Why crisis management is at the heart of ransomware resilience

Issue 4 2023 Security Services & Risk Management, Information Security

Ransomware is not solely a technology or security problem. A ransomware attack is far more significant than merely a technology breach, as it can affect an entire business. In the immediate aftermath of a ransomware attack, organisations should adjust mindsets around the role of security for both technical and business decisions. The existing recovery strategies, tuned to traditional business continuity plans, are insufficient.

Our research found that attacks are on the rise and that 20% of costs associated with all incidents were attributed to brand reputation damage. The recommendation? Get the balance right between security efforts and alignment with the business strategy. Overall, a modern ransomware and extortion response should be treated as a business risk, prioritising effective crisis management across the enterprise.

The need for greater alignment

Here are three key challenges that highlight the need for greater alignment between security and the business before, during and after a cyber crisis event:

1. Traditional crisis response plans need to evolve – ransomware is a business risk, not simply a security problem.

Recovery strategies in traditional business continuity and disaster recovery plans are no longer enough to deal with modern ransomware attacks. Security teams' current approach to incident response typically involves solving the technical investigation aspects of an attack, but attacks are not just a security problem. The incident response must also consider critical business processes and how they impact recovery priorities. Prioritising and stabilising essential operations and systems can help prevent additional downstream financial, reputational, operational and physical impacts.

Organisations should evolve traditional business continuity and incident response approaches and develop one cohesive plan that identifies the priorities for the whole business, problem-solve the big picture and better prepare for swift and inclusive business recovery. By adopting a robust communications plan, leaders can tackle ransomware for what it is—a crisis that needs to be handled in a business-focused manner.

2. Existing crisis communications plans lack the transparency and agility to adapt to new cyber complexities.

Ransomware incidents are disruptive and need an effective communications plan. Regular updates shared with internal and external stakeholders are essential to get ahead of any unfolding story. Understanding the unique demands of an industry, its regulations and notifications and disclosures that apply, are fundamental.

Organisations must be open and honest about what has happened and what happens next, and collaborate with security professionals, legal teams and the organisation's broader ecosystem to ensure a structured approach, ensuring that they act transparently. Key questions include what happened, when it happened, what we know, who was impacted and how, what are we doing about it, and what is next.

3. Ransomware is borderless – it impacts the enterprise, extended ecosystem and multiple stakeholders.

Ransomware has become a persistent threat, with law enforcement and the government becoming increasingly involved. Threat actors have evolved tactics, such as stealing data and extorting a victim by threatening to disclose stolen data. Today, attackers can buy access and malware and execute a ransomware attack by becoming an affiliate of a ransomware-as-a-service (RaaS) program available on criminal forums.

The compressed transformation has often extended the attack surface, evidenced by the triple-digit increase in attacks observed in 2021. Therefore, any crisis response strategy should consider the stakeholders affected, such as customers, corporate subsidiaries, suppliers, trusted third parties, financial investments, and merger and acquisition targets.

Get the CEO and board on board

Testing and validating attack prevention, detection, response and recovery is a way of life for most organisations. Still, drawing on the CEO and board can enhance this practical step. Tabletop exercises are generally undertaken by security personnel. By evolving such practices to include executive-level simulations, organisations can test their defences against a typical ransomware attack and introduce the risk and adrenalin of a ‘real-life’ attack scenario. For example, executives may be told three lines of business are down due to an attack where a threat actor asks for US$10 million. Executives are asked to determine in real time which business should be recovered, how they communicate their response and who is responsible for making those decisions.

To make the process easier, Accenture has developed the following ransomware response and recovery approach to handling cyber crisis communications:

• Triage and prepare: Identify impacted parties and align on reporting objectives, tone, timing, audience and notification requirements.

• Develop and approve: Develop messaging aligned to the communications strategy, identify mediums for each stakeholder group and obtain approvals.

• Posture and deploy: Reinforce messaging, train employees, set up monitoring and deploy a vertically integrated communications task force.

• Monitor and evaluate: Employ an agile approach to evaluating and iterating through updates based on defined metrics, sentiment analysis, media outreach, and financial and brand impact.

So, ask yourself, are you ready? The evolution of ransomware and extortion events requires a different way of thinking – business- and security-focused. With more agile, robust and transparent crisis management capabilities, organisations can handle ransomware events better and improve overall cyber resilience.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Identity recovery matters most
Security Services & Risk Management
As cyberattacks grow more targeted, more destructive, and increasingly aimed at the very fabric of trust within the enterprise, the ability to restore identities has become just as critical as restoring data.

Read more...
ISO 27701 helps demonstrate privacy compliance beyond POPIA
Security Services & Risk Management
ISO 27701 include privacy-specific controls and provides a structured way to manage Personally Identifiable Information (PII) throughout its lifecycle, giving organisations a way to demonstrate how privacy is managed.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Increase in cyberattacks on the manufacturing sector
Security Services & Risk Management News & Events Industrial (Industry)
According to a new Kaspersky ICS CERT report, in the first quarter of 2026, the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19,6% globally.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
The risk at the edge of South Africa’s agriculture supply chain
Security Services & Risk Management Agriculture (Industry) Logistics (Industry)
Research from ESET has found that a significant number of South African agritech operators and farmers continue to believe their companies are not attractive targets for cybercriminals. Unfortunately, that belief is precisely what makes them one.

Read more...
Sophos establishes South African legal entity to strengthen local operations
News & Events Information Security
Global cybersecurity company, Sophos, has announced the formation of its local legal entity, which will support local invoicing, partner enablement, compliance requirements and expanded regional investment.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...
Break the silence on fraud
Security Services & Risk Management
We are entering a new era of fraud, one defined by groups that operate across borders, using advanced digital tools and impersonation tactics to deceive victims and wear down communities' trust and financial security.

Read more...
Africa’s white-collar crime landscape
Security Services & Risk Management
White-collar crime in Africa is no longer a predominantly domestic concern; it has expanded onto the international stage, and so too has the corporate exposure that accompanies it.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.