Countering ransomware: how to build the right cyber governance strategy

Despite what vendors and analysts may say, no single technical solution (or sum of technical solutions) provides complete protection against every cyberthreat. That is why this article does not aim to answer the question of deploying an EDR, an NDR or any type of technological hybridization, but rather how to define the optimal cyber governance strategy – aka the “what if” strategy – that companies should adopt to counter this increasing threat.

The goal is to reduce as much as possible the various cyber risks that threaten the perimeter in order to limit their probability of occurrence and to control their impacts if necessary.

Cyber governance consists of developing a strategy with three focus areas:

  1. Understanding the various cyber risks to a company’s perimeter
  2. Anticipating and limiting both their probability of occurrence and impact, should they occur
  3. Preparing for the occurrence of these risks and an attack by operationally defining the who, when and what of managing this crisis

The importance of ransomware governance

Ransomware attacks use at least three different psychological levers to increase the impact of an attack on their victims:

  1. Authority: The attack takes the form of a surprise hostage situation on the company’s data. The instructions are limited and very directive, or even associated with threats of destruction.
  2. Isolation: The immediate consequences of the attack are a withdrawal of the company away from its customers, partners and suppliers. Some attacks even encourage the company not to seek assistance from the competent authorities.
  3. Urgency: An ultimatum is frequently part of the operating mode, employed before data dissemination or destruction of the information systems to reinforce the panic effect.

Cyber governance relies on understanding these levers to build a strategy of anticipation and support for effective crisis management.

How to build the right governance strategy against ransomware

Phase 1: Knowledge is power

Without going back to the precepts of Sun Tzu, a ransomware attack takes place on familiar ground for the victim — their own. It is surprising that many organizations fail to realize the benefit in this. After all, who knows your turf better than you do? This is one of the advantages you must exploit.

Phase 1 is also known as the anticipation phase or the period before an attack — a very valuable preparatory phase. The first thing to do is to know your perimeter, your assets and your processes in order to make informed decisions during the crisis.

Some questions that you should be prepared to answer are:

  • Where is the inventory of workstations and servers?
  • What are the emergency contacts of customers, suppliers, partners, and authorities?
  • What are the backup cycles and recovery procedures?
  • What are your business processes and underlying IT chains?
  • What are the consequences of an interruption to the internet connection for these processes?
  • Who are the people needed to restore/rebuild the service? Who are their backups?

Identifying the weak points or vulnerabilities of your business and organization is also a very cost-effective preparatory action. By default, a ransomware attack will use the simplest means to propagate and trigger itself. Knowing your weaknesses allows you to increase detection and protection in these areas and limit the consequences of a possible attack.

Not all company employees are experienced IT users and experts. The concept of ransomware is probably not as clear to them as it is to you. And yet, a ransomware attack has a high chance of directly impacting them. In addition to the usual hygiene recommendations, which they may already be familiar with, it is essential to explain the consequences of such an attack and to prepare users for its effects. These could include inaccessible business processes, slower support functions and altered work methods. It is also key to give users an idea of the resolution timeline, and to tell them how to identify a crisis communication channel and the right contact people (to limit the isolation effect).

Phase 2: Execute the strategy

If all the procedures in the anticipation phase were followed properly, crisis management merely consists of executing these procedures. However, in a ransomware incident there are two major aspects of crisis management to focus on:

  • The orchestration of technical procedures must be carried out within a very clear and supervised framework of responsibility. Even if well prepared, crisis management is not automatic. Some decisions must still be taken, for which the responsibility framework is essential. For example, a crisis is not the ideal moment to brainstorm about who should have the right to cut the company off from the Internet or take down the website.
  • Even if all procedures have been prepared and rehearsed, a crisis generally requires teams to work 24/7 to restore the impacted services as quickly as possible. This mode of working, which is unusual in IT, requires human vigilance. It is essential to ensure that the most affected employees are rested and replaced during the crisis.

Cybersecurity governance: best practices

A crisis management exercise is the best way to develop and train for cyber governance. These exercises should be conducted at multiple levels:

  • For IT and operations only
  • For IT and operations, along with management and communication teams
  • Company-wide (including all employees)

These exercises do not need to be conducted in secret or organized as surprise drills. On the contrary, all communication around them must encourage employees to mobilize and contribute. Each exercise is the subject of a briefing and feedback conducted by the technical teams, management and staff representatives.

Another good practice is to organize this knowledge and resources under a crisis management plan. It becomes a critical asset of the enterprise, which must be protected. This plan must consolidate essential technical procedures (such as first aid) and heavier procedures (like the activation of resilience infrastructures) to enable teams to execute the strategy.

Sharing knowledge and feedback is key in anticipating and preparing for this type of crisis. The lever of isolation (driven by the shame of sharing one’s weaknesses) is used heavily by attackers, who note that very few victims/defenders will share their knowledge and best practices concerning modes of action. Peer-to-peer information sharing should be encouraged, and joint crisis exercises can even be organized.

Stay ahead of ransomware with the perfect governance strategy

When it comes to ransomware, the worst strategy is improvisation. Attackers want you to believe that you have no choice and that you must submit to their demands. Cyber governance is the perfect way to build an alternative to this situation and regain the advantage! It is a vital part of the enterprise’s resilience approach — consolidating and making sense of all the cyber technologies we deploy and operate — and answering the question, “What if?”

About the author

Jean-Baptiste Voron

Senior Cybersecurity Manager and Consultant, Atos

Jean-Baptiste Voron has been working for ten years with the Chief Information Security Officers of major French groups on new cybersecurity issues.
With Atos since 2012 as an expert consultant in IT security governance and strategy, he is now responsible for the portfolio of cybersecurity offerings in France and leads the team in charge of cybersecurity pre-sales covering a range of more than fifty technologies and partners.
He frequently works with Atos’ strategic clients internationally in the design and deployment of cybersecurity solutions. Jean-Baptiste holds a PhD in IT security (joint US/French thesis) and a master’s degree in complex systems and applications from Pierre & Marie Curie University.
