Ransomware is not solely a technology or security problem. A ransomware attack is far more significant than merely a technology breach, as it can affect an entire business.
In the immediate aftermath of a ransomware attack, organisations should adjust mindsets around the role of security for both technical and business decisions. The existing recovery strategies tuned to traditional business continuity plans are insufficient.
Our research found that attacks are on the rise and that 20% of costs associated with all incidents were attributed to brand reputation damage. The recommendation? Get the balance right between security efforts and alignment with the business strategy. Overall, a modern ransomware and extortion response should be treated as a business risk prioritising effective crisis management across the enterprise.
The need for greater alignment
Here are three key challenges that highlight the need for greater alignment between security and the business before, during and after a cyber crisis event:
Traditional crisis response plans need to evolve – ransomware is a business risk, not simply a security problem
Recovery strategies in traditional business continuity and disaster recovery plans are no longer enough to deal with modern ransomware attacks. Security teams’ current approach to incident response typically involves solving the technical investigation aspects of an attack, but attacks are not just a security problem. The incident response must also consider critical business processes and how they impact recovery priorities. Prioritising and stabilising essential operations and systems can help prevent additional downstream financial, reputational, operational and physical impacts.
Organisations should evolve traditional business continuity and incident response approaches and develop one cohesive plan that identifies the priorities for the whole business, problem-solve the big picture and better prepare for swift and inclusive business recovery. By adopting a robust communications plan, leaders can tackle ransomware for what it is—a crisis that needs to be handled in a business-focused manner.
Existing crisis communications plans lack the transparency and agility to adapt to new cyber complexities.
Ransomware incidents are disruptive and need an effective communications plan. Regular updates shared with internal and external stakeholders are essential to get ahead of any unfolding story. Understanding the unique demands of an industry, its regulations and notifications and disclosures that apply are fundamental.
Organisations must be open and honest about what has happened and what happens next and collaborate with security professionals, legal teams and the organisation’s broader ecosystem to ensure a structured approach and that they act transparently. Key questions include what happened when it happened, what we know, who was impacted and how, what are we doing about it, and what is next.
Ransomware is borderless – it impacts the enterprise, extended ecosystem and multiple stakeholders.
Ransomware has become a persistent threat, with law enforcement and the government becoming increasingly involved. Threat actors have evolved tactics, such as stealing data and extorting a victim by threatening to disclose stolen data. Today, attackers can buy access and malware and execute a ransomware attack by becoming an “affiliate” of a ransomware-as-a-service (RaaS) program available on criminal forums.
The compressed transformation has often extended the attack surface, evidenced by the triple-digit increase in attacks observed in 2021. Therefore, any crisis response strategy should consider the stakeholders affected, such as customers, corporate subsidiaries, suppliers, trusted third parties, financial investments, and merger and acquisition targets.
Get the CEO and board on board
Testing and validating attack prevention, detection, response and recovery is a way of life for most organisations. Still, drawing on the CEO and Board can enhance this practical step.
Tabletop exercises are generally undertaken by security personnel. By evolving such practices to include executive-level simulations, organisations can test their defences against a typical ransomware attack and introduce the risk and adrenalin of a “real-life” attack scenario. For example, executives may be told three lines of business are down due to an attack where a threat actor asks for $10-million.
Executives are asked to determine in real-time which business should be recovered, how they communicate their response and who is responsible for making those decisions.
To make the process easier, Accenture has developed the following ransomware response and recovery approach to handling cyber crisis communications:
- Triage and prepare: Identify impacted parties and align on reporting objectives, tone, timing, audience and notification requirements.
- Develop and approve: Develop messaging aligned to the communications strategy, identify mediums for each stakeholder group and obtain approvals.
- Posture and deploy: Reinforce messaging, train employees, set up monitoring and deploy a vertically integrated communications task force.
- Monitor and evaluate: Employ an agile approach to evaluating and iterating through updates based on defined metrics, sentiment analysis, media outreach, and financial and brand impact.
So, ask yourself, are you ready? The evolution of ransomware and extortion events requires a different way of thinking – business- and security-focused. With more agile, robust and transparent crisis management capabilities, organisations can handle ransomware events better and improve overall cyber resilience.