Ransomware: Analysing Risk and Protecting Critical Assets

Ransomware is a current threat many people are struggling to understand and manage. Amid the headlines and uncertainty, how can the board respond strategically?

Reputation damage, hefty ransoms and business continuity are all concerns with ransomware. But the core of the conversation is about the potential loss of intellectual property and customer information and the specter of unpleasant dealings with criminals and other parties who may or may not be sponsored by nation-state actors. The market still doesn’t know the number and full scope of these attacks, as few companies victimised by them are eager to share their experiences. However, estimates of total ransomware costs in the United States run as high as $20 billion in 2021. Several things are clear: Few companies are fully protected and no company feels safe from ransomware. And every company, regardless of size or location, is vulnerable.

Today’s ransomware threat actors focus on disruption. Their model is to rapidly penetrate, exfiltrate, encrypt and then demand ransom, all within a matter of minutes. Victims refusing to pay extortion must prepare for public disclosures of exfiltrated data. Bottom line, rogue players end up controlling the enterprise.

As attacks, and the attackers themselves, become increasingly sophisticated and the consequences continue to magnify, companies must learn and respond in kind. To adapt confidently to this evolving threat landscape, they must combine operational resilience, cyber threat intelligence and cybersecurity. But this isn’t easy. There are many moving parts to consider when building a robust, coherent and dynamic cyber defense system that responds to the attack landscape with focus and speed.

Given the complexity and dynamics of ransomware exposures, what can board members do to help their organisations meet the challenge of analysing risk and protecting critical assets? Following are four suggestions:

As CISOs perform a role so essential to the hygiene and security of some of the enterprise’s most important assets, the board needs to do its part to instill confidence in the CISO by clarifying expectations, educating itself on the issues, allowing sufficient agenda time for discussion and paying attention when additional resources and budget are requested. By conveying their concerns, directors assist the CISO in focusing preparations, priorities and metrics for the boardroom. If the board allots limited agenda time to the cyber discussion, the board or committee chair should let the CISO deliver the message in response to the stated expectations and take questions requiring a more detailed response offline. Ideally, the CISO should be positioned as a strategic partner at the board level, with necessary interfaces between meetings with interested directors and active support from the board chair and CEO.

When a ransomware attack occurs, the full board often owns the matter and is engaged until the issue is resolved and the system’s structural integrity is restored. The maintenance of that integrity going forward is the primary focus of either the full board or a designated board committee. While the CISO owns the plumbing underlying operational response and management is responsible for its effectiveness, directors should expect to gain confidence from the CISO’s briefings that the response plan going forward and any third-party vendors engaged to assist in its implementation reflect the lessons learned from past attacks and continuing assessments of the threat landscape. As technology is now a strategic conversation, the board should periodically assess whether it needs access to additional expertise — either as a member of, or an objective adviser to, the board. Relevant options for structuring board inquiries depend on the severity of the threat landscape, the role of technology in executing the company’s business strategy, and the sensitivity of the systems and data supporting the business model.

Many boards seek to understand how ransomware attacks have occurred elsewhere and whether cybercriminals could exploit those same methods in their organisations. Directors should not underestimate the importance of asking the right questions of management on situational awareness, strategy and operations, insider threats, incident response, and related topics. For ransomware, directors should focus on compromise assessment and incident response and preparedness. But in addition, the focus should be on an end-to-end view of the enterprise. A ransomware attack on third parties handling mission-critical systems and sensitive data can stop the show, just as a direct attack on the company can.

Relevant metrics might include the number of system vulnerabilities, the length of time required to implement patches, the number of breaches, attacker dwell time (the length of time it takes to detect a breach), the length of time it takes to respond to a breach, the length of time it takes to remediate audit findings, the percentage of breaches perpetrated through third parties and the number of violations of security protocols. Attacker dwell time is particularly critical to a ransomware attack. The longer attackers remain undetected in a network, the more likely they will be able to find systems and resources they can leverage for ransom. The CISO’s reporting and metrics should inform board communications and be integrated into the overall enterprise risk management (ERM) dashboard.

Today’s ransomware attackers often are well-funded, possess business savvy and are highly skilled in hacking methods. And they’re playing tough. While the board isn’t responsible for day-to-day operational details, its duty-of-care responsibilities in the cyber space are significant given the sensitivity of data and the value to shareholders of the company’s intellectual property, reputation and brand image.


(Board Perspectives — Issue 143)