
Ransomware: When Policy Matters Most
Most CISOs divide their approach to cyber defense into three pillars: people, technology, and processes. These pillars define a cybersecurity program's defensive architecture and arsenal, available assets, and policies and procedures that together inform critical processes.
Ransomware crystallizes the value of this pillared approach and, in particular, points to the necessity of a focus on policy.
Poorly Trained People Can Create Ransomware Risks
CISOs value the people who comprise and support critical programs. Any component of a program that isn't automated relies on personnel to develop, configure, operate, and maintain it. Any automated component achieves a state of confidence only because personnel test and confirm that steady state.
People form the core of every successful cybersecurity program. Quality cybersecurity professionals are hard to find and retain, and modern CISOs therefore emphasize recruiting and retention as a key objective for their cybersecurity programs.
Technology
CISOs also value the technology they deploy to protect and defend their organization's assets, information, and operations. In simple terms, CISOs can't deliver on the expectations set by their organizations without technology that is current, usable, and designed for and devoted to the cybersecurity mission. Technology must be properly configured and maintained, but first those technical parts and pieces must be procured—as a product or service—and deployed.
Most CISOs have a significant collection of technology assigned to specific cybersecurity tasks: securing the organization's network or endpoints, protecting data, and observing, collecting, and detecting potential indicators of compromise. The list of available technology is growing, and CISOs' choices are constrained only by budgets and detailed design conflicts.
When developing their cybersecurity risk management strategy, CISOs must ensure that this list of available technologies is reflected in it.
Processes and Policy
The third pillar, processes, is the one that is typically deemphasized, or worse, sometimes entirely neglected.
Processes include how a cybersecurity organization operates, its procedures and policies, and finally standards and guidelines. Processes inform a cybersecurity team about how to get things done as well as indisputable clarity on the organization's expectations.
To begin, processes define an organization's behavioral expectations; not just how an organization operates, but why it operates that way. They are documented rules of behavior. Policy, by comparison, is the place where an organization exhibits its rules for all cybersecurity engagement.
Policy lies at the nexus of procedure and culture. What are an organization's compliance considerations? What are approved behaviors for activity monitoring, log collection, and behavioral observation? What are the limits of the organization's risk tolerance?
Most policy is established outside of the CISO's organization. Policy—with a capital P—is owned by the broader organization and fostered by the organization's leadership. Policy at this level can define an organization, and so it makes sense that the most senior level of an organization must approve it. Most organizations have a limited number of policies at this level, because each of them matters so much. A subset of these policies may even require approval and stewardship by an organization's board of directors.
Ransomware and Its Impact on Processes and Policy
As the unprecedented risk of ransomware continues to pervade every business, CISOs have redoubled their efforts to attract and train ever more capable cybersecurity teams. They have also identified gaps in their technology set and filled in as many of those gaps as possible, to detect and react to ransomware attempts early and comprehensively.
While people and technology try to mitigate the risk or impact of ransomware, policy development or redevelopment for ransomware tends to lag. Some organizations have no particular ransomware policy at all. Others have a basic policy that may fail to serve the organization when it is pressed to make critical ransomware-related decisions.
These decisions aren't easy, and each option needs to be informed by a clear understanding of its implications. A smart organization, for example, contemplates the ransomware scenarios it may someday face, long before the first evidence of an actual attack. The organization then articulates and adopts policy that guides its response to each scenario. If organizations haven't done so already, they should develop or redevelop ransomware policy right now.
Ransomware scenarios appear, on the surface, fairly binary: pay or don't pay.
It's not sufficient for most organizations to stipulate that, if confronted with a successful ransomware attack, they will or won't pay. While some organizations may have a blanket "never pay" policy, there are still details or conditions they should consider: the size of the ransomware demand, the organization's ability to respond with mitigations, recalls, and restores, and the organization's culture and mission. More on this in a moment.
By contrast, for an organization to adopt an "always pay" policy in all ransomware cases, it must assume worst-case scenarios in which the ransom demand may exceed the organization's ability to pay. More reasonably, an organization's policy to pay would need to be capped at some amount so that the organization could actually afford to pay. Otherwise, you have an untenable policy.
An organization with an "always pay" policy arguably doesn't have much confidence in its organization's—or its CISO's—ability to weather a successful ransomware attack. Could an organization recall and restore all its data and systems? Are there viable, tested backups that could serve as trustworthy replicas of the production environment? Are the backup, recall, and restore processes themselves reliable?
An organization that has an "always pay" policy doesn't have much faith in its ability to withstand the storm. If it had any faith, then its policy wouldn't be to always pay, but instead to pay in certain conditions and not to pay in other conditions.
The reliability of the ransomware attackers and the financial structure behind them matters, too. Would an "always pay" policy make sense if cryptocurrency intermediaries assess that the attackers are unreliable and that, even if they are paid, they may not release some or any of the ransomed assets?
What if the criminal was simply inept: very good at encrypting things, but not very good at decrypting them? What would an organization do if it paid the ransom but was unable to get whole afterward? That is a bridge no organization wants to cross.
More recently, we've seen a hybrid kind of ransomware attack, which combines asset encryption (data and systems) and possible data exfiltration (a copy of the organization's data has been stolen). An organization's ransomware policy becomes much more complicated in this scenario.
Would it be okay to "always pay" to receive a decryption key for an organization's data even if a copy of that data was already available on the dark web?
An alternative to an "always pay" policy is a "never pay" policy. Such a policy can be equally challenging to abide by. There are well-publicized examples of ransomware victims that flatly refused to pay a ransom under any conditions.
Such a policy position places enormous faith in an organization's ability to restore to a workable production state in all cases; that is, regardless of what data and systems have been encrypted, what operations have been disrupted, or what degree of impact severity the organization experiences, it will not pay any amount to recover, but instead, will in all cases rely on its backup/recall/restore processes to get whole.
While a "never pay" policy may align with an organization's culture, the inherent pain caused by unknowns in the recovery process likely can't be calculated in advance. Thus, an organization with a "never pay" policy says that, regardless of surprises in backup processes, regardless of failures in recalls and restores, regardless of any eventuality other than success, the organization is willing to accept every potential outcome.
A "never pay" policy also assumes that an organization is prepared to weather a different kind of storm—potentially of its own making. Processes don't always work as expected, technology fails more often than any of us plan for, and people under stress sometimes make mistakes. Establishing a "never pay" policy means that an organization is willing to accept surprises, detours, and failures of every kind along the way to a state of recovery that may not satisfy the organization's needs.
There are happy mediums, of course, including policies that are neither so loose that they are unworkable nor so tight as to restrict granular considerations for "what-ifs." An organization may decide to pay up to a specific, previously defined amount, or it may decide to never pay unless the potential impact, as projected or calculated, is more than an organization can reasonably bear.
The critical path for an organization's ransomware policy discussion runs right through the boardroom. No two organizations are the same, and generic policy should be filtered out early in that discussion. Every organization should decide what matters most, appreciating that often organizational imperatives conflict with organizational culture.
It's crucial that every organization establish and understand its position on ransomware. It is equally critical that organizations establish and understand this position before an attack, not in the heat of a fire but before the flame starts.
Frequently Asked Questions
Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures like firewalls and antivirus software. This process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization’s information assets, reputation, and legal standing, making it a crucial component of any organization’s overall risk management strategy.
The key components of a Cybersecurity Risk Management program include risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.
Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures like robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and conducting employee training to recognize potential threats. The use of security software, such as antivirus and anti-malware programs, can help detect and eliminate threats, while regular data backups can mitigate damage from data breaches or ransomware attacks. Having an incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.
A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of these risks, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.
Continuous monitoring is a vital component of Cybersecurity Risk Management, providing real-time observation and analysis of system components to detect security anomalies. This enables immediate threat detection and response, helping to prevent or minimize damage. It also ensures compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system performance, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decision-making processes about resource allocation, risk management strategies, and security controls.