5 minute read 8 Oct 2021
A high angle view of rafters on a river

How COOs and CISOs can build ransomware-resilient operations together

By Richard Watson

EY Asia-Pacific Cybersecurity Risk Advisory Leader

Cybersecurity leader in the EY Asia-Pacific region. Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

Contributors
5 minute read 8 Oct 2021

A ransomware attack is a matter of if, not when. For COOs and CISOs, detection and response are key to achieving ransom resilience.

In brief
  • COOs need to involve the CISO and cybersecurity team in the design phase of their new technology initiatives.
  • COOs need to consider several factors when deciding whether to pay a ransom.
  • COOs need to work closely with the CISO to build a ransom-resistant detection and response plan.

For years, chief operating officers (COOs), like other function leaders across the enterprise, have, at times, faced resistance from their cybersecurity teams when considering the implementation of new technology. Chief information security officers (CISOs), meanwhile, feel undervalued as protectors of the organization. This dynamic has created an environment where COOs either avoid, subvert or completely ignore the cybersecurity team. And cyber attackers know it. With ransomware attacks on the rise, it’s time for COOs and CISOs to shift their perspectives toward cybersecurity and strengthen their relationship to combat a common foe.

In this article, we outline why ransomware attacks are on the rise and why it’s so important that COOs and CISOs work together to develop a detection and response plan to disrupt the cyber attackers, while shifting the culture so that cybersecurity is top-of-mind for every employee across the organization.  

Ransomware has become a threat actor’s weapon of choice

Prior to the COVID-19 pandemic, chief operating officers (COOs), were already dealing with multiple disruptions, not the least of which were massive-scale digital transformations. During the pandemic, digital transformations hit warp speed to maintain business continuity and build resilience. Organizations basically packed years of transformation into 12 months.

According to the EY Global Information Security Survey 2021, 81% of executives surveyed say that the pandemic forced organizations to bypass cybersecurity processes. At the same time, 77% of respondents say they have seen an increase in the number of disruptive attacks over the last 12 months, up from 59% over the previous 12 months.

Our experience with clients indicates that ransomware has become the cyber attacker’s method of choice for data breaches. These attacks take advantage of security gaps across people, process and technology. And the consequences can be significant.

To pay or not to pay? This isn’t the only question

Because a ransomware incident is not a reportable event in most jurisdictions, there are few statistics on how many organizations pay the ransom, although this is changing. Some jurisdictions, such as Australia and the US, are introducing or enacting legislation that makes reporting mandatory if ransoms are paid. Anecdotally, based on our experience with clients, we find that most organizations do pay because in many cases, it’s cheaper to pay than to recover.

However, paying is no guarantee that an organization will fully recover its data or that the attack will be a one-off event. Oftentimes, cyber attackers encrypt the organization’s systems in segments, requiring the organization to pay for individual keys that unlock each segment, not all of which may work.

Assume you will be attacked and be prepared to act

The first rule in building ransomware-resilient operations is to assume you will be attacked. It’s not a matter of if; it’s a matter of when. Further, having detection and response in place is key to disrupting and preventing ransomware attacks.

If you don’t have a policy or processes in place to act, start now. Test response processes and determine what your policy is for paying or not paying. Organizations tend to be binary when making this decision, but there are a number of intricacies and “what ifs” that you need to consider. For example, what if the threat actors exfiltrate data? Go after individual clients? Come back for a second extortion payment? There also needs to be a clear line of authority for crisis commanders, escalation paths for decision-making and initial decision boundary criteria that establish guardrails for handling the unique nature of a ransomware attack.

As an operational or cybersecurity leader, you will want to test the policy you develop to understand the risks and tradeoffs of the decision to pay or not to pay, who the stakeholders are, what the process will be, who will have the authority to make the decision to pay, and at what point the organization will have to disclose the attack.

Once the policy and processes are in place, as the CISO you will want to conduct, at least annually internal assessments of implemented controls to determine their effectiveness and basic maturity assessments of key controls to make certain that the organization can withstand a ransomware attack.

Having a detection and response plan is key to disrupting and preventing ransomware attacks.

Over the longer term, the COO and CISO will want to team to create a culture shift across the business that puts cybersecurity at the forefront of technology planning rather than in the background as an afterthought. Security by design, where security becomes embedded into the design process for every new technology initiative, is one of the best ways to protect the organization from cyber attacks generally and ransomware attacks specifically. Consider embedding a member of the cybersecurity team into technology projects at their inception, with the role of providing guidance around security architecture and controls throughout the project lifecycle.

According to the EY Global Information Security 2021, 57% of respondents believe the current cybersecurity crisis provides an opportunity for the cybersecurity function to raise its profile within the organization. However, as the CISO, you will need to more visibly position the cybersecurity function as a value-add part of every technology project.

GISS survey results

57%

of respondents believe the current cybersecurity crisis provides an opportunity for the cybersecurity function to raise its profile

As an operational or cybersecurity leader, you will want to test the policy you develop to understand the risks and tradeoffs of the decision to pay or not to pay, who the stakeholders are, what the process will be, who will have the authority to make the decision to pay, and at what point the organization will have to disclose the attack.

Once the policy and processes are in place, you will want to conduct, at least annually, internal assessments of implemented controls to determine their effectiveness and basic maturity assessments of key controls to make certain that the organization can withstand a ransomware attack.

Ultimately, to limit the impact of ransomware attacks, you will need to instill the company-wide importance that every worker at every level of the organization and across the ecosystem — from the board to the C-suite to management to entry-level employees to suppliers and partners — is responsible for thinking about the cybersecurity risks and acting to mitigate them. Create training programs to promote ransomware awareness.

Go from ransom-aware to ransom-resilient

The rise and acceleration of digital transformations are spreading the cyber attack surface, increasing the chances of a ransomware attack. By working together, COOs and CISOs can strengthen relationships between the business units and the cybersecurity function, and develop a cohesive detection and response plan for protection that takes an organization’s operations from ransom-aware to ransom-resilient.

Summary

The pressure to deliver digital transformation at speed, particularly during the pandemic, has led COOs to bypass cybersecurity processes. Not coincidentally, it’s at a time when cyber attacks are on the rise. Cyber threat actors are taking advantage of security gaps across people, technology and processes, and ransomware is their preferred method. COOs need to work closely with CISOs to prepare a detection and response plan, test it regularly, and create ransomware awareness across the organization.

About this article

By Richard Watson

EY Asia-Pacific Cybersecurity Risk Advisory Leader

Cybersecurity leader in the EY Asia-Pacific region. Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

Contributors