The vast majority (86.7%) of C-suite and other executives say they expect the number of cyberattacks targeting their organizations to increase over the next 12 months, according to a recent Deloitte poll. And while 64.8% of polled executives say that ransomware is a cyber threat posing major concern to their organizations over the next 12 months, only 33.3% say that their organizations have simulated ransomware attacks to prepare for such an incident.
Tim Wade, Technical Director, CTO Team at Vectra, says, "Awareness of security issues by the C-Level has increased in recent times if for no other reason than the impossibility of ignoring ransomware attacks – security programs that routinely failed to detect adversaries whose modius operandi was simply data exfiltration without environmental disruption could continue their ineffectiveness without cause for course correction. Ransomware changed that. C-Level support is essential to prepare an organization to withstand a ransomware attack because it involves the will to fundamentally change the way legacy IT is conducted – shifting from a set-and-forget preventative security posture, to one that emphasizes resilience by detection and responding to an attack before material damage is done. Without top-cover, this paradigm shift in how an organization manages cyber risk will almost certainly die on the vine."
However, getting security buy-in no easy task. It is always challenging for executives who may only see the problem in terms of costs for new tools or personnel, explains Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows. Nikkel says, "It may be a case of spelling out the threat regarding potential losses in a ransomware attack. No one thinks they will be a target until they become a target, and it is at that point that building a response plan is too late."
Today's ransomware payouts far outweigh the cost of developing incident response capabilities, having playbooks planned and practiced, or developing security policies to combat the problem, Nikkel adds. "Security teams may have to show the potential return on investment for a security tool or procedure, compared to the possible repercussions — essentially that a "stitch in time saves nine." Once you consider the thousands to millions of dollars required to respond to an incident and the potential public fallout, a small early investment can have some actual savings that the C-level should consider."