The ransomware problem appears unrelenting. In 2023, the total ransom payments from victims are estimated to have accumulated to around $1.1 billion. This is the highest level on record, indicating that the ransomware problem has not ebbed away despite reports in previous years that show declines in ransomware cases.
Certainly, organizations need to do something about ransomware attacks. Successful attacks have serious consequences that are not only limited to financial losses from ransom payments. They also cause operational interruptions or delays, which can lead to significantly reduced productivity. Moreover, successful ransomware attacks can cause reputational damage.
Everyone in an organization has a role to play in addressing the ransomware problem. However, aside from the cybersecurity department, the CEO is expected to be more involved in the efforts to fend off ransomware. With the CEO’s authority and direct influence over how an organization operates, the CEO can do a lot to improve the effectiveness of anti-ransomware efforts.
Imposing a No-Ransom Policy
Arguably the biggest reason why ransomware continues to be a viable cyber attack (for cybercriminals) is the payment of ransom. Perpetrators are enticed to launch more attacks because they get something out of their malevolent actions. If everyone maintains a strong policy of refusing to pay any ransom, the attack ceases to be rewarding.
Unfortunately, this is easier said than done. Business leaders who are desperate to restore their operations as soon as possible will always be tempted to take the easy way out. After weighing their options carefully, they may conclude that paying the ransom is the logical choice if it means cutting their losses significantly.
CEOs who are serious about ending the ransomware problem should look past the payment of ransom as an option. There are better ways to deal with the ransomware threat. Besides, there is no certainty that the attacker’s decryption will be fast enough to restore operations quickly. For example, in the high-profile Colonial Pipeline ransomware attack, the company reportedly paid a $5 million ransom, but it still had to rely on its own backups to restore its data because the perpetrator’s decryption tool was painfully slow.
Implementing Robust Cybersecurity Measures
The decision on which security policies to enforce and which tools to deploy usually falls under the purview of the Chief Information Officer (CIO) or Chief Information Security Officer (CISO). However, they may discuss the details of their organization’s security posture plan with the CEO and COO to align their focus, especially when it comes to expenditure and the sourcing of security solution providers.
CEOs may not have expertise in cybersecurity, but they decide how to efficiently allocate their organization’s resources. Also, their insights are important in assessing how viable the implementation of security measures will be. Not everything related to security can be fully delegated to the CIO. CEOs work with CIOs as well as legal and compliance teams, and sometimes with external consultants. It is particularly important for new organizations with highly technical operations to tap all the knowledge and experience they can get to ensure that they have adequate cyber defenses.
Incident Response Plan Formulation
There is no perfect cyber defense system. Breaches are not completely preventable. That’s why incident response plans are vital. It is important to know what to do in case ransomware manages to successfully encrypt files. CEOs should see to it that such an incident response plan is in place. The cybersecurity team usually prepares this plan without the business leadership directing it. However, it is advisable for the CEO to examine this plan and make sure that it is understandable to members of the organization who are not as tech-savvy as the cybersecurity team.
The incident response plan is not just for the cybersecurity team. Everyone in the organization should be aware of it and know what their roles are in addressing an ongoing ransomware attack. For example, as soon as the ransomware infection is detected, everyone who has access to data should be able to isolate whatever uninfected data they have. Also, it is necessary to have robust documentation and reporting mechanisms to facilitate the investigation of the attack and plug the vulnerabilities that may have been overlooked.
Regular Backups and Recovery Plans
In addition to validating the incident response plan, the CEO should also make sure that there are fully functional data backups and data recovery plans. Again, these are expected to have already been set up in most cases. However, it does not hurt to be emphatic about data backups and recovery plans. These are the biggest weapons against ransomware attacks. Organizations that have complete and dependable data backups can easily recover from such an attack.
It’s important, though, to make sure that the data backups are also properly secured. They have to be encrypted and stored on a reliable cloud server or on-premises storage that an attacker who has compromised the production network cannot reach. Additionally, the recovery plan should provide for the rapid retrieval of data to minimize the disruption and restore business operations as soon as possible, which means restores must be tested regularly rather than assumed to work.
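A backup that has never been restored is only a hope, so the check a practitioner wants behind the "fully functional data backups" the article calls for is a scheduled restore drill. The script below is an added example, not part of the article or any vendor's product: it backs up a small set of constructed sample files, records a SHA-256 manifest, restores from the backup and verifies every file against the manifest, and reports whether the backup is restorable. It assumes encryption at rest and the choice of offline or immutable storage are handled by the backup tooling; only the Python standard library is used, and the sample files and the "tamper" step that overwrites one backed-up file are constructed for the drill.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample files standing in for production data (not from the article).
SAMPLE_FILES = {
    "finance/ledger-2023.csv": b"date,amount\n2023-12-01,1250.00\n",
    "hr/roster.txt": b"alice\nbob\ncarol\n",
    "ops/runbook.md": b"# Restore runbook\n1. isolate hosts\n2. restore from backup\n",
}


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_data(root: Path) -> None:
    """Lay out the constructed sample files under `root`."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def create_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup` and record a manifest of
    relative path -> SHA-256. The manifest is what later proves the copy is
    intact; a real deployment keeps it (and the copy) on immutable or offline
    storage that a compromised host cannot alter."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_of(dest)
    (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(backup: Path, restore_to: Path) -> dict:
    """Restore every file listed in the manifest into `restore_to` and check its
    hash. Returns a report with ok / corrupted / missing lists and a single
    `restorable` flag, so a scheduled drill fails loudly instead of silently."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    report = {"ok": [], "corrupted": [], "missing": []}
    for rel, expected in manifest.items():
        src = backup / rel
        if not src.exists():
            report["missing"].append(rel)
            continue
        dest = restore_to / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_of(dest) == expected:
            report["ok"].append(rel)
        else:
            report["corrupted"].append(rel)
    report["restorable"] = not report["corrupted"] and not report["missing"]
    return report


def run_restore_drill(tamper: bool = False) -> dict:
    """End-to-end drill in a temporary directory: back up, optionally simulate
    damage to one backed-up file, then restore and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "source", root / "backup", root / "restore"
        write_sample_data(source)
        create_backup(source, backup)
        if tamper:
            # Constructed failure: one backed-up file replaced with junk, which is
            # what an encrypted or truncated copy looks like during a real incident.
            (backup / "finance/ledger-2023.csv").write_bytes(b"ENCRYPTED")
        return verify_restore(backup, restore)


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
    print(json.dumps(run_restore_drill(tamper=True), indent=2))
```

Run as a scheduled job, the `restorable` flag is the value to alert on; the per-file lists tell the responder which data sets need attention before an incident, not during one.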
Establishing Oversight and Accountability
It is not enough that rules and policies are implemented and that there are cyber protection tools put in place. CEOs should also make sure that there is proper enforcement and optimized use of the available solutions. It is important to conduct regular security assessments to plug all possible vulnerabilities that can be used to introduce ransomware and other malicious software into the organization’s network.
CEOs can also ensure that cybersecurity is a staple part of the discussions at the board level. Cybersecurity should not only be discussed when breaches or other major security incidents occur. It is important to have regular discussions about the organization’s security concerns and to ensure that cybersecurity is made a priority, not just an afterthought. Cybersecurity is not just about policies. Resources also need to be allocated to sustain good security practices. CEOs should see to it that executives are held accountable for the implementation of effective cybersecurity measures.
Providing Adequate Cybersecurity Training
One way CEOs can demonstrate a strong commitment to combating cyber threats is by providing systematized cybersecurity awareness and education to employees and others in their organizations. This is well within the functions and authorities of a CEO. Everyone should have a reasonable level of proficiency in dealing with ransomware and other threats. Cybersecurity, after all, is a shared responsibility. It cannot be the sole responsibility of a specific department or personnel.
Fighting Ransomware with an Administrative Function
The fight against ransomware has technical and administrative components. The former is handled by the cybersecurity team. The latter is something CEOs can have a more active role in. They don’t necessarily have to be directly at the forefront of the battle against ransomware. They just need to make sure that they provide clear and authoritative guidance on how their organization should take the problem of ransomware and other cyber threats seriously.