When facing a ransomware attack, the first question chief information security officers are often asked is, “Should we pay the ransom?”
Debates about whether to pay up have raged on in the security community for years. Most security professionals are steadfast in the belief that enterprises should never pay cybercriminals, as doing so will lead to further attacks.
Not to mention, there’s no guarantee that attackers will follow up on their promise to help recover systems after they receive the money. Still, there have been multiple examples of organizations admitting to paying up after they, or their cyberinsurance carrier, determined that the ransom demand was less than the cost of recovery.
Ransomware is a clear and present danger to enterprises globally, but whether to pay the ransom isn’t the first question that boards of directors, chief executives, and chief information officers should be asking the CISO in the face of an attack – because if that question arises, then it’s already too late. Instead, initial questions should be focused on the impact of the attack and how fast business outcomes and processes can be restored through existing protocols.
It’s critical that ransomware is treated as a business decision, meaning that enterprise leaders choose to invest, rather than waiting until their hand is forced. Security and risk leaders must prompt business leadership to act on ransomware now by evaluating a different set of questions and investment decisions – before the threat becomes reality. Here are three critical questions that CISOs can aim to answer now, in collaboration with business leadership, to prepare for future threats:
How do we prioritize business continuity through a ransomware attack?
Organizations typically look at business continuity as an enterprise prioritization exercise. In the case of ransomware, this means judging individual outcomes and their ability to continue functioning if certain systems lock up.
For example, can the finance department complete the quarterly close (a critical business outcome) if they are hit by ransomware four days before the end of the quarter? Or will the customer service team be able to access account information and field calls if their laptops are unusable?
Many business processes today do not have defined alternate or manual procedures. The CISO should work with the CIO and line-of-business leadership to understand which operations will grind to a halt if computers go away. Then, after presenting these outcomes to business leadership, the business will need to decide how to invest in continuity for specific, prioritized outcomes. This means investing either in alternate procedures or in the backup and restore capabilities that ensure critical systems can be restored to functionality as quickly as possible.
How fast will we patch systems supporting our critical business outcomes and processes?
Days to patch is directly correlated with an enterprise’s level of protection against ransomware. The faster an organization can patch, the less time that its systems are available for exploitation. However, enabling faster patching requires more people and more resources, and hence a larger business investment.
Patching is not a monolith, and every system cannot be patched simultaneously. Therefore, some systems will be patched first – meaning the business outcomes that those systems support will be better protected than those that are patched later. Prioritizing the speed and cost of patching systems based on business outcomes enables security leaders to address ransomware in a business context. Security leaders should work with business stakeholders to determine the outcomes and processes that most need protection, and therefore should be patched first.
How do we prioritize the business outcomes and processes that should have a full restore test?
Everybody backs up, but very few organizations regularly test their restore capabilities. In fact, the first time that most organizations test restore is after they’ve been hit by ransomware. Whether restore works as intended is the single biggest factor in whether a ransomware attack takes a few hours to clean up or devastates the organization.
Testing restore can be expensive and risky, but it must be treated as a business decision. Security leaders should help executives understand the connection between ransomware readiness and restore capabilities, to demonstrate the business case for investing in more restore tests.
Determine the percentage of business outcomes and processes that have undergone a full restore test in the last year, and work alongside business leadership to evaluate how this aligns with the organization’s risk appetite. Prioritize full restore tests for the business outcomes and processes that have been identified as mission-critical for the organization.
Most organizations treat cybersecurity like magic and security people like wizards. Executives give the wizards some money, they cast spells and the organization is protected. If the organization is attacked, then it’s the wizards’ fault.
This thinking has led to some poor cybersecurity investment decisions, but it doesn’t need to be this way. Using these questions, security and risk leaders can guide executive leadership in setting cybersecurity priorities and making investments based on levels of protection in a business context.
It’s time to treat cybersecurity as a business decision, and ransomware is the place to start.
Paul Proctor is a distinguished research vice president at Gartner Inc. He wrote this article for SiliconANGLE. Proctor and other Gartner analysts will provide the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit 2021, taking place virtually Nov. 16-18 in the Americas.