Cybersafetyconnections May 16, 2022, Vol#67
- Ransomware, continued from last week; this time executive leadership team involvement is highlighted.
- Ransomware attacks have happened, are happening and will happen, and you need a cross-disciplinary team and a mode of communication in place for when one happens.
- How the executive leadership team can get involved in the readiness plan.
Still on ransomware attacks from last week’s blog.
2021 and early 2022 were filled with cyberattack incidents, and organizations' public relations teams had to explain to the public how each cyberattack happened and how to regain consumer confidence. A survey showed 37 percent of organizations suffered a cyberattack last year.
No More Hands-Off Policy
The executive leadership team can no longer delegate the responsibility for cybersecurity to the Chief Information Security Officer (CISO). Whether true or not, according to a survey, 40 percent of the public regard the CEO as the one held responsible for a ransomware attack, and 36 percent of those attacks could cause the loss of C-suite talent.
The executive leadership team is taking a more active role in the ransomware scene and no longer simply delegating it to the CISO.
Executive leadership team involvement in the cybersecurity program does not by itself mean the program will be successful. What the involvement does is help the executive leadership team take ownership, speak with confidence to the public, and sound like they know what they are talking about.
It is happening
As stated several times, it is not if but when the cyberattack will happen. Most cyberattack preparation is based on prevention techniques and does not cover how to respond in the event of a cyberattack. A ransomware attack has different stages, and the executive leadership team can slow its progress and prevent the attack from succeeding. According to the author, this planning would center on quick response, tested containment techniques, and eradication.
Here are examples of the types of questions to ask, according to the author:
- Does your team have standard operating procedures for a ransomware attack and regularly practice containment “battle drills” such as quickly changing all privileged account passwords throughout the entire enterprise?
- Do they have ways to quickly isolate a compromised network segment to preserve the integrity of the rest of the network?
- Is your team working toward zero-trust architecture?
- Does your team know where your critical data resides and is it encrypted at rest?
- Do they know what your business-critical services are, and what technical dependencies they have?
- Are your backups redundant and protected from casual access by a compromised administrator account?
Answering these hard questions could mean the difference between success and failure when a cyberattack is at hand.
It is not easy to build a cross-disciplinary incident response team on the spur of the moment. Most CISOs give the responsibility for organizing the immediate handling of the situation to a trusted subordinate called an “incident commander.” Check to ensure the incident commander has the right kind of people on the team. Being a busy executive means you have to decide how you will be kept informed and find out whether the incident commander and/or CISO understand what is necessary. Legal should be a part of the incident command team.
Because human error may occur during this crisis period, with the stars on the team overextending themselves, there needs to be accountability for the pace at which the team is operating. An estimated 10-12 hours per day is generally regarded as how long incident responders can stay mentally productive.
Is there a rest plan that works for the team, with redundancy built in in case of personal emergencies? Similar to how the military plans its personnel operations, first-class security operations centers (SOCs) plan their emergency staffing so that each team member has one to two fully trained persons assigned to carry out their role.
Preparing for communication
The question of how to communicate internally during the attack is an important consideration. For internal communication, figure out how the notice will be sent. Do you have a way of communicating after hours, and if the worst happens and the whole network is down, what other ways can you communicate? Again, following the military personnel operating model, the plan should specify different levels of communication.
For external communications, 24 hours is the timeline for media exposure for highly public firms. Find out whether your communications and PR firm has a message template that can be used for initial notification. Having templates ready can save time and ensure important details are not left out in an emergency. What are the major points that will help you take charge of the news cycle early?
In terms of approval authority, should the CEO review the release personally, or can the head of corporate communications authorize it? For teams that work directly with customers or staff the help desk, is there a message that can be shared to keep them calm without giving out sensitive information?
Personal CEO review may be necessary when there is a breach of sensitive data; in all other cases, corporate communications can be given the authority to publish the notification without CEO review.
Legal should be involved in the communications in all cases and work with corporate communications.
To Pay or Not to Pay Ransom?
Have you put in place a policy of not paying the ransom? This is not to say that a statement to this effect will ward off ransomware attacks. What has been noted is that organizations that paid a ransom were targeted again, since attackers believe they are likely to pay again. This was borne out by a recent survey showing that 80 percent of victims suffered another cyberattack after paying the ransom.
If you cannot set a policy of non-payment, consider issues such as whether a payment would be legal if made to an OFAC-sanctioned entity. Does your toolkit include legal counsel, a cyber insurer, and maybe a professional ransomware negotiating firm? Legal should always be in the picture.
CEO Corner and Ransomware Readiness
According to the author,
- The executive leadership team can and should be closely involved with the development of the anti-ransomware plan.
- Attempted ransomware attacks are almost inevitable for the average organization today, but proper post-breach actions can allow excellent damage mitigation.
- Team structure and good communications plans matter just as much as strong cybersecurity tools and configuration.
In conclusion, paying the ransom is not a simple solution and no single solution fits all situations; paying the ransom has been shown to make organizations a target of future attacks.