The plague of successful attacks means ransomware is no longer the threat that “shall not be named” in the Boardroom. Here’s what to tell your Board of Directors when they ask.
The world can debate what the long-term consequences of the recent plague of ransomware attacks on critical infrastructure will be. One thing that can’t be debated is that the recent, high-profile attacks on critical infrastructure operators put ransomware on the agenda of corporate leaders and boards of directors. In 2021, no corporate officer can plausibly claim to be ignorant of ransomware or of the risk it poses to organizations of all stripes that depend on technology, data and connectivity.
In other words: if your executive team or Board of Directors hasn’t asked you specifically about the threat posed by ransomware, they will, and soon. You need to be prepared to answer those questions; to explain your organization’s ransomware planning; and - finally - to seek the Board’s help where it is needed. Here are some tips on what to say, what not to say and when to ask for help.
We Have A Plan
The single most important message you can convey to your Board of Directors as a management team is that you have a plan for ransomware. In other words, you need to show that you understand the threat posed by disruptive ransomware - in all its dimensions - and that you and the rest of management have taken steps to prepare your organization for the eventuality (note: not the possibility) of an attack.
What does that mean practically? Regardless of the kind of organization you run, it means walking your Board of Directors through the process you have followed to identify and secure sensitive IT assets and data from cyber attacks of all kinds, including ransomware. Incidents like the Colonial Pipeline hack illustrate how ransomware attacks can disrupt operations even when the ransomware doesn’t compromise operational technology (OT). That means spotting nascent attacks early, and preventing the attackers from extending their reach to vital systems, is key.
An accurate IT asset inventory is critical in preventing breaches, as the attack on Colonial Pipeline illustrates. (That attack began with an attack on a VPN server that had escaped the notice of Colonial’s IT team.) Ransomware groups commonly leverage commodity attacks against known software vulnerabilities, so you should be able to point to robust software patching processes that ensure known vulnerabilities are patched in a timely manner. You should also have extensive network and endpoint monitoring that gives your IT security team eyes in the field to detect compromises of individual workstations, or evidence of account hijacking and lateral movement.
Finally, and most critically for ransomware, you should demonstrate to the Board that you have given thought to, and implemented, comprehensive controls on authentication. Attacks on user accounts are often the first signs of an emerging attack. You also need robust data backup and recovery procedures that include physical and cloud-based backups of sensitive on-premises and cloud-based systems.
This Ship Has A Captain
When it comes to defending against a ransomware attack, “people” and “process” are just as important as “technology” - if not more important. A key message for your Board of Directors should be that, in the event of a ransomware attack, your organization has a clear leadership structure in place, with ultimate decision-making authority in a few trusted hands and clear lines of reporting from the top down to the foot soldiers involved in incident response.
As McKinsey has noted, cyber attacks frequently require a “whole of company” approach that includes IT and security teams, but also legal, finance and human resources. Organizations that haven’t thought through such a complex operation in advance may fall down in an actual event, when team members will be under intense pressure to act.
Ideally, your organization will have a plan in place and conduct drills, like tabletop exercises, to walk the principals through likely ransomware scenarios. It is important that each team member knows their role and is familiar with the common contingencies that ransomware attacks create. Your Board should be briefed on this plan, understand their own role(s) in it and have the opportunity to provide the input and feedback necessary to fine-tune your response plan.
We’re Managing Our Risk
The other critical message to your Board of Directors is that your organization understands and has mitigated the known risks that a ransomware attack presents. Risk mitigation can take many forms. Cyber insurance is one and, at this late date, is a “must have.” Management should be in a position to make assurances that your cyber insurance policy is comprehensive and appropriate for your organization. That means it should cover the cost of recovery and incident response and also anticipate other likely costs of ransomware attacks. For example, ransomware gangs commonly tailor ransom demands to the victim’s revenues. Insurance should be adequate to cover that likely exigency and not contain carve-outs or exclusions that will leave your firm holding the bag in the event of an attack.
Cyber insurance aside, managing risk is also about thinking ahead. Establishing relationships with third-party incident response organizations is crucial. Having contracts in place with incident response specialists in advance of an attack will speed your recovery and give your organization the luxury of assessing different offerings in the marketplace. Similarly, you should enlist the services of a “crisis PR” firm in advance of any incident so that the necessary people and talents are in place before they are needed.
Finally, managing the risk of ransomware requires organizations to think through the issue of ransoms. Colonial and JBS showed that paying the ransom is something that even large, wealthy firms may resort to out of expedience, necessity, or both. But the Senate hearing featuring Colonial Pipeline CEO Joseph Blount also underscored that the topic of ransomware payments to cyber criminals is fraught. As more than one Senator pointed out: the FBI discourages firms from paying ransoms. And companies making payments to cybercriminal groups based in sanctioned countries may run afoul of Office of Foreign Assets Control (OFAC) rules and incur large penalties.
Regardless, organizations need to think through their position on paying a ransom in advance of an event. Additionally, you may contract with a firm that specializes in ransom negotiations. This is a worst-case scenario, but your Board will want to see that you’ve thought through every contingency.
We Need Your Help
Finally, management should involve the Board of Directors directly in planning around cybersecurity and ransomware. As with other business decisions, management should seek the Board’s guidance and expertise on how best to manage the competing demands of ransomware. Among them: maximum security vs. business agility and innovation, sunk costs in legacy IT infrastructure vs. the need to modernize and eliminate cyber risk, balancing competing security and compliance demands and identifying opportunities for organizational growth and investment that will enhance cyber resilience. Rather than painting a rosy picture for your Board when it comes to cybersecurity and cyber risks related to ransomware, management should look for ways to leverage the Board’s expertise and connections to help hedge against today’s risks and invest in the future.