Boardroom 101: How to brief C-Suites on ransomware

Ransomware is now one of the highest priorities for boards globally. C-Level personal accountability stands at an all-time high. In the past, boards largely focused on cyber risk compliance issues. This approach satisfied tick-box challenges but did not address the root causes. Today a new strategic direction has been borne out of the current world in which we operate. A scarcity of human and financial resources – coupled with the pandemic’s facilitation of global remote working – means that organisations are now considering an approach that builds cyber resilience via a culture of security. The current wisdom is that you cannot spend your way out of a security situation. And this is largely a good thing. With this in mind, it’s important that those in C-Suite positions are prepared for the potential questions that could follow a ransomware infection – from shareholders, legislators or lawmakers. Here’s some language to use when communicating with the C-Suite to help them prepare for the increasingly likely worst-case scenario, while planning for the best. Below, some of the likely questions are outlined. These are worth preparing for in advance of speaking to the board about cybersecurity: How will you rebuild, restore, and recover – and who will make the important decisions? Here, the important thing to consider is that the only real way to understand how an attack scenario will play out is by adhering to that old adage: practice makes perfect. Undergoing regular tabletop exercises that are relevant to the organisation will help the stakeholder anticipate the most likely attack scenarios. Security teams should also operate from a worst-case perspective that they have lost access to all of their data. This can best be understood by rebuilding the system from the ground up, which will also aid in establishing the attacker’s route into the network. Who has critical access rights? Understanding this will help to streamline the process for rebuilding and will make the process significantly less cumbersome. This best practice exercise will help organisations to understand who has access to the relevant data in the event that they need to recover from an infection. These assessments should take place more frequently than once a year and security teams should be prepared to tell the board when the exercise was last performed. How do you know the signs of a ransomware infection? The board will undoubtedly ask this question. If they are already spending money on security products which are failing to stop and to track a ransomware infection, then they are well within their rights to ask. For this reason, it is important to understand the company’s critical assets, access controls, and the direction to take if a breach does happen. Understanding these processes in advance will mean that in the worst case of an event, the board feels that there is an incident response process in place to limit the damage. How will you avoid knee-jerk or impulsive reactions? Do you have an incident response plan – and when was it last updated? The key thing is to view ransomware as no different from any other type of malware, adware, or spyware. The same incident response plans need to be applied to ransomware, with the third parties who can help with recovery on retainer so that they can move quickly if necessary. This will help to avoid the opportunities to make impulsive and rash decisions based on the emotional responses to a crisis such as ransomware. Most of these incidents attempt to capitalise on the fact that organisations have not been practising the basics – and countering this received wisdom is among the best forms of defence. For example, premature restoration could miss something, or could also delete crucial evidence for a potential internal or external audit which will be likely to happen at a later date. The temptation can be to wipe everything and start again, but this impulse needs to be avoided to preserve forensic evidence. When was the last time your backup and recovery process was tested? One of the questions the board needs to be asking regards the importance of practicing backup exercises. Despite it sounding paranoid, it is worth doing this on a quarterly basis. It can be done without the need for extensive (and expensive) levels of third-party reports, and will help to gain a better understanding of the most critical elements of data and systems before a serious event can occur. Conclusion: Fail to prepare, prepare to failIn post-breach scenarios, companies are prone to purchasing a lot of solutions, but we need to move past this band-aid approach. Hindsight can be a good thing – use time now for proactive planning. Use the rule of 5 Ps - plan, prepare and practice, practice, practice! Not being prepared in a ransomware scenario could make costs significantly higher. When I started my career in cybersecurity, it was virtually unheard of that an incident such as ransomware would have become a part of mainstream business conversations, but this is now the reality of the situation: the threat exists, it is persistent, and it is unlikely to go away any time soon. Understanding that most organisations will become a target and making sure that the board is confident that you can answer all of the questions above will go a long way in ensuring robust security leadership.Bindu Sundaresan is director at AT&T Cybersecurity.Read more: 11 crystal ball cyber predictions for 2022

Your cyber intelligence source

Boardroom 101: How to brief C-Suites on ransomware

Related content

Onwards and Upwards – The CISO Role is Evolving

Rapid7 Announce Intent to Acquire Noetic Cyber

CISOs Acknowledge Business Friction with Leaders

#infosec24: Three Days of Learning, Advancement and New Names

Everfox in Definitive Agreement to Acquire Garrison Technology

#AWSreInforce Establish Security Culture to Sustain Your Business

#Infosec24: Claire Williams Talks F1 Learning Points and Business Decisions

Upcoming Events

Boardroom 101: How to brief C-Suites on ransomware

Related content

Onwards and Upwards – The CISO Role is Evolving

Rapid7 Announce Intent to Acquire Noetic Cyber

CISOs Acknowledge Business Friction with Leaders

#infosec24: Three Days of Learning, Advancement and New Names

Everfox in Definitive Agreement to Acquire Garrison Technology

#AWSreInforce Establish Security Culture to Sustain Your Business

#Infosec24: Claire Williams Talks F1 Learning Points and Business Decisions

Upcoming Events

Confirm cancellation

Sign up benefits