Tekisha Slack, CBCP, MSBC
ACP Communications/Marketing Committee xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Did you know that ransomware sales have increased by over 1,400% over the last two years1? I attended the 2018 Cyber Security Summit in Dallas. While all of the sessions were very informative, there was one panel session called ‘Ransomware: To Pay or Not Pay – This is the Question,’ that intrigued me. In spite of its cute title, this panel discussion session centered on a very scary subject – Ransomware! Ransomware is a type of malware that can block access to an organization’s systems, devices or files until a ransom is paid. Any type of organization can be vulnerable to “malicious actors’ or “cyber extortionist” who can use ransomware to encrypt or entirely erase crucial files or lock an organization’s systems altogether2 . The big question apparently is not how to pay ransomware but how to pay it without being exposed to future vulnerability. Ransomware is an operational risk for many organizations (interestingly, especially in the health care industry) however; there are tangible methods to manage this risk.
My current position in my organization does not require me to work closely on the IT side of things so perhaps, I was a bit uninformed but I had no idea that this was such a large operation. After this session, I casually polled a few of my colleagues and it turns out, many organizations have had to pay ransoms. The dirty little secret is this…cyber extortionist will hack into an organization’s system in order to expose vulnerabilities in their networks. Sometimes companies don’t want to disclose these exposed vulnerabilities because they don’t want it to be made public that their customer’s information could be at risk. I cringe to think about how often this happens. The catch here is that sometimes paying these ransoms no matter how small, can sometimes be the wrong thing to do. So then the question becomes…how does a targeted organization pay the ransom and not expose themselves to further vulnerabilities?
Continually backing up critical files to multiple locations including the Cloud should be a minimum! However, the panel outlined at least six other strategies and considerations to mitigate the risks associated with ransomware so companies won’t have to pay that ransom.
1. Employees are your weakest link. Sending emails with a malicious link or attachment are the most common ways that these cyber extortionists infect an organization’s network. Your people are ALWAYS your weakest link. No matter how much training they receive, the uncomfortable truth is that your people/employees will make you vulnerable to phishing because they will often click on those links or open those attachments and install those malicious apps on work devices. Not to say that training and awareness campaigns on phishing and malware don’t work but perhaps it’s time to get more creative with how you raise awareness of these threats with your employees. Engage your people in conversations that makes it personal and inspire employees to want to not make the organization vulnerable.
2. Personalize training and awareness programs. Provide your employees a common language so that they understand the risks involved. Use examples and scenarios in your training. People are often motivated to do the right thing when there is a vested interest in the outcome. Perhaps use a rewards system that will compensate employees to exercise more vigilance in this area. Another creative way of motivating employees to become more educated in this awareness is to offer tuition reimbursement and training credits to institutions such as the Global Cyber Institute which offers a series of classes that promote cybersecurity education, educating and training cyber-workforce.
3. Full Blown Architectural Adjustments. We are all probably aware that flat networks are a problem! They offer no redundancy, reduces speed and ultimately offer poor security, making it very easy for hackers to intercept data on your network. That being said, a full architectural adjustment might be in order to segment your network thereby, reducing the probability of your organization being the victim of ransomware.
4. Engage an Attorney. Ransomware is nothing but extortion in the cyber space. All 50 states have security breach notification laws that require an entity to disclose data breaches to notify customers and other affected parties about the breach. These laws also require that the organization take other steps to remediate any injuries caused by a breach. Most organizations probably don’t realize that if they pay the “wrong” ransom, they could be committing a crime! This is why it is important to engage an attorney to help navigate these sometimes murky waters.
5. Ransomware insurance. As previously mentioned, ransomware sales have increased by over 1,400% over the last two years! Ransomware is big business. Given the potential impact and probability of this specific threat, your organization may want to consider investing in ransomware insurance also commonly known as Cyber extortion coverage. This coverage is available under many cyber liability policies. It goes by various names. Examples are Extortion Threat Coverage and E-Threat Expenses Coverage. Cyber extortion is typically an optional coverage3 .
6. Board Level Responsibility. The FCC holds ransomware as a board level responsibility. In other words, an organization’s Board of Directors are ultimately accountable for safeguarding company or customer sensitive information. The Board needs to care for this possibility and make it their problem before a breach. Presenting this issue to your organization’s Board in terms of possible revenue impact and the possible tarnishing of the brand are usually a great way to get their attention.
As one member of the panel said “Ultimately, being mindful of the reality of your business will determine how you handle ransomware” No doubt that larger organizations already are well aware of and have implemented the strategies discussed here and have taken the proper actions that I’ve outlined. The overall point is that virtually no organization is safe from this type of extortion. So yes, it turns out that in the ransomware playground, we do negotiate with terrorists. However, it should be every organization’s goal to make it so that they don’t have to.
1Cyber Security Summit. Dallas: Connecting Senior Executives with the Leading Cyber Security Providers. CyberSummitUSA.com. Print.
3Author, Bonner, Marianne. (December 21, 2017). Insuring Against. Retrieved from http:// https://www.thebalancesmb.com/insuring-against-ransomware-and-other-cyber-extortion-4060470