If you’re a CISO, you will face at least one major disruptive cyber attack in your career. The data is compelling: our CISO Report indicates that 90% of respondents suffered at least one disruptive attack in their organization over the last year. Breaking those numbers down further, 43% said they experienced a significant attack once, 34% “a couple of times” and 13% “several times.”
The top three concerns for CISOs were social engineering attacks (40%), OT/IoT compromise (37%) and ransomware (33%) — threats that not only feature prominently in the media but are also financially devastating, with the potential for long-term brand and reputational damage.
While ransomware came third on this list of concerns (79% said they treat ransomware like any other potential cyber threat), CISOs are eyeing it with increased caution. Ransomware continues to evolve as a costly thorn in the side of CEOs, CISOs and security professionals alike. Knowing this, CISOs have a chance to ramp up cyber defenses and be more strategic in their approach, as they continue to find ways to minimize its impact — or avoid being a target altogether.
Ransomware: A lucrative proposition
Dodging ransomware may be easier said than done, however — all but 4% of our respondents reported suffering an attack, with 52% experiencing one that significantly impacted their business systems and operations. And while 46% maintained that they were able to remediate the ransomware with minimal impact to their systems, 65% said that they have a low level of confidence in their ability to detect and respond to future attacks. That doesn’t bode well.
Clearly, 96% of CISOs reporting that they fell victim to ransomware is significant. But brace yourself — 83% of those who answered said they paid the ransom. That 83% breaks down as 18% who paid the ransom directly, 37% who paid through cyber insurance and 28% who paid through a third party.
And it’s not cheap. The single most common range was $25,000 to $99,999 (44%), but more than half of respondents paid more than $100,000, and 9% (one in 11) paid $1 million or more. That’s a hefty payout for ransomware gangs — and many desperate organizations gamble with their reputations in the hope of decrypting their data, recovering their systems and preventing the release of sensitive material.
CISOs are keenly aware of the risks; the majority (69%) maintain that paying a ransom exposes them to legal liability in the future. Those that pay likely run a cost-benefit analysis and conclude that the risk is worth making the threat disappear and avoiding exposure. Yet even after payment, organizations are often unable to fully recover their lost capabilities — there’s no honor among thieves. And cyber insurance is no silver bullet; 62% say it doesn’t cover them in a ransomware situation. It’s also difficult to obtain and, when it does apply, often falls short of full reimbursement.
A strategic approach to cyber defense
Don’t think boards aren’t watching. Seventy-three percent of CISOs say they feel that their governing body/board of directors is overly concerned about ransomware and the potential threat it poses to their organization. And the majority of CISOs (71%) say that when they faced successful ransomware attacks, the governing body/board required regular updates as they sought to resolve the issue. That scrutiny likely won’t go away anytime soon.
For CISOs, effectively addressing ransomware requires a more strategic, proactive and thorough approach to cyber defense (read: check, double-check and triple-check your systems). While there are no guarantees, you can put the odds in your favor by making sure you have offline, segregated, regularly tested backups. Designate maintenance responsibility, run tabletop exercises to practice your response plans, and conduct regular checks to confirm that backups are actually restorable: a completed backup job proves nothing until files have been restored and compared against what was backed up.
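What “regularly tested” looks like in practice, as an added example that is not from the CISO Report or Splunk’s own tooling: a small restore test that snapshots a source tree with a SHA-256 manifest, restores the snapshot into scratch space and compares every restored file against the manifest. The directory layout, file names, manifest format and the use of random bytes to stand in for ransomware ciphertext are all assumptions made for the demo.

```python
# Added example (not from the CISO Report or Splunk's own tooling): a minimal
# backup restore test. It snapshots a source tree with a SHA-256 manifest,
# restores the snapshot into scratch space, and compares every file against
# the manifest, so "the backup job succeeded" is replaced by "the backup
# restores and matches". File names, paths and the manifest layout are
# assumptions chosen for the demo.
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    return {"created": time.time(), "files": files}


def take_backup(source: Path, backup_dir: Path) -> None:
    """Copy source into backup_dir/snapshot and record a manifest beside it.
    The manifest is computed from the source, so it is the reference the
    restore must match, independent of whatever later happens to the snapshot."""
    shutil.copytree(source, backup_dir / "snapshot")
    (backup_dir / "manifest.json").write_text(json.dumps(build_manifest(source)))


def verify_restore(backup_dir: Path, max_age_seconds: float) -> list:
    """Restore the snapshot into a scratch directory and check it against the
    manifest. Returns a list of findings; an empty list means the backup passed.
    A stale manifest is a finding too: a backup job that silently stopped
    running is as useless as one that was encrypted."""
    findings = []
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    if time.time() - manifest["created"] > max_age_seconds:
        findings.append("stale: last backup older than max_age_seconds")
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup_dir / "snapshot", restored)
        expected = manifest["files"]
        actual = build_manifest(restored)["files"]
        for rel, digest in expected.items():
            if rel not in actual:
                findings.append(f"missing: {rel}")
            elif actual[rel] != digest:
                findings.append(f"corrupt: {rel}")
        for rel in actual:
            if rel not in expected:
                findings.append(f"unexpected: {rel}")
    return findings


def demo() -> dict:
    """Run the check against a constructed source tree three times: clean,
    after a simulated ransomware overwrite of a backup file, and after the
    backup has aged past its allowed window."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (source / "config.yaml").write_text("retention_days: 30\n")
        backup = root / "backup"
        backup.mkdir()
        take_backup(source, backup)
        clean = verify_restore(backup, max_age_seconds=86400)

        # A backup reachable from the production network is a target: simulate
        # ransomware overwriting one file in the snapshot with ciphertext
        # (random bytes stand in for the ciphertext here).
        (backup / "snapshot" / "db" / "customers.csv").write_bytes(os.urandom(64))
        tampered = verify_restore(backup, max_age_seconds=86400)

        # Simulate the backup job having silently stopped eight days ago.
        manifest = json.loads((backup / "manifest.json").read_text())
        manifest["created"] -= 8 * 86400
        (backup / "manifest.json").write_text(json.dumps(manifest))
        stale = verify_restore(backup, max_age_seconds=7 * 86400)

        return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'PASS' if not findings else findings}")
```

The point of the design is that the manifest is written from the live source at backup time and kept separate from the snapshot, so a snapshot that was later encrypted, truncated or silently not refreshed fails the restore check rather than passing because “a backup file exists.” In a real deployment the same check would run on a schedule against the offline or segregated copy, and a non-empty findings list would page the backup owner designated above.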
It will also behoove CISOs to run board-level exercises to exert some real-yet-safe pressure on those systems. Bring threat scenarios up often and early with your board and leadership — as well as with your security teams. And when you are faced with an actual ransomware threat, have the requisite incident management practices and protocols in place to ensure everything runs smoothly without resorting to panic mode.
Meanwhile, CISOs and their teams cited gaps within security controls (29%), incident response and/or communications process issues (29%) and gaps within the data sources used for security monitoring (28%) as the primary reasons for their most disruptive breaches of all kinds. On a more optimistic note, these gaps also point to where investment in better, more comprehensive monitoring across the organization will pay off.
It’s safe to say that ransomware isn’t going away anytime soon. It is already evolving into new and more destructive iterations. But part of the resilience journey is simply being prepared, and CISOs can leverage ransomware’s inevitable presence to better educate their leadership and board, promote best security practices throughout the organization and ensure sustained security investment in the future.
For more insight on how fellow cybersecurity leaders today are thinking about ransomware, AI, boardroom communication and more, read the full CISO Report.
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.