Four (4) Questions All CFOs Should Be Asking Their Organisations About Ransomware Preparedness and Data Resiliency

I’m not sure why organisations continue to fall victim to ransomware. It might be because the wrong risk-based questions are being asked within the organisation.

The answer to the question “Are we protected and secure?” isn’t necessarily black and white. The truth is that cyber-attacks continue to evolve, and therefore, so must your security. Being “protected and secure” is now fluid.

In order to understand your risk posture to new cyberthreats, you will need to look at the issue from the bottom up while contemplating the worst possible outcome of a cyber incident as well as how fast your organisation can recover from one.

With typical cyber incidents, the worst possible outcome is a catastrophic data breach. While this is very bad, the organisation carries on. Ransomware, however, has changed the game. The worst possible outcome is now having your organisation’s operations temporarily crippled by ransomware, for days, weeks or months.

If COVID-19 taught the world anything, it is that Black Swan events will happen.

Exploring the option of holding cryptocurrency on the books in the event you need to pay off the attacker(s) might not be the best way to address the Black Swan. Based on recent volatility, that could be an expensive backup plan.

By using the roadmap below to uncover your hidden risks and weaknesses, you could potentially avoid the kind of disaster that has hit many recognisable names over the last two years…

Assess the BIG Risk: Your business is crippled and offline. How long can you survive?

In the past, a cyber-attack usually meant a breach after which the organisation could carry on. Ransomware has changed all that.

Ransomware encrypts your data, thereby restricting and removing your access to it. Operations may continue to limp along afterwards, or could come to a complete standstill. How long could your organisation survive if forced into a standstill? One day? One week? One month?

The answer to this question will be the very first thing your CEO or leadership team will want to know after an attack. It’s better to have that answer before an attack happens, when things are calm, rather than in a state of panic, because you might not like the answer or be able to swallow it.

Assess: If we are breached, where are the risks and threats?

Start with ensuring your organisation has identified the most critical processes that depend on technology.

Digital transformation initiatives continue to push organisations away from manual processes. Such initiatives often result in improved organisational effectiveness, efficiencies and improved customer experiences, to name a few. COVID-19 accelerated these initiatives.

This is generally good and progressive. It also increases your risk exposure.

A cyber-attack may render processes that are 100% digital completely inoperable, either because a manual process is impossible to execute or because the organisation no longer has any memory of how to run the process manually.

Identify the processes that depend on technology and for which a manual (i.e. paper-based) workaround is not sufficient. Determine which ones are mission critical.

For your critical processes, perform a comprehensive mapping of dependencies across technology platforms, suppliers, people and data. Assign an executive the title of Risk Owner. In doing so, you will start to understand your risk and what areas must not fall.

Review the report and assumptions. Test them. Test them regularly.

Assess: Can our controls prevent, contain, or minimise a breach?

Dive deeper into the organisation. Ensure your key people understand their cyber security risk management responsibilities, and that the controls in place at key suppliers and external stakeholders, as well as in your internal technology architecture, can stop a fast-moving threat.

Areas to Explore:

  • Do business process owners understand the cyber risks?

The answer to this question is often “no.” Closing your risk exposure means your process owners need to both manage and mitigate the cyber risk.

Start with assessing if process owners understand the risks, and how to deal with systemic vulnerabilities. For example, do they have line-of-sight over the risk health of the key controls on the systems they own? Have they set up the right controls? If not, why not? Are there any identified vulnerabilities and risks that exist on the system which are unresolved?

If vulnerabilities exist, why are they not closed? Funding? Acceptance? Agreement on severity?

If you are not getting satisfactory responses, ask “Do we have a common framework for cyber risk decision making?” If there is no such framework, put one in place and re-run the assessment with the business process owners.

  • Are our internal infrastructures designed to prevent the spread of an attack?

Currently, the simple best practice is to create compartments or divisions between networks so that when one area is attacked, the rest of the organisation does not fall too. By doing so, you can mitigate potential damage across the organisation.

  • Assess: Do our suppliers align and match our risk and security posture?

It is common to find key suppliers who have an operational role within a critical process, or a support role (such as an equipment vendor who can remotely connect to diagnose issues). The supplier may even manage the whole process.

The threat exists because sometimes your suppliers have “all the keys to the kingdom”. This provides the opportunity for ransomware to be introduced into the environment, sometimes by accident. If this happens to your organisation, you wouldn’t be the first to fall to an attacker via one of your partners (just ask Kaseya and SolarWinds).

Additional questions to explore:

  • Are key suppliers clearly identified? What are our baseline expectations? Are these contracted and monitored?
  • Do we need to request our key suppliers’ cyber risk plans and, if so, have we tested them?

Assess: Can we Recover on our Terms?

It should go without saying that you never want to put your faith and dependency into the hands of a cybercriminal. Did you know that only about 8% of organisations get access to all their data after a ransomware attack?

To ensure a ransomware attack does not cripple your organisation, you need to ensure your data is resilient. Ensure the individual cyber risk assessments (including restoration testing) have been performed on your organisation’s critical processes. Ask for the report from the owners.

While this comes across as tedious, painstaking work that often gets pushed down as other seemingly more urgent items come up, nothing becomes more critical after an attack. Test the restoration process on your terms, not the cyber criminals’ (when you may have to cross your fingers for good luck). This will expose your weaknesses.

In a perfect world, your organisation may be able to recover within hours after an attack because your recovery plan executes as expected. Many do not test the efficacy of such a plan, and therefore, often learn much too late that their backup plans failed.

  • How can you ensure your data is recoverable within a few hours?

One of the most common strategies for protecting critical operational technology / industrial systems is to use an air gap, meaning the system is completely isolated from, and has no connection to, other systems. For data backup, this is critical for ransomware recovery, and it needs to be tested to ensure ransomware cannot ‘jump the (air) gap’.

Ransomware is a scary proposition. However, it can be mitigated with the right precautions and risk management practices in place. It requires the proper process controls, technologies and recovery plans. Spend the time today to assess preparedness in order to avoid the potential panic and scramble tomorrow.