Awareness matters, of course. If you’ve never even heard of an issue, you can’t do anything to prepare for it. And even if you know an issue exists, if you assume it’s rare and distant and unlikely to ever touch you, you won’t bother to do anything to help avoid it. But awareness is only helpful if it’s the first step. If you stop at knowing something’s possible and fail to do anything about it, that awareness isn’t doing you any favors.
And that’s where most executives now stand with ransomware. Deloitte recently shared the results of a poll in which 86.7% of executives said they expect their organization to experience an increase in cyberattacks in the next year. But only a third said they’d simulated a ransomware attack to ensure they’re prepared.
A ransomware attack is one of the last things any good executive wants to deal with, and yet many aren’t taking active steps to make sure their organizations are properly protected. “Many executives still have the mindset that their company is most likely not on the radar for threat actors,” explains Tom Garrubba, VP of Shared Assessments. They figure that other companies must look like juicier targets, especially those at organizations that don’t deal in particularly sensitive customer data.
But cybercriminals aren’t just after customer data. “Threat actors deploying ransomware are in the business of corporate extortion—to sell you the decryption mechanisms once they’ve encrypted your data,” points out Garrubba. That means all organizations are a potential target.
When it seems like you have thousands of other important concerns to prioritize, investing in the prevention of a possible disaster may feel like something to deal with later. But the risk of ransomware isn’t something to drag your feet on.
According to a report from SonicWall, the first half of 2021 saw a 151% increase in ransomware attacks from the previous year. Not only are ransomware attacks on the rise, but they’re getting worse for the victims. Shared Assessments’ experts have noted a rise in data exfiltration cases, which frequently require making multiple ransom payments to get clean data back, and even then still sometimes result in getting data that’s infected with new malware. And that’s if the hackers even return your data to you, Sophos research found that only 8% of companies that pay a ransom get all of their data back.
The cost of these attacks are staggering. The same Sophos report found that the average cost of recovering from a ransomware attack is now $1.85 million—twice what it was last year.
“Organizations are beginning to come to terms with the fallout of not having good security controls, procedures, and standards,” says Garrubba. Executives that know ransomware is a problem but hoped it was one they could push off to later must face the need to act now.
Your average executive isn’t necessarily a cybersecurity expert, so the best steps to take to prevent ransomware may not be obvious. Here are a few ways you can work to make your organization safer.
None of the organization’s good intentions around cybersecurity will amount to much unless the company provides not only clear mandates on what needs to be done but also the financial means to make sure those mandates are possible to carry out. “The C-suite is responsible for helping to secure funding for security efforts, along with mandating or prioritizing such efforts,” says Garrubba.
One of the most important steps an executive can take to make sure an organization can prepare is to approve the level of investment required to make it happen.
Your own infrastructure and systems are an important part of ransomware prevention, but they’re not the only way hackers can get in. Every vendor you work with or software tool you use introduces new vulnerabilities to your organization. Third-party risk management is a crucial component of any good ransomware prevention strategy. Make sure your company develops strong guidelines and procedures around minimizing third-party risk as much as possible.
Prevention is best, but hackers are smart and getting more creative every day. You can never assume you’re 100% protected. Instead, make sure everyone in your organization understands what to do in the case of an attack. Set up a clear plan of action that includes the specific steps to take, who’s in charge of what, and who to contact to help (e.g. authorities, cybersecurity experts you have on retainer, etc.)
If you do face a ransomware attack, an incident response plan won’t make everything OK, but it will help you minimize how bad it gets and ensure handling it is more manageable.
Recognizing vulnerabilities in your own system is hard because you’re not likely to look at it the way a cybercriminal does. Hire ethical hackers to do penetration testing to look for weaknesses you may have missed.
And set up regular cyberattack simulations to ensure everyone in your organization knows what role to play in the event an attack does happen. Creating a cyber incident response plan only helps if people remember what they’re supposed to do while under pressure. Simulations make the steps familiar, so everyone can more easily follow them. And just as importantly, a simulation gives you the chance to identify any flaws in the plan in advance so you can address them before they can hurt you.
In 2019, the city of Baltimore was hit by a ransomware attack that shut down critical systems for nearly 15 city departments. Overall, it cost the city over $18 million. That’s bad, but what makes it worse is that they were warned. City IT officials issued a report saying the city’s computer systems were “a natural target for hackers and a path for more attacks in the system,” and urging them to update their outdated systems.
The decision makers didn’t act on that information, and the consequences were far more costly than making the recommended updates or investing in prevention would have been. Don’t let your organization face the same fate. Make sure you match awareness with action before it’s too late.