When the subject is ransomware, we usually think of smaller municipalities and school districts, which often don't have the resources to fend off increasingly sophisticated cyberattacks. But enterprises are increasingly under attack by ransomware criminals, which is very likely why the subject came up so often at the recent National Association of Corporate Directors (NACD) Global Leaders’ Summit.
The meeting included several panels on cybersecurity, and every one I attended included some questions and discussion about ransomware. That’s a good thing. It shows that directors and board members know their companies are increasingly at risk.
If anything, ransomware attacks aimed at the enterprise are probably under-reported. Public companies may not have to report such attacks, even if they are successful, unless data is stolen. If the data is encrypted and held for ransom, reporting requirements likely don’t apply.
A growing problem for the enterprise
A recent report from Malwarebytes found that while ransomware targeting consumers has declined sharply, attacks on businesses have increased dramatically, from nearly 2.8 million in the first quarter of 2018 to around 9.5 million in the first quarter of 2019.
Apple chipmaker TSMC had to temporarily halt manufacturing because of a WannaCry infection, with losses estimated at up to $250 million. Then came NotPetya, which caused an estimated $10 billion in losses globally. Other companies hit included FedEx (a $400 million loss), Merck ($870 million) and Saint-Gobain, a French construction company ($384 million). Keep in mind these estimates include lost sales, data recovery efforts and the cost of improving cyber defenses as well as paying ransoms.
So what should directors and board members do?
One clear takeaway is to come to grips with two things. First, current security solutions may weed out a portion of the ransomware links and attachments sent to your employees (whom some security professionals consider an organization’s weakest link), but it’s unlikely those solutions will do a complete job. Second, there are ways to improve protection against ransomware without adding tons of new tools or trying to recruit specialized talent. One strategy is a Security-as-a-Service approach.
Ask your security teams about their ransomware strategy
If they tell you, "We're good to go," ask if they depend solely on an anti-virus solution. Hopefully not, because most organizations hit by ransomware are already running an anti-virus product. If your security people talk about advanced endpoint technology, patching, threat intelligence, improved email filtering, account resetting, blocking outbound connections to the source of the ransomware, or searching email across all accounts for ransomware links or objects … well, all that’s a good start.
The truth is, it should be all of the above, which is why many organizations are now looking into Security-as-a-Service. The beauty of this approach is that you don't have to recruit new security talent, build new capabilities or try to integrate new tools. Instead, you consume security literally as-a-service, just as you would other utilities, with anti-ransomware (and other security capabilities) updated regularly as the provider’s intelligence and capabilities grow.
In my experience, security-as-a-service not only can work, it does work.
About Bob Kress
As the co-COO and Global Quality and Risk officer at Accenture Security, Kress is responsible for identifying, assessing and managing risk in Accenture's Security business, along with overseeing the quality of Security services delivered to clients. He is also responsible for Accenture Security offerings to Boards of Directors and serves as the Midwest Region Security lead. Kress is a trusted C-level advisor for Accenture’s clients. Combine this with his work with many members of the NACD, and it’s clear he enjoys a high-level view of this landscape.