons learned from past attacks and continuing assessments of the threat landscape.

The board should periodically assess whether it needs access to additional expertise — either as a member of or an objective adviser to the board. Relevant options for structuring board inquiries depend on the severity of the threat landscape, the role of technology in executing the company’s business strategy, and the sensitivity of the systems and data supporting the business model.

Don’t forget third parties when asking the right questions. Many boards and senior executives seek to understand how ransomware attacks have occurred and whether those same methods could be exploited in their organizations. The importance of asking the right questions on situational awareness, strategy and operations, insider threats, incident response, and other related topics cannot be overstated and is well documented as a priority. An NACD publication on cyber risk oversight includes several tools that recommend relevant questions.

For ransomware, directors should focus on compromise assessment and incident response and preparedness, with emphasis on the end-to-end enterprise:

  • A ransomware attack on third parties handling mission-critical systems and sensitive data can stop the show just like a direct attack on the company.
  • If attackers discover the third party’s access privileges to company systems and data, the company itself could come under attack.

Support the conversation with a dashboard of appropriate metrics. The CISO’s reporting and metrics should inform their board communications and be integrated into the overall enterprise risk management dashboard.

Relevant metrics might include:

  • The number of system vulnerabilities
  • The length of time required to implement patches
  • The number of breaches
  • Attacker dwell time (the length of time it takes to detect a breach)
  • The length of time it takes to respond to a breach, once known
  • The length of time it takes to remediate audit findings
  • The percentage of breaches perpetrated through third parties
  • The number of violations of security protocols.

Attacker dwell time is particularly important to a ransomware attack because the longer attackers remain in a network undetected, the more likely they will find system resources they can leverage for ransom.
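As an added illustration (not from the article or its author), the following shows how a security team might compute several of the dashboard metrics listed above from incident and vulnerability records, including a count of incidents whose dwell time exceeded a board-set tolerance. The incident and vulnerability records are constructed sample data, and `dwell_appetite_days` is an assumed figure of the kind a risk appetite statement would define.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Every record in this file is constructed sample data, not a real incident.

@dataclass
class Incident:
    name: str
    initial_access: date        # earliest attacker activity found in forensics
    detected: date              # when defenders first identified the intrusion
    contained: Optional[date]   # when it was contained; None if still open
    via_third_party: bool       # entered through a vendor's access or systems

@dataclass
class Vulnerability:
    ref: str                    # internal tracking id (placeholder, not a CVE)
    disclosed: date             # when the weakness became known to the team
    patched: Optional[date]     # when remediated; None if still open

def dwell_days(inc: Incident) -> int:
    """Attacker dwell time: days between initial access and detection."""
    return (inc.detected - inc.initial_access).days

def response_days(inc: Incident) -> Optional[int]:
    """Days from detection to containment; None while the incident is open."""
    return None if inc.contained is None else (inc.contained - inc.detected).days

def dashboard(incidents: List[Incident], vulns: List[Vulnerability],
              as_of: date, dwell_appetite_days: int) -> dict:
    """Board dashboard as of a reporting date. dwell_appetite_days is an assumed
    board-approved tolerance for undetected attacker presence (risk appetite)."""
    dwell = [dwell_days(i) for i in incidents]
    response = [r for r in map(response_days, incidents) if r is not None]
    patch = [(v.patched - v.disclosed).days for v in vulns if v.patched]
    open_vulns = [v for v in vulns if v.patched is None]
    third_party = sum(i.via_third_party for i in incidents)
    return {
        "breaches": len(incidents),
        "median_dwell_days": median(dwell) if dwell else None,
        "breaches_over_dwell_appetite": sum(d > dwell_appetite_days for d in dwell),
        "median_response_days": median(response) if response else None,
        "pct_breaches_via_third_party":
            round(100 * third_party / len(incidents), 1) if incidents else 0.0,
        "open_vulnerabilities": len(open_vulns),
        "open_vulns_over_30_days": sum((as_of - v.disclosed).days > 30 for v in open_vulns),
        "median_days_to_patch": median(patch) if patch else None,
    }

SAMPLE_INCIDENTS = [
    Incident("INC-A", date(2022, 1, 3), date(2022, 2, 14), date(2022, 2, 16), False),
    Incident("INC-B", date(2022, 5, 10), date(2022, 5, 12), date(2022, 5, 19), True),
    Incident("INC-C", date(2022, 9, 1), date(2022, 10, 3), None, False),
]
SAMPLE_VULNS = [
    Vulnerability("VULN-1", date(2022, 3, 1), date(2022, 3, 15)),
    Vulnerability("VULN-2", date(2022, 6, 1), date(2022, 7, 20)),
    Vulnerability("VULN-3", date(2022, 10, 20), None),
    Vulnerability("VULN-4", date(2022, 11, 15), None),
]

def sample_dashboard() -> dict:
    return dashboard(SAMPLE_INCIDENTS, SAMPLE_VULNS, date(2022, 12, 1), 30)

if __name__ == "__main__":
    for key, value in sample_dashboard().items():
        print(f"{key:32} {value}")
```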

Today’s ransomware attackers are well-funded, business savvy and deeply experienced in cybersecurity hacking methods. And they’re playing tough. While the board is not responsible for day-to-day operational details, its duty-of-care responsibilities in cyberspace are important given the sensitivity of data and the value to shareholders of the company’s intellectual property, reputation and brand image. This applies to executive management as well in supporting the CISO.


Questions for executive management and the board

Following are some suggested questions that senior management and boards of directors may consider, based on the cyber threat landscape inherent in the company’s operations:

  • Do we have effective security controls in place designed to prevent or limit the impact of ransomware?
    • Are cyber controls in place to protect our privileged access accounts?
    • How often are these controls tested? Are tabletop exercises of likely attack activity, given the increasing sophistication of likely threat actors, performed periodically to ensure defenses can detect a breach and respond in a timely manner?
    • What is our backup strategy to mitigate ransomware? For example, do we have a consistent backup cadence? Are backups stored in off-site locations?
    • Should we be impacted by a ransomware attack, what is our incident response plan? How broadly is the plan shared within our organization? Do we have a provider on retainer in the event we are a victim of ransomware?
  • Do we know where our critical systems and data reside, the critical assets that we simply cannot afford to lose or have taken away, and/or systems for which unplanned shutdowns cannot be tolerated? Do we have the processes in place for operational resilience? Do we have 24/7 defense and monitoring against a ransomware event?
  • Does the company have cyber insurance with provisions for extortion coverage, including investigatory costs, negotiations costs, ransom payments and other incidental losses?
  • Have we defined expectations for the CISO and operational management in the cyber space and established clear accountabilities for performance?
    • If the organization has a risk appetite statement, are the board’s expectations for cybersecurity and ransomware attacks incorporated therein?
    • Do the metrics reported to senior management and the board provide supporting key performance and risk indicators as to how the top priority cyber risks are being managed? Do the metrics address areas that inform the CISO’s communications with the C-suite and in the boardroom?
    • Can we effectively quantify the impact of a ransomware event?
  • Does the transition to remote or hybrid work arrangements and reliance on virtual B2C experiences increase the risk of targeted criminal ransomware attacks and advanced persistent threats? Are we addressing the risk of criminals exploiting remote workers? Does our third-party risk management program consider potential exposure to ransomware attacks?

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
