Countering ransomware: how to build the right cyber governance strategy
Despite what vendors and analysts may say, no single technical solution (or sum of technical solutions) provides complete protection against every cyberthreat. That is why this article does not aim to answer the question of deploying an EDR, an NDR or any type of technological hybridization, but rather how to define the optimal cyber governance strategy – aka the “what if” strategy – that companies should adopt to counter this increasing threat.
The goal is to reduce as much as possible the various cyber risks that threaten the perimeter in order to limit their probability of occurrence and to control their impacts if necessary.
Cyber governance consists of developing a strategy with three focus areas:
- Understanding the various cyber risks to a company’s perimeter
- Anticipating and limiting both their probability of occurrence and impact, should they occur
- Preparing for the occurrence of these risks and an attack by operationally defining the who, when and what of managing this crisis
The importance of ransomware governance
Ransomware attacks use at least three different psychological levers to increase the impact of an attack on their victims:
Authority: The attack takes the form of a surprise hostage situation on the company’s data. The instructions are limited and very directive, or even associated with threats of destruction.
Isolation: The immediate consequences of the attack are a withdrawal of the company away from its customers, partners and suppliers. Some attacks even encourage the company not to reach out for assistance by the competent authorities.
Urgency: An ultimatum is frequently part of the operating mode, employed before data dissemination or destruction of the information systems to reinforce the panic effect.
Cyber governance relies on understanding these levers to build a strategy of anticipation and support for effective crisis management.
How to build the right governance strategy against ransomware
Cybersecurity governance: best practices
A crisis management exercise is the best way to develop and train for cyber governance. These exercises should be conducted at multiple levels:
- For IT and operations only
- For IT and operations, along with management and communication teams
- Company-wide (including all employees)
These exercises do not need to be conducted in secret or organized as surprise drills. On the contrary, all communication around them must encourage employees to mobilize and contribute. Each exercise is the subject of a briefing and feedback conducted by the technical teams, management and staff representatives.
Another good practice is to organize this knowledge and resources under a crisis management plan. It becomes a critical asset of the enterprise, which must be protected. This plan must consolidate essential technical procedures (such as first aid) and heavier procedures (like the activation of resilience infrastructures) to enable teams to execute the strategy.
Sharing knowledge and feedback is key in anticipating and preparing for this type of crisis. The lever of isolation (driven by the shame of sharing one’s weaknesses) is used heavily by attackers, who note that very few victims/defenders will share their knowledge and best practices concerning modes of action. Peer-to-peer information sharing should be encouraged, and joint crisis exercises can even be organized.
Stay ahead of ransomware with the perfect governance strategy
When it comes to ransomware, the worst strategy is improvisation. Attackers want you to believe that you have no choice and that you must submit to their demands. Cyber governance is the perfect way to build an alternative to this situation and regain the advantage! It is a vital part of the enterprise’s resilience approach — consolidating and making sense of all the cyber technologies we deploy and operate — and answering the question, “What if?”
About the author
Senior Cybersecurity Manager and Consultant, Atos
Jean-Baptiste Voron has been working for ten years with the Chief Information Security Officers of major French groups on new cybersecurity issues.
With Atos since 2012 as an expert consultant in IT security governance and strategy, he is now responsible for the portfolio of cybersecurity offerings in France and leads the team in charge of cybersecurity pre-sales covering a range of more than fifty technologies and partners.
He frequently works with Atos’ strategic clients internationally in the design and deployment of cybersecurity solutions. Jean-Baptiste holds a PhD in IT security (joint US/French thesis) and a master’s degree in complex systems and applications from Pierre & Marie Curie University.