What a Board Director needs to know about ransomware
Ransomware is one of the largest cyber threats facing any organization today. Ransomware targets organizations across all industries, including healthcare, finance, education and critical infrastructure. Ransomware attacks can be financially devastating and severely disrupt business operations.
The board of directors must be aware that the risk of ransomware can be significantly reduced via proper governance and risk management.
Ransomware is a type of malicious software that encrypts the victim's files and systems, making them inaccessible until a "ransom payment" is made (usually in Bitcoin or another cryptocurrency) in exchange for a decryption key that is supposed to recover the files.
Most ransomware attacks are 'enterprise-wide'. This means that not just one user or one machine is affected, but often the whole organizational network. Once cybercriminals have access to the systems, they typically spend some time moving around, working out where critical data is stored and how backups are made and kept. Armed with this knowledge, and often after first deleting or encrypting any backups they can reach, the cybercriminals can launch the ransomware whenever they see fit.
Ransomware attacks typically start with a user in the organization being tricked into downloading and opening an attachment in an email that looks familiar but actually comes from a cybercriminal; stolen or weak credentials for remote access services and unpatched internet-facing systems are other common entry points. Some cybercriminals only simulate a ransomware attack and demand payment without actually encrypting all files, or after encrypting only a few devices. Many cybercriminals also practise double extortion: they first exfiltrate as many files from the organizational network as possible before launching the ransomware that encrypts the files, demand a first ransom for the decryption key, and then threaten to publish all the sensitive data unless the victim organization pays a second ransom. Organizations and directors must remember that they are dealing with criminals and have no guarantee whatsoever that the cybercriminals will keep their promises to deliver the decryption keys, not to attack again, or not to post or sell the organizational information later.
Ransomware attacks can have severe consequences for victim organizations. Not only are there financial losses through payments to cybercriminals, recovery costs and potential fines, but ransomware also causes operational disruption through downtime and lost productivity while systems are restored or data is missing. Furthermore, victim organizations can suffer reputational damage through loss of customer and employee trust and negative media coverage. Finally, ransomware can have legal and regulatory repercussions when sensitive personal data is published by cybercriminals, which constitutes a data breach and may put the organization in breach of data protection regulations.
In June 2017, Danish global shipping giant Maersk was hit by the NotPetya malware, which posed as ransomware but was in effect a destructive wiper, causing over $300 million in damages and severe operational disruption. The board's commitment to rapid recovery and transparent communication helped Maersk rebuild trust and improve its cybersecurity posture. In May 2021, major U.S. fuel pipeline operator Colonial Pipeline suffered a ransomware attack that led to fuel shortages and significant operational disruption. The board's prompt decision-making and coordination with federal authorities were crucial in mitigating the impact and restoring operations. In December 2022 the city of Antwerp was hit by a ransomware attack that disrupted all digital services, including services provided to citizens, despite having been warned in two separate security audit reports months before the attack took place. It cost around 100 million euro to repair the damage and raise the city's cybersecurity maturity.
Boards need to take an active role in overseeing cybersecurity measures, since directors may be held personally liable for cybersecurity failures that allow an attack to succeed.
Ransomware represents a significant strategic risk. The board must ensure that the organisation has a comprehensive risk management framework that includes robust cybersecurity measures. This involves regular risk assessments, threat intelligence sharing, and scenario planning, including exercises that test those scenarios.
The board also has a fiduciary duty to safeguard the organisation's assets and ensure its long-term viability. This includes overseeing the implementation of cybersecurity policies and ensuring accountability at all levels. Cybersecurity should be a regular item on the board's agenda throughout the year.
Regulatory bodies are increasingly imposing strict cybersecurity requirements. The board must ensure that the organisation complies with the relevant regulations, such as the General Data Protection Regulation (GDPR) in Europe, the Network and Information Security Directive (NIS2) for essential and important entities, and the Digital Operational Resilience Act (DORA) for the financial sector.
The board must review whether the proper proactive and reactive countermeasures are in place to avoid, or lower the impact of, ransomware on the organisation.
The best proactive countermeasure against ransomware is regular, secure backups, which are crucial for minimizing the impact of an attack. The board should ensure that the organisation maintains up-to-date backups of (critical) data, that these backups are stored securely and offline or in immutable storage that attackers cannot reach from the compromised network, and that restoring from them is tested regularly: a backup that has never been restored is not a tested backup. Backups address the loss of access to data but not the theft of data, so they must be combined with detection and access controls to limit double extortion. IT systems can always be procured again from the vendor, but the data cannot.
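To make "tested backups" concrete, here is an added example (not code from the original page or from any vendor) of the minimum check a restore test should perform: a manifest of file hashes is recorded at backup time and kept with the offline copy, the live data is then damaged the way ransomware would damage it (simulated here by overwriting bytes, with constructed sample files in a temporary directory), and the restored copy is compared against the manifest to prove it is complete and unaltered. Every path and file name below is an assumption made for the demonstration.

```python
"""Backup integrity manifest and restore test.

Added illustration, not from the original article. Sample files and the
"ransomware" are constructed here; real backups would live on offline or
immutable storage and the manifest would be kept with them.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample "live" data for the demonstration (assumed, not real).
SAMPLE_FILES = {
    "docs/report.txt": b"Q3 board report, draft 2\n",
    "finance/ledger.csv": b"date,amount\n2024-01-01,1000\n",
    "notes.txt": b"meeting notes\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Report files that are missing, changed, or new compared with the manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def write_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def read_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def simulate_ransomware(live: Path) -> None:
    """Constructed damage: encrypt one file in place, encrypt-and-rename another."""
    (live / "docs/report.txt").write_bytes(os.urandom(64))
    ledger = live / "finance/ledger.csv"
    ledger.with_name(ledger.name + ".locked").write_bytes(os.urandom(64))
    ledger.unlink()


def run_restore_test() -> tuple:
    """Back up, damage the live copy, restore to a clean location, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, backup = base / "live", base / "backup"
        manifest_path = base / "backup.manifest.json"  # kept beside the offline copy
        for rel, data in SAMPLE_FILES.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        # Take the backup and record the manifest at backup time.
        shutil.copytree(live, backup)
        write_manifest(build_manifest(live), manifest_path)
        # The attack lands on the live data only; the backup is "offline".
        simulate_ransomware(live)
        damage_report = verify_against_manifest(live, read_manifest(manifest_path))
        # Restore to a fresh location (never over the compromised tree) and verify.
        restored = base / "restored"
        shutil.copytree(backup, restored)
        restore_report = verify_against_manifest(restored, read_manifest(manifest_path))
        return damage_report, restore_report


if __name__ == "__main__":
    damage, restore = run_restore_test()
    print("damage on live system:", json.dumps(damage, indent=2))
    print("restore verification:", json.dumps(restore, indent=2))
```

The damage report is what an incident responder wants on day one (which files were encrypted in place, which were renamed, which survived), and an empty restore report is the evidence the board should ask for when told that backups are "tested". The manifest itself must be stored with the offline copy, not on the live network, or an attacker who reaches the backups can rewrite it too.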
The board should make sure that adequate investment in cybersecurity infrastructure is allocated, including security detection and response solutions, regular security audits and continuous network monitoring.
Since human error is the most common entry point for ransomware, regular security awareness training must be in place to help employees recognise phishing attempts and other cybercriminal tactics. The board should promote a culture of cybersecurity awareness across the organisation, including among the directors themselves, since directors can also be targets of cybercriminals.
Vendors and third-party partners can also introduce ransomware into the organisation. The board should oversee the implementation of rigorous third-party risk management practices, including security assessments and contractual obligations for cybersecurity standards, reviewed on a regular basis and not just at approval.
Finally, if a ransomware attack does occur, an effective incident response plan or playbook is critical. The board should ensure that such a ransomware plan or playbook is regularly updated, is tested through simulations, and that all employees are trained on their roles and responsibilities during a ransomware attack.
Ransom payments fund cybercriminal operations and the development of even more advanced methods of infiltrating vulnerable businesses, thus encouraging cybercriminals to continue their activities. Paying a ransom also significantly increases the risk of becoming a target a second time, either of the same cybercriminal group or of others. A ransom payment, whether made by the organization, a negotiator or an insurer, could raise questions as to whether the payment constitutes funding of criminal groups, terrorism, sanctioned organizations or rogue states, and/or violates Anti-Money Laundering (AML) laws. What is the impact on operations if the organization does not pay a ransom? What is the level of confidence that operations can be recovered successfully if the ransom is not paid? Paying a ransom is a risk-based decision. The various risks must be evaluated before deciding to pay a ransom to cybercriminals, especially as there is no guarantee of a positive outcome. For all these reasons, governments strongly advise against paying ransoms to cybercriminals. Hence the importance of a clear ransomware strategy and of investments in detection and recovery.
Ransomware poses a critical threat that requires the board of directors' vigilant oversight. By understanding the nature of ransomware, its impact and the countermeasures needed to mitigate the risk, the board can ensure the organization's resilience against ransomware attacks. This approach not only protects the organization's assets but also enhances its reputation and long-term viability. The board must foster a culture of cybersecurity, prioritize strategic investments and maintain a robust governance framework to combat the evolving ransomware threat effectively. By doing so, directors will not only safeguard their organization but also fulfil their fiduciary responsibilities and build a resilient enterprise prepared for the ransomware challenge.
Ransomware is a board-level responsibility. Directors need to take the ransomware threat seriously and play an oversight role in implementing proactive and reactive countermeasures. Directors should ensure it is on the enterprise risk agenda.
You can also consult our Checklist for directors to challenge the ransomware risk. Here you can download the Ransomware Playbook.
For any comments, questions, queries on cybersecurity issues, you can get in touch with Sounding Board committee members here.