C-suite executives and business leaders are most concerned about being exposed to regulatory sanctions, such as fines, over and above the loss of data or intellectual property (IP) and other consequences, in the wake of a ransomware attack, according to new data from cyber pro association (ISC)².
In a study titled Ransomware in the C-Suite: What cybersecurity leaders need to know about what executives need to hear, (ISC)² set out to provide its members in the trenches with insights into what their bosses are thinking, and how leadership perceive their organisations’ readiness to deal with a ransomware attack.
“With this study, we wanted to provide deeper insights from executives who are ultimately responsible for protecting their organisations from ransomware,” said Clar Rosso, CEO of (ISC)².
“The study gives cyber security professionals a window into what their C-suite cares about when it comes to the potential impact of ransomware,” she said. “Knowing this, and by tailoring their ransomware education and risk reporting accordingly, security teams can get the support they need to mitigate this high-profile risk to their organisation.”
(ISC)² found that high levels of confidence in the overall preparedness of security teams, which has in fact grown slightly during 2021 despite the spike in ransomware hits during the period – 71% feel they are well prepared, up from 69% last year.
In terms of dealing with the fall-out from a ransomware attack, 38% feared regulatory sanctions the most, followed by IP and data loss (34%).
These were followed equally by concerns about loss of confidence among employees, loss of business due to systems outages, uncertainty about the organisations’ ability to recover data even if they paid a ransom, and reputational harm.
(ISC)² also asked C-suite respondents about the most critical information they need from their cyber teams on ransomware. The top concerns here were ensuring data backup and restoration plans were not impacted (38%), restoring minimum viable ops following an attack (33%), and preparation to engage with law enforcement (32%).
(ISC)² said its data also showed strong willingness to invest in security technology and staff where needed, but perhaps more importantly also underscored an evident need for clear and frequent communications between security leaders and key executives.
To this end, (ISC)² has listed five actions security leaders can take:
To increase communication and reporting to organisational leadership;
To temper overconfidence if or as needed;
To tailor messaging appropriately;
To properly develop business cases for cyber investment, whether in tech or people;
And to make it clear that defending against ransomware is a collective responsibility that does not just fall to security teams.
Ransomware is thought to have cost UK organisations almost £350m per annum, with the average cost of a cyber attack coming in at just over £4,100, according to figures from cyber firm Core to Cloud.
Investment required
At a recent event hosted by the firm, attendees heard how one of the best preventative strategies against ransomware is to detect and defend against it from the earliest stages of an attack, but that doing so requires more investment in cutting-edge defences rather than relying on legacy threat intelligence technology that uses information derived from commodity or other known attacks.
“The key to ending ransomware attacks is to minimise the period between the moment when a ransom ops attack first infiltrates an environment and the moment when the security team can detect and end it,” said Cybereason senior sales engineer Adrian Culley, a speaker at the event.
Core to Cloud said defenders should concentrate on four key pillars to minimise damage from ransomware attacks:
Visibility – maintaining a holistic view of the network at all times to uncover hidden threats and better understand what needs protecting;
Validation – conducting regular penetration and stress testing;
Governance and control – implementing clear measures to ensure a consistent cyber strategy across the organisation;
Incident response, implementing a clear and organised approach to event management should the worst happen.