As the sophistication level of cyber attackers continues to rise, there’s probably not a business on Earth that isn’t at risk. While the day-to-day management of the cyber threat falls to others, as Protiviti’s Jim DeLoach explores, company boards need to have a strong hand here.
A ransomware attack is every organization’s nightmare. Even with concerted efforts to understand and manage the threat, the uncertainty created by must-read headlines of the chaos that high-profile attacks engender is troubling to senior executives and directors alike. Smart leaders know a strategic response is needed. The recent attack confirmed by a cloud solutions provider only serves as yet another reminder that no one is immune.
The Wannacry and NotPetya attacks in 2017 got everyone’s attention as to the potential devastation ransomware incidents leave in their wake. Since then, these attacks have continued unabated against one brand after another, and in 2021, the high-profile Colonial Pipeline and Kaseya attacks once again proved that the perpetrators of these crimes play for keeps. Reputation damage, hefty ransoms, business continuity and uncertainty about data recovery are all concerns. But the core of the conversation is about exposure to loss of intellectual property and customer information and the specter of unpleasant dealings with criminals and other parties who may or may not be sponsored by nation-states.
A survey of 280 technology leaders from organizations of all sizes that suffered a ransomware attack in 2021 disclosed that 97% of such attacks attempted to infect backup repositories and 53% of data was encrypted by the attacks. Interestingly, 52% of organizations paid the ransom and were able to recover their data, 24% paid the ransom but still could not recover their data and 19% recovered their data without paying ransom. To top it off, 52% of the survey respondents believe, as a key takeaway from the attack experience, that a significant improvement or complete overhaul is needed in the collaboration between cybersecurity and IT backup teams.
Notwithstanding the aforementioned poll, the market still does not know the number and full scope of these attacks, as relatively few companies victimized by them are eager to share their experiences. That said, estimates of total ransomware costs in the United States in 2021 run as high as $20 billion.
According to Coalition, a cybersecurity insurance provider, ransomware attack frequency and costs are down. This downward trend is attributable to organizations becoming more aware of ransomware and more stringent underwriting standards, leading them to implement better controls. These improvements have helped enterprises restore operations without paying ransom. One thing is clear: Few companies are fully protected — and no company feels safe.
Let’s face it: Nobody wants to be audited. For the average Joe, an IRS audit is a hassle (at best). And in the corporate world, the word itself is sure to draw ire. But Drata’s Troy Fine talks about the nuances of cybersecurity audits and why companies should welcome rather than fear them.
Neither size nor location matters. Every organization is vulnerable. Ransomware threat actors often focus on disruption. They no longer remain silent for months inside a company’s technology systems, awaiting the payoff of exfiltrating data. Emphasizing velocity, their model is to rapidly penetrate, exfiltrate and encrypt and then demand ransom, all within a matter of minutes.
Ransomware, which once consisted of automated malware that haphazardly encrypted data, is now far more sophisticated. Current ransomware campaigns initially use live-off- the-land techniques combined with specialty tools that are highly obfuscated to avoid detection. Dwell times average four to six weeks as attackers curate data exfiltration for maximum impact. Victims refusing to pay extortion must prepare for public disclosures of exfiltrated data. Bottom line, rogue players end up controlling the enterprise.
The economics of ransomware are evolving. Ransomware as a Service (RaaS), an offering of pay-for-use malware, can be invoked to encrypt systems and collect the ransom, shortening cycles between campaigns. Similarly, attackers running campaigns can buy access to networks through an open marketplace. Boutique services have evolved among security providers to negotiate and pay ransom on behalf of clients. In the U.S., several state legislatures are considering banning ransomware payments, while the FBI is advising the U.S. Congress against bans.
Navigating these complex, often competing trends often requires expertise with deep understanding of the business. As attacks and the attackers themselves increase in sophistication and consequences continue to magnify, companies must learn and respond in kind. To confidently adapt to this evolving threat landscape, they must combine operational resilience, cyber threat intelligence and cybersecurity. But this is not easy. There are many moving parts to building a strong, coherent and dynamic cyber defense system that responds to the attack landscape with focus and speed.
Here are some examples of these moving parts:
|Compromise point||Security measure|
|User reuses credentials on websites||Security awareness training|
|Culture of compliance|
|Attacker finds credentials or access for sale||Cyber threat intelligence|
|Password policy controls|
|Attacker accesses vulnerable systems||Multi-factor authentication|
|Advanced threat protection|
|Attacker acquires privileged identity||Advanced threat protection|
|Strong access management|
|Privileged identity/access management|
|Attacker curates collection of data to steal||Data loss prevention|
|Intrusion detection systems|
|Endpoint detection and response|
|Attacker triggers ransomware||Endpoint detection and response|
Given the complexity and dynamics of ransomware exposures, following are four suggestions for senior executives and board members to consider as they focus on helping their organizations meet the challenge of analyzing risk and protecting critical assets:
Prepare the chief information security officer (CISO) for success. As CISOs perform a role so essential to the hygiene and security of some of the enterprise’s most important assets, it is an imperative that they be positioned for success by the C-suite and the board. Some CISOs find the prospect of addressing the board intimidating and may not feel they are up to the task. Their subject matter is complex and nuanced and they are often allocated limited time to brief the board. Others may perceive they can’t get traction on budget requests and are not in a position to self-advocate, a perspective the CEO, CFO and CIO should lend to the conversation.
Most CISOs recognize that they must speak in a manner that resonates with the board and CEO by framing the conversation at the proper level. But they may lack the strategic communication skills that are important in the boardroom and C-suite.
My view: It’s a two-way street for both leaders and the CISO. Leaders should:
- Instill confidence in the CISO by clarifying expectations, educating themselves on the issues, allowing sufficient agenda time for discussion, and paying attention when additional resources and budget are requested.
- Assist the CISO in focusing preparations, priorities and metrics for the boardroom and C-suite by conveying their concerns.
- Understand and approve the criteria for recruiting and hiring the CISO and succession planning for the position.
As for communicating with the board:
- Under the auspices of the board or committee chair, the board should let the CISO deliver the message in response to stated expectations and take questions requiring a more detailed response offline if limited agenda time is allotted to the cyber discussion.
- The CISO should be positioned as a strategic partner at the board level, with necessary interfaces between meetings with interested directors and active support from the board chair and CEO.
- The CISO should be the education officer for the board to understand the gravity of ransomware and related security issues.
CISO candidates should have a strategic view and not be mired in operational response. This perspective would help them understand better the language of the boardroom and delineate content that has value. Brevity and conciseness rule the day.
Organize the board for effective cybersecurity oversight. When a ransomware attack occurs, the full board often owns the matter and is engaged until the issue is resolved and structural integrity of the system is restored. Going forward, the maintenance of that integrity is typically the primary focus of a designated committee of the board.
While the CISO owns the plumbing underlying operational response and management is responsible for its effectiveness, directors should expect to gain confidence from the CISO’s briefings that the response plan going forward and any third-party vendors engaged to assist in its implementation reflect the lessons learned from past attacks and continuing assessments of the threat landscape.
The board should periodically assess whether it needs access to additional expertise — either as a member of or an objective adviser to the board. Relevant options for structuring board inquiries depend on the severity of the threat landscape, the role of technology in executing the company’s business strategy, and the sensitivity of the systems and data supporting the business model.
Don’t forget third parties when asking the right questions. Many boards and senior executives seek to understand how ransomware attacks have occurred and whether those same methods could be exploited in their organizations. The importance of asking the right questions on situational awareness, strategy and operations, insider threats, incident response, and other related topics cannot be underestimated and is well documented as a priority. There are several tools included in an NACD publication on cyber risk oversight that recommends relevant questions.
For ransomware, directors should focus on compromise assessment and incident response and preparedness, with emphasis on the end-to-end enterprise:
- A ransomware attack on third parties handling mission-critical systems and sensitive data can stop the show just like a direct attack on the company.
- If attackers discover the third party’s access privileges to company systems and data, the company itself could come under attack.
Support the conversation with a dashboard of appropriate metrics. The CISO’s reporting and metrics should inform their board communications and be integrated into the overall enterprise risk management dashboard.
Relevant metrics might include:
- The number of system vulnerabilities
- The length of time required to implement patches
- The number of breaches
- Attacker dwell time (the length of time it takes to detect a breach)
- The length of time it takes to respond to a breach, once known
- The length of time it takes to remediate audit findings
- The percentage of breaches perpetrated through third parties
- The number of violations of security protocols.
Attacker dwell time is particularly important to a ransomware attack because the longer attackers remain in a network undetected, the more likely they will find system resources they can leverage for ransom.
Today’s ransomware attackers are well-funded, business savvy and deeply experienced in cybersecurity hacking methods. And they’re playing tough. While the board is not responsible for day-to-day operational details, its duty-of-care responsibilities in cyberspace are important given the sensitivity of data and the value to shareholders of the company’s intellectual property, reputation and brand image. This applies to executive management as well in supporting the CISO.
Reputation is like a ticket to the big game. Show it at the door, or you won’t get in. It is also irreplaceable. Lose it, and it’s game over. Protiviti’s Jim DeLoach offers four tips for nurturing and preserving your company’s most precious asset — its reputation.
Questions for executive management and the board
Following are some suggested questions that senior management and boards of directors may consider, based on the cyber threat landscape inherent in the company’s operations:
- Do we have effective security controls in place designed to prevent or limit the impact of ransomware?
- Are cyber controls in place to protect our privileged access accounts?
- How often are these controls tested? Are tabletop exercises of likely attack activity, given the increasing sophistication of likely threat actors, performed periodically to ensure defenses can detect a breach and respond timely?
- What is our backup strategy to mitigate ransomware? For example, do we have a consistent backup cadence? Are backups stored in off-site locations?
- Should we be impacted by a ransomware attack, what is our incident response plan? How broadly is the plan shared within our organization? Do we have a provider on retainer in the event we are a victim of ransomware?
- Do we know where our critical systems and data reside, the critical assets that we simply cannot afford to lose or have taken away, and/or systems for which unplanned shutdowns cannot be tolerated? Do we have the processes in place for operational resilience? Do we have 24/7 defense and monitoring against a ransomware event?
- Does the company have cyber insurance with provisions for extortion coverage, including investigatory costs, negotiations costs, ransom payments and other incidental losses?
- Have we defined expectations for the CISO and operational management in the cyber space and established clear accountabilities for performance?
- If the organization has a risk appetite statement, are the board’s expectations for cybersecurity and ransomware attacks incorporated therein?
- Do the metrics reported to senior management and the board provide supporting key performance and risk indicators as to how the top priority cyber risks are being managed? Do the metrics address areas that inform the CISO’s communications with the C-suite and in the boardroom?
- Can we effectively quantify the impact of a ransomware event?
- Does the transition to remote or hybrid work arrangements and reliance on virtual B2C experiences increase the risk of targeted criminal ransomware attacks and advanced persistent threats? Are we addressing the risk of criminals exploiting remote workers? Does our third-party risk management program consider potential exposure to ransomware attacks?