31 May, 2023

Board Agenda

Board preparation is key to fighting the ransomware threat

by Kamal Bechkoum on August 5, 2019

Board members must be clear on how their organisation’s data and IT infrastructure is being protected from the growing ransomware threat—and whether to pay up in the event of an attack.

Image: Nawadoln/Shutterstock

Ransomware is one of the most debilitating forms of cyber-attack, often catching companies unaware and ultimately causing them long-term financial and reputational harm. Unfortunately, in 2019 there has been a massive upsurge in large companies being targeted.

In one recent example a virus hit Johannesburg’s City Power, the primary electricity supplier for South Africa’s economic hub, encrypting all of its databases, applications and network. In another, Norsk Hydro announced that it is facing a price tag of £75m after recovering from a ransomware attack that froze staff computers and halted production lines.

Once ransomware takes hold of a single device, entire networks can quickly become infected. Just one click is all that’s needed for confidential information and other crucial aspects of a company’s operations to be made inaccessible.

Ransomware will often make its way onto a system as a malicious weblink or email attachment. If a network is not properly protected, an entire organisation’s IT infrastructure will end up becoming infected.

There are two main types of ransomware: crypto and locker. If an illegitimate application is opened, crypto-ransomware will seek to encrypt all of the files, folders and hard drives, promising to reinstate data only after a ransom has been paid. As the name suggests, locker-ransomware poses a similar threat by locking users out of devices and systems.

In the face of these developments, boards cannot afford to be complacent over organisational security strategies.

Top teams should have a detailed view of what the impact of a breach will be and understand who will take the lead if service as normal is interrupted. They should also be prepared to lead long-term strategic planning to protect operations against the continually evolving ransomware threat.

To pay or not to pay?

One of the biggest challenges to confront is the ethical dilemma of whether an organisation should pay a ransom or not. This is no easy decision. Average ransom amounts are currently in the region of £10,000, often with a 24-hour countdown attached to them before all data or access is irretrievably lost.

This means the board debate over whether to pay a ransom needs to be had long before an IT network is held hostage.

At the same time, transparency can be vital. Business leaders need to prioritise security while insisting that all frontline employees do the same. People are inevitably the weakest link in cybersecurity and so they need to know when there has been a breach, what action is being taken and how their work will be impacted.

Cybersecurity cannot be solved by simply buying in more technology as a quick fix. It is about taking a strategic approach to budget allocation and decision-making that delivers genuine improvement.

Be prepared to ask the difficult questions of your IT team. If they believe they have the necessary expertise and software to deal with any ransomware threat, then put this to the test. Bring in a third-party company that is fully qualified and capable of pushing process and practice with an unannounced attack.

A culture of security should be fostered throughout the workplace. Staff need to be educated and trained to keep software applications and systems updated; back up files regularly; and segment networks to ensure sensitive data is only accessible as necessary.

The ideal organisational culture sees managers and staff taking a second-nature approach to keeping information safe and viewing security as a positive force. This necessitates a checklist that boards can become familiar with and adhere to as part of their regular order of business.

If the organisation falls victim to a ransomware threat it is vital to act quickly. Wherever possible, ensure that the incident is contained while the business continues to operate. Then, prepare to notify all relevant stakeholders, including insurers, regulators, lawyers, the police and clients as is necessary and practicable.

Training should prepare board members for “what if?” scenarios along with clear roles and responsibilities in case of a cyber-attack. How will an organisation respond to its networks being compromised or customers being unable to access online services?

These issues should be a standing agenda item at board meetings, if only to confirm that no changes are needed since the previous review.

The threat landscape is constantly moving and, while it may be unrealistic to ask executives to follow the details of every twist and turn that happens, they can encourage IT managers or the COO to join external organisations and forums where information and good practice are shared. This can be used to provide regular updates that are specifically prepared for the executive.

The organisation should develop a corporate ransomware policy and turn the strategic principles agreed by the board into a working tactical plan.

Worryingly, research shows that a third of companies believe that it has become more cost-effective for them to simply pay a ransom than invest in proper security systems and training.

Unfortunately, this creates a catch-22 where businesses continue to pay and ransomware grows as a popular money-making tactic for criminals—only encouraging the problem further. It is up to boards to decide where the line will be drawn.

Professor Kamal Bechkoum is head of business and technology at the University of Gloucestershire.
