High ranking business executives say ransomware is a major concern to them but their organizations are unprepared to do anything about it.
Those were the findings of a poll released Monday by global consulting and advisory services firm Deloitte.
Nearly two-thirds (64.8 percent) of the 50 C-level and other executives polled by Deloitte revealed that ransomware will be a major concern to their organizations over the next 12 months, but only a third of the corporate leaders have simulated an attack to prepare for such an incident.
“Over the past 12 to 18 months, executives across industries and sectors have witnessed — and increasingly experienced first-hand — the jaw-dropping frequency, sophistication, cost and both economic and operational impacts of ransomware attacks,” Deloitte Managing Director Curt Aubley said in a statement.
“As some ransomware can evade antivirus tools and attackers find more ways to pressure victims to pay ransoms, these attacks often have national and global repercussions,” he continued. “There’s no time to waste when it comes to honing and testing incident response programs for ransomware and other cyber events.”
Security by Obscurity
Most organizations believe in security through obscurity, observed Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“They simply don’t think they will be noticed by hackers if they keep their heads down,” she told TechNewsWorld.
That head-in-the-sand attitude is especially prevalent among smaller and less mature organizations, noted Allie Mellen, a security and risk analyst at Forrester Research.
“Ransomware is an equal opportunity attack,” she told TechNewsWorld. “It targets large and small businesses equally.”
“There are a number of ransomware groups that just target whatever they can get,” she continued. “They’re very opportunistic.”
“We’ve seen groups that specifically shy away from big game hunting because of the potential geopolitical impact it can have,” she said. “They’re attacking smaller organizations or individual consumers.”
“Those attacks aren’t as high profile now because of the publicity the ransomware attacks on larger organizations are getting,” she added.
Chenxi Wang, founder and general partner of Rain Capital, a venture capital firm in San Francisco, maintained most C-level executives are putting ransomware in an IT silo and underestimate its threat to an entire business.
“Many do not yet consider ransomware threats a cross-function business issue for them to be actively involved in,” she told TechNewsWorld.
Translating cyber risk into business risk is a general problem, noted Brandon Hoffman, chief security officer for Intel 471, a cybercrime intelligence provider in Dallas.
“In the past, the sky lining of cyber events has been viewed as gambits to obtain budget for a business unit without a clearly defined ROI,” he told TechNewsWorld.
“The current exposure and coverage related to ransomware doesn’t appear to have significantly moved the needle,” he said.
“It may also be that executive teams feel that their cyber insurance is the gap coverage to areas they can’t really operationally fix, but this viewpoint is equally dangerous,” Hoffman added.
Chris Clements, vice president of solutions architecture for Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz. agreed that a defense strategy that leans on cyber insurance is a short-sighted one.
“Cyber insurance may pay out to help offset the costs of paying a ransom, but that’s never guaranteed,” he told TechNewsWorld.
“Very often a ransomware attack means that business stops completely; rendering the victim unable to deliver service to their customers,” he said. “I don’t think enough executives take that into account when planning their cybersecurity strategy.”
“Your business could come to an abrupt stop and may not restart for days or even weeks afterward leaving employees idle, customers without products or services, and significant revenue losses,” he explained.
“The same way that car insurance isn’t a substitute for seatbelts or airbags,” he continued, “cybersecurity insurance isn’t a replacement for implementing critical security controls.”
“Recognizing the seriousness of the ransomware threat is easy,” added Cherise Esparza, CPO, CTO and co-founder of SecurityGate, a cybersecurity software company in Houston.
“What isn’t easy is connecting the threat back to the business risk and impact, then trying to determine if the threat is likely enough to warrant resources to protect against it,” she told TechNewsWorld.
Better Access to Brass
Communication may also play a role in the gap between awareness and preparedness.
“One of the main disconnects among today’s security leaders is communication upstream with the C-level,” observed Chuck Everette, director of cybersecurity advocacy at Deep Instinct, a deep learning cybersecurity company in New York City.
“The typical tenure for today’s security leaders and CISOs is only around 12 months,” he told TechNewsWorld. “Due to the short amount of time they are in the role, communication upstream is not always streamlined or efficient because they have not built the relationships or trust at the C-level or board level.”
However, he added that security leaders have greater access to the top brass in their companies than ever before.
“There has been a shift of where security leaders report to within organizations,” he explained.
“In the past, they reported to CFOs or CIOs, but now they are starting to report directly to the CEO, which is where they should be,” he said.
“Security leaders today must have that influence and visibility with the CEOs to properly advise them of the threats to their company and how to mitigate them,” he continued. “This type of information cannot be filtered or diluted.”
Personal Accountability Needed?
One way to close the awareness-preparedness gap is to give C-level executives a taste of life during a crisis.
“I’ve seen enterprises rapidly elevate their protection efficacy after training has included war gaming using executive-level cyber-ranges,” observed Gunter Ollmann, CISO of Devo Technology, a logging and security analytics company in Cambridge, Mass.
“Having the executive team spend a day actively responding to a ransomware incident that includes mock press interviews, releasing update emails to customers and partners, and crisis management, seems to focus minds and reinforces that a cyber incident affects all parts of the business,” he told TechNewsWorld.
However, more than better communication and empathy may be needed to close the awareness-preparedness gap.
“Organizations will not adjust executive management culture and priorities until they’re held personally accountable for data breaches and disruptions in operations caused by ransom-based malware,” said Simon Aldama, principal security advisor at Netenrich, a San Jose, Calif.-based IT and digital security operations company.
“Change is driven when an executive’s personal well-being and finances are directly affected,” he told TechNewsWorld.