9 August, 2022

Subscribe Advertise About Us

Board preparation is key to fighting the ransomware threat

Board members must be clear on how their organisation’s data and IT infrastructure is being protected from the growing ransomware threat—and whether to pay up in the event of an attack.

ransomware threat

Image: Nawadoln/Shutterstock

Ransomware is one of the most debilitating forms of cyber-attack, often catching companies unaware and ultimately causing them long-term financial and reputational harm. Unfortunately, in 2019 there has been a massive upsurge in large companies being targeted.

In one recent example a virus hit Johannesburg’s City Power, the primary electricity supplier for South Africa’s economic hub, encrypting all of its databases, applications and network. In another, Norsk Hydro announced that it is facing a price tag of £75m after recovering from a ransomware attack that froze staff computers and halted production lines.

Once ransomware takes hold of a single device entire networks can quickly become infected. Just one click is all that’s needed for confidential information and other crucial aspects of a company’s operations to be made inaccessible.

Ransomware will often make its way onto a system as a malicious weblink or email attachment. If a network is not properly protected an entire organisation’s IT infrastructure will end up becoming infected.

Just one click is all that’s needed for confidential information and other crucial aspects of a company’s operations to be made inaccessible

There are two main types of ransomware: crypto and locker. If an illegitimate application is opened, crypto-ransomware will seek to encrypt all of the files, folders and hard drives, promising to reinstate data only after a ransom has been paid. As the name suggests, locker-ransomware poses a similar threat by locking users out of devices and systems.

In the face of these developments, boards cannot afford to be complacent over organisational security strategies.

Top teams should have a detailed view of what the impact of a breach will be and understand who will take the lead if service as normal is interrupted. They should also be prepared to lead long-term strategic planning to protect operations against the continually evolving ransomware threat.

To pay or not to pay?

One of the biggest challenges to confront is the ethical dilemma of whether an organisation should pay a ransom or not. This is no easy decision. Average ransom amounts are currently in the region of around £10,000, often with a 24-hour countdown attached to them before all data or access is irretrievably lost.

This means the board debate over whether to pay a ransom needs to be had long before an IT network is held hostage.

At the same time transparency can be vital. Business leaders need to prioritise security while insisting that all frontline employees do the same. People are inevitably the weakest link in cybersecurity and so they need to know when there has been a breach, what action is being taken and how their work will be impacted.

Cybersecurity cannot be solved by simply buying in more technology as a quick fix. It is about taking a strategic approach to budget allocation and decision-making that delivers genuine improvement.

Be prepared to ask the difficult questions of your IT team. If they believe they have the necessary expertise and software to deal with any ransomware threat, then put this to the test. Bring in a third-party company that is fully qualified and capable of pushing process and practise with an unannounced attack.

The board debate over whether to pay a ransom needs to be had long before an IT network is held hostage

A culture of security should be fostered throughout the workplace. Staff need to be educated and trained to keep software applications and systems updated; backup files regularly; and segment networks to ensure sensitive data is only accessible as necessary.

The ideal organisational culture sees managers and staff taking a second-nature approach to keeping information safe and viewing security as a positive force. This necessitates a check-list that boards can become familiar with and adhere to as part of their regular order of business.

If the organisation falls victim to a ransomware threat it is vital to act quickly. Wherever possible, ensure that the incident is contained while the business continues to operate. Then, prepare to notify all relevant stakeholders, including insurers, regulators, lawyers, the police and clients as is necessary and practicable.

Training should prepare board members for “what if?” scenarios along with clear roles and responsibilities in case of a cyber-attack. How will an organisation respond to its networks being compromised or customers being unable to access online services?

These issues should be a standing agenda item at board meetings, if only to confirm that no changes are needed since the previous review.

The threat landscape is constantly moving and, while it may be unrealistic to ask executives to follow the details of every twist and turn that happens, they can encourage IT managers or the COO to join external organisations and forums where information and good practice is shared. This can be used to provide regular updates that are specifically prepared for the executive.

The organisation should develop a corporate ransomware policy and turn the strategic principles agreed by the board into a working tactical plan.

Worryingly, research shows that a third of companies believe that it has become more cost-effective for them to simply pay a ransom than invest in proper security systems and training.

Unfortunately this creates a catch-22 where businesses continue to pay and ransomware grows as a popular money-making tactic for criminals—only encouraging the problem further. It is up to boards to decide where the line will be drawn.

Professor Kamal Bechkoum is head of business and technology at the University of Gloucestershire.

Related Posts

  • LSE brings Schapiro to the board
    June 11, 2015

    Mary Schapiro, the former chairman of the SEC, the US financial watchdog, has been appointed a non-executive director to London Stock Exchange Group. Schapiro headed the SEC from 2009 to 2012 and has also served as chairman of Financial Industry Regulatory Authority in the US. Under Schapiro the SEC was noted for improving its enforcement programme and since 2009 has recovered $11bn in "disgorgements and penalties". Schapiro is also a non-executive at General electric Co and is vice chairman of the Sustainability Accounting Standards Board.  

  • Setting the pace: how to ensure your board is fit for the future
    August 7, 2019
    man running, future fit

    EY’s latest whitepaper looks at the key actions boards should take now to ensure they set the pace—or risk falling behind.

  • The need to nurture business culture is here to stay
    December 7, 2016
    boardroom

    Nurturing the right business culture is critical, but needn’t be something to shy away from. Jérémie Guillerme of stakeholder communications consultancy Black Sun sets out some advice to get you on the right road.

  • Why the whole board needs to be on top of risk management
    January 9, 2017

    Companies with greater board risk oversight involvement achieve better operating performance, says Thomas Keusch.

For thoughtful journalism, expert insights on corporate governance and an extensive library of reports, guides and tools to help boards and directors navigate the complexities of their roles, subscribe to Board Agenda

, , , , , ,