These four steps can mitigate your risk and be the difference between a quick response to a cyberattack and one that grows unwieldy.
Cybercrime continues to be a top risk globally for businesses. The threat continues to grow for organizations of every size, and the attacks are getting more sophisticated. Ransomware, in particular, has become the highest cyber threat facing businesses today and has become extremely lucrative for cybercriminals, so companies need to put precautionary systems in place.
Damages from ransomware attacks will cost organizations approximately $20 billion in 2021. Of course, more than just ransom money is at stake for companies. The true cost of a ransomware attack may include business interruption, computer forensic costs, defense costs, privacy breach notification costs, fines and penalties, and harm to your business reputation.
At the same time, it’s challenging for leaders to gain an understanding of the full scope of a loss. Many companies don’t understand how a ransomware attack will affect their balance sheet or operations.
There’s no silver bullet to guarantee protection, but if you combine technology with people, processes and external support, you’ll be in the best possible position. Here are our recommendations to best prepare for and mitigate the damage from a ransomware attack.
1. Cycle through the cyber loop
Cybersecurity strategy is circular, rather than linear, in nature; you need to continually cycle through the four stages of assessment, quantification, insurance and incident response readiness.
Assessment results allow for strategic decisions to be made in the context of an organization’s culture and risk tolerance and mitigation. There are multiple assessment services available, from general scans for your system’s weak points to more detailed evaluations such as external vulnerability assessments and penetration testing. Some providers allow you to benchmark your preparedness against peer organizations and receive customized remedial recommendations.
To gain a better understanding of the financial impact of a cybersecurity attack, you should conduct a loss quantification study. A number of different methodologies and tools are available that range from sophisticated cyber risk benchmarks to management-oriented approaches. Typically, large organizations have more success quantifying cyber risks, but small companies need to make it a priority, as they're often the targets of cyberattacks.
It’s crucial that insurance is part of your preparedness discussions so you can be sure the policy will indemnify you for the potential loss. Cyber insurance is a valuable tool, and many insurers offer their clients value-added mitigation services.
2. Create—and test—your response plan
Every organization needs to have an Incident Response (IR) Plan in place for ransomware attacks and for all other cyber incidents. The IR Plan should be established, rehearsed and tested to ensure your organization is well-aligned and takes the right critical steps to mitigate ransomware losses should an attack occur. Waiting until after an attack to make those decisions, when stress is high and minutes count, is not recommended.
Having an established IR strategy that encompasses people, processes and technology can mean the difference between managing a crisis and losing the fight against the attackers. Data forensic and IR consultants should be retained prior to an incident, and should be agreed upon by your cyber insurance carrier – in fact, your insurer will have pre-approved third-party response professionals in such areas as forensic incident response, legal counsel, crisis communications and ransom negotiation and payment.
Testing the IR Plan is critical. Create and adhere to a testing schedule of at least once or twice a year. Organizations often overlook this step, but having a strong plan does nothing if you haven’t tested it to gauge its effectiveness. Top cybersecurity IR consultants recommend hiring an outside vendor to help you run tabletop simulations, some of which will include a law firm, a forensic firm or both.
3. Integrate cyber preparedness into your culture
Rank-and-file employees, as well as the C-suite, are on the front lines of protecting your company from ransomware attacks and all other cyber incidents. To ensure employees stay vigilant, there must be a cultural shift regarding the approach to cybersecurity.
In the past, cyber risks were viewed as being solely an IT issue. But today, the risks are too great for one team to handle. Both leaders and employees need to adopt a risk control mentality in their day-to-day job, which often means slowing down to take an extra moment before opening an email or attachment, to make sure it’s safe.
Cybersecurity and phishing training also need to be creative, exciting and engaging and not punitive. Such training is too often a one-and-done event during new employee onboarding instead of occurring multiple times a year for the entire workforce. The most prepared organizations use an online platform that’s gamified, to engage employees in learning about high-risk areas and what happens if they click on certain links. Practice is key: as with any other skill, employees’ ability to identify risks (and attention given to cybersecurity overall) diminishes with the time that passes between trainings.
Trainings are important for reasons beyond the attacks themselves. Cyber insurance underwriters are looking for reassurance that your cyber strategy includes the proper policies and procedures, and also that you’re taking cultural steps to mitigate your risk.
4. Cyber insurance is a must, but it is not enough
Cyber insurance and risk transfer solutions are essential for any business; however, they are just part of the cybersecurity equation. Your organization’s resilience to a ransomware attack depends on a stable of retained third-party incident response vendors already in place to help mitigate business interruption costs and critical loss of reputation when every minute counts. If you suffer an attack, you won’t have the time or presence of mind to research vendors and negotiate contracts. Those contacts are available through your cyber insurer, who will have a pre-qualified network of cybersecurity professionals and services at your disposal.
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
CNA CyberPrep