The real risk of business disruption, brand damage, and potential liability caused by ransomware attacks has elevated cybersecurity from a technical or operational issue normally handled by security teams to a major Board-level priority and discussion. Even the most sophisticated and mature organizations that once believed their cybersecurity defenses were robust are now rethinking the preparedness and response capabilities required to address the imminent threat of ransomware attacks. Without a robust strategy to prepare for, respond to, and recover from ransomware attacks, organizations are left with significant exposure to financial, brand, and operational risk.
To address these challenges, the Rubrik Data Security Summit brought together leaders from both the private and public sectors to discuss how we can address the rise in ransomware. Jeffrey Phelan, Public Sector CTO at Rubrik, led a discussion with JP Calderon, SVP and CISO of PvH Corporation, Ron Pleasco, Partner of DLA Piper, and Don Clewley, Director of IT Security and Infrastructure of CHC Helicopter.
Here they discussed how different organizations’ Boards of Directors are tackling conversations on ransomware, including security, legal, risk management, and cyber insurance.
A Security Perspective:
Conversations in Boardroom meetings about cyber resilience have not kept pace with the exponential rise in ransomware attacks over the past several years. As attacks have increased, the general consensus from Boards is still split roughly 50/50 on whether they should pay the ransom.
Boards have been learning more about security best practices by working with cybersecurity experts. Despite that, there is still a lot of work left to educate Boards on the principles of a Zero Trust approach to securing their data. Historically, CISOs and other cybersecurity leaders have struggled to communicate with Boards in a language they can understand. In an effort to educate Boards on the need for Zero Trust, leaders need to articulate a practical cyber resiliency plan that addresses the Board’s business concerns.
A Legal Perspective:
As organizations continue to expand their digital footprint, their exposure to cybersecurity risk increases as well.
Despite cybersecurity being a top issue for Boards, there is “Board Fatigue” on the topic. The main challenges for the disconnect are:
The lack of preparedness for modern cyber threats.
Having the cyber preparedness discussion after an attack rather than before.
Boards and C-level want a playbook for attacks.
Whether or not to pay the ransom after a cyber attack.
Companies within the industrial goods and services sector are major targets because of their sensitivity to outages and greater likelihood of paying ransoms. Service providers are also an attractive target because of the impact an outage has on their network of customers. When manufacturers need to be working around the clock, any amount of time offline costs the organization. Because of this, organizations in this sector without proper data security are more likely to pay the ransom in the hope that it gets their operation back up and running as quickly as possible.
A Risk Management Perspective:
AI and Machine Learning can be powerful tools for Boards to utilize. It is critical to assess what opportunities there are to get ahead of ransomware. It is also critical for Boards to avoid having “data protection fatigue.” The capabilities of attackers are continuously evolving, which is why Boards are constantly hearing that they need to take preventative action in order to prepare for these threats.
Boards cannot dismiss the threats posed by ransomware gangs as they continue to grow across many industries. In order to best protect their data, Boards should prepare a cyber resilience and ransomware recovery plan that addresses their weaknesses. Cyber hygiene will be important for staying on top of threats, in addition to practicing data recovery in the event of an attack.
A Cyber Insurance Perspective:
Cyber insurance companies were forced to reevaluate how they underwrite these risks after absorbing losses from ransomware payouts. To combat this, insurance companies are hiring cyber experts to go deep on their questionnaires before underwriting policies. Surface-level questions no longer provide enough information to insurance companies.
It is no longer enough to request insurance without verification. When organizations are hit with multiple ransomware attacks, cyber insurance premiums will increase, if they even qualify for a policy. Insurance companies are going to start asking for proof on the insurance questionnaires to properly quantify what companies mean in their answers.
Company Boards Must Act Now
The explosive growth of ransomware attacks has caught companies by surprise, and Boards have not yet felt the sense of urgency around ransomware. Boards that lag behind will eventually catch up as standards for risk measurement and best practices to mitigate threats allow them to understand what is at stake.
In an effort to create an industry standard for measuring risk, insurance companies need to establish a weighting system that provides visibility and transparency at all levels. One goal could be for companies to build muscle memory around these prevention and recovery plans.
But mitigating the growing risk of ransomware does not require waiting for industry standards and guidance. Company boards must act now to start thinking about preparedness and response strategies for ransomware. To learn more, view the Data Security Summit on-demand here.