High ranking business executives say ransomware is a major concern to them but their organisations are unprepared to do anything about it.
Those were the findings of a poll released Monday by consulting and advisory services firm Deloitte.
Nearly two-thirds (64.8 percent) of the 50 C-level and other executives polled by Deloitte revealed that ransomware will be a major concern to their organisations over the next 12 months, but only a third of the corporate leaders have simulated an attack to prepare for such an incident.
“Over the past 12 to 18 months, executives across industries and sectors have witnessed — and increasingly experienced first-hand — the jaw-dropping frequency, sophistication, cost and both economic and operational impacts of ransomware attacks,” Deloitte Managing Director Curt Aubley said in a statement.
“As some ransomware can evade antivirus tools and attackers find more ways to pressure victims to pay ransoms, these attacks often have national and global repercussions,” he continued. “There’s no time to waste when it comes to honing and testing incident response programs for ransomware and other cyber events.”
Security by Obscurity
Most organisations believe in security through obscurity, observed Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“They simply don’t think they will be noticed by hackers if they keep their heads down,”
That head-in-the-sand attitude is especially prevalent among smaller and less mature organisations, noted Allie Mellen, a security and risk analyst at Forrester Research.
Ransomware is an equal opportunity attack. It targets large and small businesses equally. There are a number of ransomware groups that just target whatever they can get. They’re very opportunistic.
Groups specifically shy away from big game hunting because of the potential geopolitical impact it can have. They are attacking smaller organisations or individual consumers. Those attacks aren’t as high profile now because of the publicity the ransomware attacks on larger organisations are getting.
Chenxi Wang, founder and general partner of Rain Capital, a venture capital firm, maintained most C-level executives are putting ransomware in an IT silo and underestimate its threat to an entire business.
“Many do not yet consider ransomware threats a cross-function business issue for them to be actively involved in,”
Translating cyber risk into business risk is a general problem, noted Brandon Hoffman, chief security officer for Intel 471, a cybercrime intelligence provider.
“In the past, the sky lining of cyber events has been viewed as gambits to obtain budget for a business unit without a clearly defined ROI,”
“The current exposure and coverage related to ransomware doesn’t appear to have significantly moved the needle,”
“It may also be that executive teams feel that their cyber insurance is the gap coverage to areas they can’t really operationally fix, but this viewpoint is equally dangerous,” Hoffman added.
Chris Clements, vice president of solutions architecture for Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz. agreed that a defense strategy that leans on cyber insurance is a short-sighted one.
“Cyber insurance may pay out to help offset the costs of paying a ransom, but that’s never guaranteed,”
“Very often a ransomware attack means that business stops completely; rendering the victim unable to deliver service to their customers,” he said. “I don’t think enough executives take that into account when planning their cybersecurity strategy.”
“Your business could come to an abrupt stop and may not restart for days or even weeks afterward leaving employees idle, customers without products or services, and significant revenue losses,” he explained. Waikato DHB is a recent, local example of what happens.
“The same way that car insurance isn’t a substitute for seatbelts or airbags,” he continued, “cybersecurity insurance isn’t a replacement for implementing critical security controls.”
“Recognising the seriousness of the ransomware threat is easy,” added Cherise Esparza, CPO, CTO and co-founder of SecurityGate, a cybersecurity software company in Houston.
“What isn’t easy is connecting the threat back to the business risk and impact, then trying to determine if the threat is likely enough to warrant resources to protect against it,”
Personal Accountability Needed?
One way to close the awareness-preparedness gap is to give C-level executives a taste of life during a crisis.
Having the executive team spend a day actively responding to a ransomware incident that includes mock press interviews, releasing update emails to customers and partners, and crisis management, seems to focus minds and reinforces that a cyber incident affects all parts of the business.