Why crisis management is at the heart of ransomware resilience

Issue 4 2023 Security Services & Risk Management, Information Security

Ransomware is not solely a technology or security problem. A ransomware attack is far more significant than merely a technology breach, as it can affect an entire business. In the immediate aftermath of a ransomware attack, organisations should adjust mindsets around the role of security for both technical and business decisions. The existing recovery strategies, tuned to traditional business continuity plans, are insufficient.

Our research found that attacks are on the rise and that 20% of costs associated with all incidents were attributed to brand reputation damage. The recommendation? Get the balance right between security efforts and alignment with the business strategy. Overall, a modern ransomware and extortion response should be treated as a business risk, prioritising effective crisis management across the enterprise.

The need for greater alignment

Here are three key challenges that highlight the need for greater alignment between security and the business before, during and after a cyber crisis event:

1. Traditional crisis response plans need to evolve – ransomware is a business risk, not simply a security problem.

Recovery strategies in traditional business continuity and disaster recovery plans are no longer enough to deal with modern ransomware attacks. Security teams' current approach to incident response typically involves solving the technical investigation aspects of an attack, but attacks are not just a security problem. The incident response must also consider critical business processes and how they impact recovery priorities. Prioritising and stabilising essential operations and systems can help prevent additional downstream financial, reputational, operational and physical impacts.

Organisations should evolve traditional business continuity and incident response approaches and develop one cohesive plan that identifies the priorities for the whole business, problem-solve the big picture and better prepare for swift and inclusive business recovery. By adopting a robust communications plan, leaders can tackle ransomware for what it is—a crisis that needs to be handled in a business-focused manner.

2. Existing crisis communications plans lack the transparency and agility to adapt to new cyber complexities.

Ransomware incidents are disruptive and need an effective communications plan. Regular updates shared with internal and external stakeholders are essential to get ahead of any unfolding story. Understanding the unique demands of an industry, its regulations and notifications and disclosures that apply, are fundamental.

Organisations must be open and honest about what has happened and what happens next, and collaborate with security professionals, legal teams and the organisation's broader ecosystem to ensure a structured approach, ensuring that they act transparently. Key questions include what happened, when it happened, what we know, who was impacted and how, what are we doing about it, and what is next.

3. Ransomware is borderless – it impacts the enterprise, extended ecosystem and multiple stakeholders.

Ransomware has become a persistent threat, with law enforcement and the government becoming increasingly involved. Threat actors have evolved tactics, such as stealing data and extorting a victim by threatening to disclose stolen data. Today, attackers can buy access and malware and execute a ransomware attack by becoming an affiliate of a ransomware-as-a-service (RaaS) program available on criminal forums.

The compressed transformation has often extended the attack surface, evidenced by the triple-digit increase in attacks observed in 2021. Therefore, any crisis response strategy should consider the stakeholders affected, such as customers, corporate subsidiaries, suppliers, trusted third parties, financial investments, and merger and acquisition targets.

Get the CEO and board on board

Testing and validating attack prevention, detection, response and recovery is a way of life for most organisations. Still, drawing on the CEO and board can enhance this practical step. Tabletop exercises are generally undertaken by security personnel. By evolving such practices to include executive-level simulations, organisations can test their defences against a typical ransomware attack and introduce the risk and adrenalin of a ‘real-life’ attack scenario. For example, executives may be told three lines of business are down due to an attack where a threat actor asks for US$10 million. Executives are asked to determine in real time which business should be recovered, how they communicate their response and who is responsible for making those decisions.

To make the process easier, Accenture has developed the following ransomware response and recovery approach to handling cyber crisis communications:

• Triage and prepare: Identify impacted parties and align on reporting objectives, tone, timing, audience and notification requirements.

• Develop and approve: Develop messaging aligned to the communications strategy, identify mediums for each stakeholder group and obtain approvals.

• Posture and deploy: Reinforce messaging, train employees, set up monitoring and deploy a vertically integrated communications task force.

• Monitor and evaluate: Employ an agile approach to evaluating and iterating through updates based on defined metrics, sentiment analysis, media outreach, and financial and brand impact.

So, ask yourself, are you ready? The evolution of ransomware and extortion events requires a different way of thinking – business- and security-focused. With more agile, robust and transparent crisis management capabilities, organisations can handle ransomware events better and improve overall cyber resilience.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
Addressing today’s mining challenges: cyber risks beyond IT
Editor's Choice Information Security Mining (Industry)
Despite the mining industry’s operational technology systems being vulnerable to cyberattacks, many decision-makers still see these threats as purely an IT issue, even though a breach could potentially disrupt mining operations.

Read more...
How to effectively share household devices
Smart Home Automation Information Security
Sharing electronic devices within a household is unavoidable. South African teens spend over eight hours per day online, making device sharing among family members commonplace. Fortunately, there are methods to guarantee safe usage for everyone.

Read more...
Unlocking new efficiencies in private security
Security Services & Risk Management Transport (Industry) Smart Home Automation Logistics (Industry)
Justin Manson, Sales Director at Webfleet, discusses how the urgent need to protect life, and to do so more efficiently, is driving continuous innovation in holistic home and residential security services in South Africa.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Fortinet establishes new point-of-presence in South Africa
News & Events Information Security
Fortinet has announced the launch of a new dedicated point-of-presence (POP) in Isando, Johannesburg, to expand the reach and availability of Fortinet Unified SASE for customers across South Africa and southern African countries.

Read more...
New tools for investigation and robust infrastructure security
News & Events Information Security
Cybereason continues to enhance its security platform, with recent updates introducing improvements in file search operations, investigation query results, and cloud workload protection, providing more granular data and faster key artefact identification.

Read more...
Bomb threat landscape in South Africa
Editor's Choice Security Services & Risk Management
Over the past 25 years, South Africa has faced thousands of bomb threats and explosive incidents annually, imposing a significant economic burden on the nation, costing billions of rand.

Read more...
Natural catastrophes and fire risks top concerns
Security Services & Risk Management Asset Management Residential Estate (Industry)
Natural disasters are the highest risk in the real estate industry, followed by fire and explosions, and then business interruption. Estates must prioritise risk management and take proactive measures to safeguard their assets, employees, and reputation.

Read more...