BACKGROUND:
New poll results from Deloitte (press rls. & poll results linked at bottom) signal a vast majority (86.7%) ofC-suite and other executives say they expect the number of cyberattacks targeting their organizations to increase over the next 12 months. While 64.8% of polled executives say that ransomware is a cyber threat posing major concern to their organizations over the next 12 months, only 33.3% say that their organizations have simulated ransomware attacks to prepare for such an incident.
<p>It isn’t easy for the C-suite to connect the threat back to the business risk and impact; then trying to determine if the threat is likely enough to warrant resources to protect against it.</p>
<p>Safeguarding against a ransomware attack goes beyond one plug and play security solution. The depth of security controls extends to their people, process, and the technology in the infrastructure of that organization. A good starting place for the C-Suite team is to consider a Business Impact Analysis (BIA) assessment. A BIA can help an organization identify their \"crown jewels\" and help them figure out how to respond if the scenario of ransomware were to occur.</p>
<p>There is no board that is NOT aware of the cyber threats and attacks on enterprises. Where they miss is on what actions that these enterprises need to execute to actual secure their enterprise against a breach or limit the severity of the next breach. There’s a lack of focus on matters of prioritization.</p>
<p>The C-level assumes that issues such as security are being dealt with because they have budgeted resources for this activity. What is often not clear to the board is how much of these resources are being consumed by activities that are not contributing to the prevention of ransomware and other attacks – but instead are going to data collection and documentation or to compliance measures. Both activities need to be executed and quantified with efficiencies that help ensure compliance is being implemented in ways that allow team members to focus on security.</p>
<p>Many executives still have the mindset that their company is most likely not on the radar for threat actors, and think “Why would they want to come after us?”. And this mindset can be due to the misbelief that they are not in possession of customer information – so why would they be a target? They forget that threat actors deploying ransomware are in the business of corporate extortion – to sell you the decryption mechanisms once they’ve encrypted your data. </p>
<p>C-level awareness of security issues has grown since such issues have been in the mainstream media particularly as they affected critical infrastructure. Besides, organizations that are in regulated environments are expected to provide C-level support and participation and support. Organizations are beginning to come to terms with the fallout of not having good security controls, procedures and standards.</p>
<p>The C-suite’s role in security is important and includes the responsibility for helping to secure funding for security efforts along with mandating or prioritizing such efforts. The C-suite – with backing from the board of directors – understands the reputation fallout that could potentially occur in the event they become a target and it’s publicized.</p>
<p>Many C-level executives do not yet consider ransomware threats a cross-function business issue for them to be actively involved. Their awareness has increased a fair amount – mainly due to the increased media coverage of security breaches in recent times.</p>
<p>C-level support is extremely important in preparing an organization to withstand a ransomware attack. Support from the C-level signifies that the company is serious and committed in its ransomware defense. It also helps to secure the right amount of necessary resources for technology or process improvements.</p>
<p>Security through obscurity. That\’s what most organizations believe, or at least hope for. They simply don’t think they will be noticed by hackers if they keep their heads down. Plus, most senior leaders simply don’t know what they don’t know about security. They are reading news about enterprises and even governments paying millions of dollars to get their systems decrypted, and they wonder if the next article will be about their organization.</p>
<p>C-level executives who approach the problem of ransomware rationally, asks questions of IT staff and security professionals, and approves and implements realistic mitigation strategies will find their organization best prepared to detect early and resolve potential ransomware issues. They should stay informed of security/ransomware trends, and understand the costs and implications of system and network loss for ransom.</p>