Recent high-profile ransomware attacks have seen victims succumb to the demands of attackers and pay the ransom. Any executive can sympathize with the urge to recover sensitive company data, and can probably understand the impulse to simply fold, hand over the ransom, and move on.
However, giving in to cybercriminals’ demands is bad policy, and it doesn’t make you safer. Instead, enterprises should refuse to pay ransoms. Whatever discretion the attackers promise, once it gets out that you paid up, other attackers will know your company is an easy mark. Alongside this refusal to pay, executive leaders should confront ransomware by making the digital risk a board-level issue. CEOs must lead the way in getting their organizations behind a single, coherent ransomware policy. These threats are not simply an IT issue; they are a whole-company issue. Here are some practical steps to follow for greater security.
Don’t Pay Up
Recently, CWT, a US travel management firm, paid a hefty sum of $4.5 million to ransomware hackers. This came after the criminals stole reams of sensitive corporate files and allegedly knocked 30,000 of CWT’s computers offline. Using a strain of ransomware called Ragnar Locker, the attackers encrypted computer files and rendered them unusable until the company gave in to their demands. To add insult to injury, the attackers left online the chat in which a CWT representative negotiated with them, despite promising to delete it.
Meanwhile, fitness brand Garmin is believed to have paid an even heftier ransom of $10 million, after attackers took data hostage and forced its services offline. Reports suggest that Garmin was hit by WastedLocker, a ransomware strain created by the Russia-based hacking group Evil Corp. The attack put Garmin’s wearables, apps, website, and call centers offline for several days.
When hit with ransomware, this is option one: pay the ransom and free the data that has been taken hostage.
The big problem with this approach is that it signals that you are willing to pay. Across the internet, in the eyes of cybercriminals, your organization is now seen as a viable target. You make your enterprise attractive to more attacks, from either the same hackers or another group. This is why fully half of ransomware victims suffer repeat attacks.
Have a plan, and be transparent
Norsk Hydro is one of the world’s largest aluminium companies. In 2019, it suffered a major ransomware attack (using the strain LockerGoga). The attackers held the company’s data hostage, disrupted production, affected 35,000 employees across 40 countries, and caused around $71 million in damages.
Unlike CWT and Garmin, Norsk Hydro didn’t fold. It decided not to pay the ransom. Instead, it was open and public about the attack, a decision that was applauded by security experts around the world, and it brought in an external cybersecurity team to help restore its operations using manual backups.
“Transparency is core to the Norsk Hydro culture,” says Halvor Molland, senior VP of Media Relations. “We wanted to help other industries learn from our experience. This way, they can be better prepared for situations like this and not have to go through what we did.”
“Paying the ransom will not help you out of the situation,” said Torstein Gimnes Are, Norsk Hydro’s corporate information security officer. “You will need to rebuild your infrastructure to be safe and be sure that the attacker is not still part of it.” Instead of paying, Norsk accepted the breach, and restored their data through trusted back-up servers.
Norsk’s response to the ransomware attack represents the alternative to folding and paying up. Yes, damage was done. Yes, data was lost. However, by refusing to negotiate, Norsk signalled to the cybercriminal world that it cannot be held to ransom.
Developing an Anti-Ransomware Executive Stance
Ransomware hackers spend many hours planning, testing, and executing attacks. If they think that an enterprise is unwilling to pay, they are unlikely to target them, for fear of wasting their time. By contrast, if you have a reputation as a ransom payer, you make yourself a very attractive target. In the long run, acquiescing to ransomware attackers only sets you up for more trouble in the future.
However, stoically refusing to pay ransoms as repeated data breaches occur is hardly an attractive stance. The best protection against ransomware is proactive prevention. And to combat the scourge of ransomware – which accounts for 27% of all malware incidents – executives cannot regard ransomware as an issue to be solved solely by the CISO or CIO. Instead, combating ransomware needs to become a board-level concern. This way, an anti-ransomware stance can be built into the foundations of the enterprise tech stack.
When ransomware is made a board-level priority, it makes decision-making easier. Everyone is on the same page, everyone knows the plan, and their part in it. To combat ransomware, the following things need to happen.
- Data backups need to happen like clockwork, as often as possible. They need to be combined with backup and restore drills.
- Third-party cloud channels – a rapidly growing source of ransomware attacks – need to be constantly monitored for threats with advanced digital risk protection software. Unlike email, which has a $3B security industry behind it, cloud channels are weakly defended, and cybercriminals know it.
- Endpoints need to be constantly watched for IOAs (Indicators of Attack). An endpoint detection and response (EDR) solution is critical.
When a CEO takes on and owns these and other anti-ransomware principles, they can drive policy, and take a personal hand in protecting their organization from multi-million dollar damages.
Commentary by Jim Zuffoletti.