A ransomware attack is no company’s idea of a good time, but I do sense one positive development emerging from the epidemic of attacks we’ve witnessed this year: Boards and senior management agree that they must move beyond a compliance-centric approach to cybersecurity, in favor of something focused much more on the fundamental security needs that modern organizations have.
I know what many of you are thinking: “Our enterprise already worries about cybersecurity all the time!” That’s true, but far too many businesses have tended to worry about cybersecurity in a certain way — the compliance way. And that’s no longer enough to keep a business safe and successful.
Even though ransomware is an operational disruption, it can trigger both operational and compliance consequences.
That is, for many years, boards and senior executives wanted assurance that the business complied with all its regulatory obligations for privacy and data security: state data privacy laws, HIPAA requirements, PCI DSS standards for credit card data, FedRAMP security rules for bidding on government contracts, and so forth.
Complying with regulatory obligations was the goal. If the enterprise met those expectations, then at least the business could say it had done what regulators asked it to do. Even if a data breach still happened — and happen they have, with alarming frequency — the company could suffer through a few quarters of higher costs and unhappy customers, while plowing ahead with normal business activity and waiting for the share price to rebound.
Ransomware is different. It disables your ability to operate, which costs you money; and you need to pay more money on top of that to get your data back — if the attackers give you that access at all. Who cares that you’re in full regulatory compliance when that disaster happens? Not the board or your customers, that’s for sure.
As one cybersecurity guru recently said to me, “It’s easier to solve for compliance than to solve for cybersecurity, because you know when the next audit is coming; so compliance is what we do. Cybersecurity is a game of whack-a-mole.”
That’s true, but the urgency of ransomware attacks means that we still need to solve the game of whack-a-mole somehow. So how can organizations do that, and what role should compliance officers play?
We will need more collaboration.
The biggest challenge will be defining who does what within your organization, and then understanding how various business functions will work together to achieve strong cybersecurity.
For example, you might need to maintain backup data centers (the IT department’s job), scan for malware (the IT security team’s job), assure correct contract terms with tech vendors you use (legal or procurement’s job), and gather employee certifications that everyone has taken cybersecurity training (compliance or HR’s job).
A good strategy here is to use cybersecurity frameworks such as those provided by NIST or ISO, to define necessary controls, policies, and procedures in a methodical way. Then assure that those jobs are assigned to specific people, who know their responsibilities and will be held accountable to them. (By the way, who leads this project at your business? Maybe the CISO; maybe a security committee. Whatever oversight solution you have, just have one.)
Develop better risk assessments.
Businesses will need to take a sharper look at their internal operations and ask: How could we fall victim to a cybersecurity attack, given how we work? That means you’ll need to conduct a thoughtful, comprehensive risk assessment with the most critical eye possible.
Plenty of risk assessments are premised on a different question: How could our enterprise violate the law, given how we work? Such analyses will never be unimportant, but operational risks are different than compliance risks. Your risk assessment needs to anticipate that reality.
That means a harder look at employee behaviors, and at the controls you use to enforce cybersecurity objectives: training, testing, onboarding of vendors, audits of vendors, and so forth. Are those controls sufficient for the latest threat landscape? Have you drilled a sufficiently “security aware” mindset into employees’ heads?
Build an integrated set of response plans.
One tricky part is that even though ransomware is an operational disruption, it can trigger both operational and compliance consequences — so your enterprise needs a response plan that encompasses both of those concerns.
For example, all firms want to resume operations as quickly as possible when a ransomware attack disables your business, but for banks and broker-dealer firms, it’s a regulatory requirement to have a plan for business continuity even amid such attacks. If your plan isn’t effective, you can face regulatory sanctions.
We also have the new executive order on cybersecurity from the current administration, which will require government contractors to report ransomware attacks and related cybersecurity disruptions. That could quickly pull a victim firm into a forensic investigation managed by one agency, plus legal action against the attackers launched by the Justice Department.
Well, what are your policies and procedures to cooperate with such a complex investigation? What about privacy concerns of personal data you might need to surrender? You’ll need response plans that give all these variables their due consideration. So think about what those plans should include, and who should be involved in drafting them.
Addressing these new, nebulous threats to cybersecurity won’t be easy. It will require more collaboration among compliance officers, security teams, and risk managers to develop “hardened” business operations that can withstand today’s threats and still achieve your company’s objectives.
That’s not a bad way for modern companies to work.