The vast majority (86.7%) of C-suite and other executives say they expect the number of cyberattacks targeting their organizations to increase over the next 12 months, according to a recent Deloitte poll. And while 64.8% of polled executives say that ransomware is a cyber threat posing major concern to their organizations over the next 12 months, only 33.3% say that their organizations have simulated ransomware attacks to prepare for such an incident.
More than 50 C-suite and other executives were polled online during a webcast held on June 24, 2021 about cyber threat detection and response. Participating executives held leadership roles in areas including corporate boards (36.7%), IT (34.4%), risk management (12.2%) and security and privacy (6.7%).
According to Deloitte, questions leaders can ask to gauge their organizations' ransomware preparedness include:
- Does our organization's cyber incident response plan address ransomware attacks specifically? Leading organizations have developed and tested cyber incident response plans, but not every organization has one and not all directly address the nuances of ransomware attacks.
- Has our organization considered adopting Zero Trust to help bolster cybersecurity against ransomware and other threats? Removing automatic or inherited trust given to users, workloads, networks, and devices can help organizations shore-up security gaps created by digital transformation, M&A activity, rapid cloud adoption and continued remote work that ransomware actors frequently take advantage of.
- Does our organization fully appreciate how ransomware attackers could exploit our use of emerging technologies to propagate attacks? Are we leveraging emerging technologies to better protect our organization from those threats? Certain technologies that companies are implementing as part of their digital transformations appear to benefit attackers in a number of ways, but defenders can use them to their organization's advantage as well. It's important for companies to understand how these technologies may increase their cyber risk exposure and how defenders could use them to improve security.
- How does our organization test for ransomware vulnerabilities? Frequent penetration testing can help identify attack surface vulnerabilities and paths to critical systems and assets, while business continuity/disaster recovery testing can confirm that redundant backups are ready to support business resiliency if needed. As ransomware can propagate throughout a technology infrastructure, traditional backup and recovery plans may not be sufficient. Further, testing ransomware incident response plans via simulations or other approaches can help leaders across an organization build "muscle memory" around roles, responsibilities and protocols in the event of an attack.
- Does our organization conduct threat hunting to help manage ransomware risk? Leading organizations are starting to take the offensive in cyber risk management by proactively working to identify new attack patterns and new attackers before they can potentially cause damage. By uncovering undetected ransomware, malware or other cyber threats, potential effects can be investigated and remediated in a timely manner.
Tim Wade, Technical Director, CTO Team at Vectra, says, "Awareness of security issues by the C-Level has increased in recent times if for no other reason than the impossibility of ignoring ransomware attacks – security programs that routinely failed to detect adversaries whose modius operandi was simply data exfiltration without environmental disruption could continue their ineffectiveness without cause for course correction. Ransomware changed that. C-Level support is essential to prepare an organization to withstand a ransomware attack because it involves the will to fundamentally change the way legacy IT is conducted – shifting from a set-and-forget preventative security posture, to one that emphasizes resilience by detection and responding to an attack before material damage is done. Without top-cover, this paradigm shift in how an organization manages cyber risk will almost certainly die on the vine."
However, getting security buy-in no easy task. It is always challenging for executives who may only see the problem in terms of costs for new tools or personnel, explains Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows. Nikkel says, "It may be a case of spelling out the threat regarding potential losses in a ransomware attack. No one thinks they will be a target until they become a target, and it is at that point that building a response plan is too late."
Today's ransomware payouts far outweigh the cost of developing incident response capabilities, having playbooks planned and practiced, or developing security policies to combat the problem, Nikkel adds. "Security teams may have to show the potential return on investment for a security tool or procedure, compared to the possible repercussions — essentially that a "stitch in time saves nine." Once you consider the thousands to millions of dollars required to respond to an incident and the potential public fallout, a small early investment can have some actual savings that the C-level should consider."