Four (4) Questions All CFOs Should Be Asking Their Organisations About Ransomware Preparedness and Data Resiliency

I’m not sure why organisations continue to fall victim to ransomware. It might be because the wrong risk-based questions are being asked within the organisation.

The answer to the question “Are we protected and secure?” isn’t necessarily black and white. The truth is that cyber-attacks continue to evolve, and therefore, so must your security. Being “protected and secure” is now fluid.

In order to understand your risk posture to new cyberthreats, you will need to look at the issue from the bottom up while contemplating the worst possible outcome of a cyber incident as well as how fast your organisation can recover from one.

With typical cyber incidents, the worst possible outcome is a catastrophic data breach. While this is very bad, the organisation carries on. Ransomware, however, has changed the game. The worst possible outcome is now having your organisation’s operations temporarily crippled by ransomware, for days, weeks or months.

If COVID-19 taught the world anything, it is that Black Swan events will happen.

Exploring the option of holding cryptocurrency on the books in the event you need to pay off the attacker(s) might not be the best way to address the Black Swan. Based on recent volatility, that could be an expensive backup plan.

By using the roadmap below to uncover your hidden risks and weaknesses, you could potentially avoid the kind of disaster that has struck many recognisable names over the last two years.

Assess the BIG Risk: Your business is crippled and offline. How long can you survive?

In the past, a cyber-attack usually meant a data breach, after which the organisation could carry on operating. Ransomware has changed all that.

Ransomware encrypts your data, thereby restricting and removing your access to it.
Operations may continue to limp along afterwards, or could come to a complete standstill. How long could your organisation survive if forced into a standstill? One day? One week? One month?

This will be the very first question your CEO or leadership team will want answered after an attack. It is better to have an answer before an attack even happens, while things are calm, rather than in a state of panic, because you might not like, or be able to swallow, the answer.

Assess: If we are breached, where are the risks and threats?

Start with ensuring your organisation has identified the most critical processes that depend on technology.

Digital transformation initiatives continue to push organisations away from manual processes. Such initiatives often result in improved organisational effectiveness, efficiencies and improved customer experiences, to name a few. COVID-19 accelerated these initiatives.

This is generally good and progressive. It also increases your risk exposure.

A cyber-attack may render processes that are 100% digital completely inoperable, either because a manual fallback is impossible to execute or because the organisational knowledge of how to run the process manually no longer exists.

Identify the processes that depend on technology and for which a manual (i.e. paper-based) workaround is not sufficient. Determine which ones are mission critical.

For your critical processes, perform a comprehensive mapping of dependencies across technology platforms, suppliers, people and data. Assign an executive the title of Risk Owner. In doing so, you will start to understand your risk and what areas must not fall.

Review the report and assumptions. Test them. Test them regularly.

Assess: Can our controls prevent, contain, or minimize a breach?

Dive deeper into the organisation. Ensure your key people understand their risk management responsibilities associated with cyber security, and that the controls in place with key suppliers and external stakeholders, as well as within your internal technology architecture, can stop a fast-moving threat.

Areas to Explore:

  • Do business process owners understand the cyber risks?

The answer to this question is often “no.” Closing your risk exposure means your process owners need to both manage and mitigate the cyber risk.

Start with assessing if process owners understand the risks, and how to deal with systemic vulnerabilities. For example, do they have line-of-sight over the risk health of the key controls on the systems they own? Have they set up the right controls? If not, why not? Are there any identified vulnerabilities and risks that exist on the system which are unresolved?

If vulnerabilities exist, why are they not closed? Funding? Risk acceptance? Disagreement on severity? Ask each of these as a full question to flush out the real blocker, whether it is funding, acceptance or agreement on severity.

If you are not getting satisfactory responses, ask “Do we have a common framework for cyber risk decision making?” If there is no such framework, put one in place and re-run the assessment with the business process owners.

  • Are our internal infrastructures designed to prevent the spread of an attack?

Currently, the simple best practice is to create compartments or divisions between networks (network segmentation) to ensure that when one area is attacked, the rest of the organisation does not fall too. By doing so, you limit the potential damage across the organisation.

  • Assess: Do our suppliers align and match our risk and security posture?

It is common to find key suppliers who have an operational role within a critical process, or a support role (such as an equipment vendor who can remotely connect to diagnose issues). The supplier may even manage the whole process.

The threat exists because your suppliers sometimes hold “all the keys to the kingdom”. This creates an opportunity for ransomware to be introduced into your environment, sometimes by accident. If this happens to your organisation, you would not be the first to fall to an attacker via one of your partners (just ask Kaseya and SolarWinds).

Additional questions to explore:

  • Are key suppliers clearly identified? What are our baseline expectations? Are these contracted and monitored?
  • Do we need to request the suppliers’ cyber risk plans, and if so, have we tested them?

Assess: Can we recover on our terms?

It should go without saying that you never want to put your faith and dependency into the hands of a cybercriminal. Did you know that only about 8% of organisations get access to all their data after a ransomware attack?

To ensure a ransomware attack does not cripple your organisation, you need to ensure your data is resilient. Ensure the individual cyber risk assessments (including restoration testing) have been performed on your organisation’s critical processes. Ask for the report from the owners.

While this comes across as tedious, painstaking work that often gets pushed down the list as other seemingly more urgent items come up, nothing becomes more critical once an attack has happened. Test the restoration process on your terms, not the cyber criminals’ (when you may have to cross your fingers for good luck). This will expose your weaknesses.

In a perfect world, your organisation may be able to recover within hours after an attack because your recovery plan executes as expected. Many do not test the efficacy of such a plan, and therefore, often learn much too late that their backup plans failed.

  • How can you ensure your data is recoverable within a few hours?

One of the most common strategies for protecting critical operational technology / industrial systems is an air gap: a system completely isolated from, and with no connection to, other systems. For data backup, an air gap is critical for ransomware recovery, and it needs to be tested to ensure ransomware cannot ‘jump the (air) gap’.

Ransomware is a scary proposition. However, it can be mitigated with the right precautions and risk management practices in place. It requires the proper process controls, technologies and recovery plans. Spend the time today to assess preparedness in order to avoid the potential panic and scramble tomorrow.

Are Ransomware Attacks Getting Worse? Yes They Are. And the Reason May Surprise You.

Just like every business and sector, cybercrime is transforming.

Gone are the days when a single, lone hacker posed the most significant threat to your organisation. Cybercrime is evolving, shifting from that lone hacker to a coordinated crime syndicate that operates much like a startup. Unlike law-abiding startups, these cybercriminal organisations are funded for the sole purpose of extorting money from you. Several have produced returns in the hundreds of millions of dollars.

The toolset for extortion is constantly evolving too, moving away from individually built software to ‘Ransomware-as-a-Service’ offerings purchased on the dark web in exchange for a percentage of the bounty. Sadly for society, it has never been easier to get into the cybercrime game, and never more rewarding. There is still a high volume of easy ‘prey’ that will pay. Organisations keep paying the ransoms, so the criminals keep attacking, all the while improving their skills of extraction. It is simply supply and demand: basic economics that works in their favour.

The criminals’ greatest recent insight may be in how they secure paying customers.

Hackers used to extract data from an organisation and then hope for a big pay day by selling that customer data on the open market to the highest bidder. They learned that this approach was fraught with limitations. Organisations became better at shutting down extraction attempts, so hackers could not get much data to sell. Negotiating with buyers was challenging, risky and lengthy, leading to outcomes that did not produce the expected payoff.

With ransomware, the security game changed.

Rather than spending too much time extracting data from an organisation and then hoping for a big pay day by selling it to the highest bidder, cyber criminals found that one small tweak, ransomware, both limited their “no data extracted” risk and removed the challenge of a small or non-existent payoff.

Now, cyber criminals have an instant ‘highest bidder’ willing to pay immediately: the compromised organisation. Criminals figured out that ransomware creates a built-in buyer with deep pockets, namely you and your cyber insurance policy. 96.88% of all ransomware infections take four hours to successfully infiltrate their target, with the fastest infections being completed in under 45 minutes. The urgency of recovering the data quickly so that the organisation can continue its ongoing operations makes it the most willing buyer.

According to Wired Magazine (Jan 2021), the business of ransomware has set its sights on wealthy organisations willing to pay to save their reputations. If this is you, then you should be aware of the scope of the costs during the pandemic. Also be aware that only 8% of organisations that pay a ransom get back all of their data, and that 80% of those who paid a ransom experienced another attack.

The 2021 State of Security found that for a UK-based organisation, the average cost of a breach in 2021 is $4.67M, up 19.7% from 2020. The costs include detection and escalation (29%), lost business (38%), post breach response (27%), and notification (6%).

With the plethora of headlines, why are organisations (still) falling victim to cybercrime (and being forced to pay)? Do you ever wonder how they get it so wrong?

Perhaps a better question might be ‘Why does ransomware succeed when the outcomes are known to be so bad’?

Unfortunately, when it comes to a ransomware attack, organisations are often forced to pay the high ransom demanded by the crime syndicate because they learn after the attack that they were in fact highly exposed, not protected, and now no longer control their data or their destiny.

Some organisations think they can take the easy route by being all too willing to pay the ransom and then make a claim against their cyber insurance policy. In some cases, leaders are simply too trusting of the criminals and believe they will cooperate by releasing and unlocking the data. This overly trusting approach has cost many their jobs: 32% have been removed, either by dismissal or resignation, after a breach. Ouch!

Unfortunately, negotiating with cyber criminals is often a lost cause. It is believed only 8% of businesses that pay a ransom get back all of their data. These are not good outcomes!

Worse, criminals do not release your data immediately. The average length of time to regain control of the data is 21 days. That is a long time to wait, all the while the organisation is disrupted and compromised in its ability to function properly. 21 days is too long to wait without access to the data after the fee has been paid. It is certainly not the instant response many executives expect, all while dealing with downtime that could damage the organisation even more through lost revenue and reputational risk.

What are the Warning Signs that You Could Be Next?

Based on our own informal discussions and research, we’ve seen some definite patterns that, if spotted in your organisation, could serve as an indicator that you will be more prone to a successful cyber-attack:

False belief: Won’t happen here. Think again. Ask the Scottish Environmental Protection Agency. Or Serco. Or Northern Rail. Or Accenture, if it won’t happen here. All were ransomware attack victims in 2021. The new best practice is to assume you are already compromised. Doing so will drive new thinking and new priorities, and help prevent you from being the next victim of ransomware.

“My data is already backed up”: Many organisations are under the false assumption that they have a ‘copy’ of their data and can quickly restore it after a disruption. Many of those same organisations find out the hard way that their ‘backed up’ data cannot or will not restore (and are forced into paying a high ransom). Only 57 percent of businesses are successful in recovering their data using a backup. Not all backup data is the same. At TES, we know the difference.

Security near the bottom of the action list. The pandemic changed views on cyber security. Unfortunately, the impact created opportunities for cyber criminals, as more than 75% of IT teams said cybersecurity took a “backseat to business continuity during the pandemic”.

Relying too much on cyber insurance. Cyber insurance should be the last line of defence, not the first. Having strong security practices and compliance in place should mean that you never need to activate your policy. And, just like other forms of insurance, sometimes not all your costs are covered: 42% of cyber insurance claims did not cover all the losses, meaning organisations had to pay in the end.

Ignoring the human factor. The same study that found cyber security took a backseat to supporting working from home (WFH) also found that more than 30% of workers under the age of 24 admitted to outright bypassing certain corporate security policies to get work done.

There is Time. You Can Avoid a Successful Attack

Security is a multi-layer approach like medieval castles. High, hard-to-scale walls, surrounded by moats, and with roaming guards to spot and kill an intruder. Multiple systems working together for one goal.

As with all security issues, there is rarely a “silver bullet” or single step that will fully mitigate the problem. Multiple steps are needed to reasonably defend against ransomware. Some steps are designed to prevent ransomware from taking hold, while other steps reduce the impact of a breach.

Given the ubiquity and sophistication of cyber-attacks, the best position to take is to assume you are compromised. This will change the mindset inside the organisation and change its priorities to ensure the damage and risk are minimised. If you are compromised, this mindset could help you avoid the high cost of a successful attack by having deployed the right protections, training, detection systems and response plans within the organisation.

Next Masterclass: Just Say “No” to Hackers > How to Minimize the Risk of High Cost and High Operational Impact of Ransomware

Cybersecurity is complex but does not have to be with the right strategy. This #TEStalk masterclass outlines a framework that can be implemented to deploy the right mindsets, protections, detections and other tech infrastructures to minimise the risk and impact of ransomware. Register for free