Why crisis management is at the heart of ransomware resilience

Issue 4 2023 Security Services & Risk Management, Information Security

Ransomware is not solely a technology or security problem. A ransomware attack is far more significant than merely a technology breach, as it can affect an entire business. In the immediate aftermath of a ransomware attack, organisations should adjust mindsets around the role of security for both technical and business decisions. The existing recovery strategies, tuned to traditional business continuity plans, are insufficient.

Our research found that attacks are on the rise and that 20% of costs associated with all incidents were attributed to brand reputation damage. The recommendation? Get the balance right between security efforts and alignment with the business strategy. Overall, a modern ransomware and extortion response should be treated as a business risk, prioritising effective crisis management across the enterprise.

The need for greater alignment

Here are three key challenges that highlight the need for greater alignment between security and the business before, during and after a cyber crisis event:

1. Traditional crisis response plans need to evolve – ransomware is a business risk, not simply a security problem.

Recovery strategies in traditional business continuity and disaster recovery plans are no longer enough to deal with modern ransomware attacks. Security teams' current approach to incident response typically involves solving the technical investigation aspects of an attack, but attacks are not just a security problem. The incident response must also consider critical business processes and how they impact recovery priorities. Prioritising and stabilising essential operations and systems can help prevent additional downstream financial, reputational, operational and physical impacts.

Organisations should evolve traditional business continuity and incident response approaches and develop one cohesive plan that identifies the priorities for the whole business, problem-solve the big picture and better prepare for swift and inclusive business recovery. By adopting a robust communications plan, leaders can tackle ransomware for what it is—a crisis that needs to be handled in a business-focused manner.

2. Existing crisis communications plans lack the transparency and agility to adapt to new cyber complexities.

Ransomware incidents are disruptive and need an effective communications plan. Regular updates shared with internal and external stakeholders are essential to get ahead of any unfolding story. Understanding the unique demands of an industry, its regulations and notifications and disclosures that apply, are fundamental.

Organisations must be open and honest about what has happened and what happens next, and collaborate with security professionals, legal teams and the organisation's broader ecosystem to ensure a structured approach, ensuring that they act transparently. Key questions include what happened, when it happened, what we know, who was impacted and how, what are we doing about it, and what is next.

3. Ransomware is borderless – it impacts the enterprise, extended ecosystem and multiple stakeholders.

Ransomware has become a persistent threat, with law enforcement and the government becoming increasingly involved. Threat actors have evolved tactics, such as stealing data and extorting a victim by threatening to disclose stolen data. Today, attackers can buy access and malware and execute a ransomware attack by becoming an affiliate of a ransomware-as-a-service (RaaS) program available on criminal forums.

The compressed transformation has often extended the attack surface, evidenced by the triple-digit increase in attacks observed in 2021. Therefore, any crisis response strategy should consider the stakeholders affected, such as customers, corporate subsidiaries, suppliers, trusted third parties, financial investments, and merger and acquisition targets.

Get the CEO and board on board

Testing and validating attack prevention, detection, response and recovery is a way of life for most organisations. Still, drawing on the CEO and board can enhance this practical step. Tabletop exercises are generally undertaken by security personnel. By evolving such practices to include executive-level simulations, organisations can test their defences against a typical ransomware attack and introduce the risk and adrenalin of a ‘real-life’ attack scenario. For example, executives may be told three lines of business are down due to an attack where a threat actor asks for US$10 million. Executives are asked to determine in real time which business should be recovered, how they communicate their response and who is responsible for making those decisions.

To make the process easier, Accenture has developed the following ransomware response and recovery approach to handling cyber crisis communications:

• Triage and prepare: Identify impacted parties and align on reporting objectives, tone, timing, audience and notification requirements.

• Develop and approve: Develop messaging aligned to the communications strategy, identify mediums for each stakeholder group and obtain approvals.

• Posture and deploy: Reinforce messaging, train employees, set up monitoring and deploy a vertically integrated communications task force.

• Monitor and evaluate: Employ an agile approach to evaluating and iterating through updates based on defined metrics, sentiment analysis, media outreach, and financial and brand impact.

So, ask yourself, are you ready? The evolution of ransomware and extortion events requires a different way of thinking – business- and security-focused. With more agile, robust and transparent crisis management capabilities, organisations can handle ransomware events better and improve overall cyber resilience.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Data resilience at VeeamON
Technews Publishing SMART Security Solutions Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...
The role of drones in farm protection
Agriculture (Industry) Security Services & Risk Management
Laurence Palmer reminds us of the role drones play in agricultural security and offers a free security risk assessment template for downloading (link at the end of the article).

Read more...
SMART Surveillance Conference in Johannesburg
Arteco Global Africa Technews Publishing SMART Security Solutions Axis Communications SA neaMetrics Editor's Choice Surveillance Security Services & Risk Management Logistics (Industry) AI & Data Analytics
SMART Security Solutions hosted its annual SMART Surveillance Conference in Johannesburg in July, welcoming several guests, sponsors, and speakers for an informative and enjoyable day examining the evolution of the surveillance market.

Read more...
Secure data protection without hardware lock-in
Infrastructure Information Security News & Events
New Veeam Software Appliance empowers IT teams to achieve instant protection with Veeam’s fully preconfigured, software-only appliance, delivering enterprise-ready simplified deployment and operational efficiency, robust cyber resilience.

Read more...
Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Cybersecurity and insurance partnership for sub-Saharan Africa
Sophos News & Events Information Security Security Services & Risk Management
Sophos and Phishield Announce first-of-its-kind cybersecurity and insurance partnership for sub-Saharan Africa. The SMARTpod podcast, discussing the deal and the state of ransomware in South Africa and globally, is now also available.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.