For all the clever coding involved, most ransomware delivers a very crude, but deadly message when it strikes your company. Important company files are locked, and may be destroyed, unless you pay a specific ransom amount, anonymously, with a short deadline. At that point, the panic sets in. But if your top management, IT team and board of directors have devoted some time, thought and resources in advance, you’ll know how to respond (and might dodge the bullet altogether).
In my own recent boardroom experience, how boards should deal with cybersecurity is one of the hottest topics. I’ve been an evangelist for getting boards active in setting and assuring effective corporate digital policies. Much of this should be basic good governance for the 21st Century. Realize that a cyber-attack is now a matter of when, not if. Make your board digitally savvy so it can ask smart questions on technology, threats, and liabilities. Assure things like up-to-date platforms, software, and third-party testing.
I should note that the majority of company hacking attacks still involve these conventional threats — the cyber equivalent of smash-and-grab theft. However, the special dangers posed by digital hostage taking demand a unique corporate governance role. If regular hackers penetrate your systems to steal money or data, there are few shades of grey. There may be debates between IT and the rest of management on budgeting for safeguards (the board should be IT’s advocate and “nudger” on this, by the way). However, the priorities after a conventional breach are never in doubt — assess and limit the damages, and learn from the attack.
How Ransomware is Different
Ransomware is existentially different, and goes to the heart of a board’s governance and fiduciary role. Do we as a company pay a ransom demand, or do we take the moral high ground and say no? Your board needs to tackle this question, with its uncomfortable blend of technology and ethics, now, before an attack. The major ransomware strains, such as Petya and WannaCry, offer a short time frame (sometimes as little as 24 hours) to pay up or face the consequences. Convening a board meeting that quickly to deal with a flash crisis would be both impractical and unwise. Further, the actual ransom itself can be oddly small. Would you really convene an emergency board session to discuss expending $1000?
Real-world board experiences with ransomware suggest a better way. I’ve seen ransom demands first-hand at one of my boards, and spoke with Bill Lenehan, CEO at Four Corners Property Trust, who’s also faced these traumas. Here are some board ideas specifically targeted at dealing with the unique threat of a ransomware attack:
— Get your ethical discussion out of the way now. Your top executives and IT staff need guidance from the boardroom on the big question of whether or not the company should submit. The call is not an easy one. Losing business (and perhaps the business itself) by taking the moral high ground is not your call as a shareholder fiduciary. Your number one mission is to protect the business for investors. That may involve the tough decision to pay up if it will save data or needed access.
“Boards need to provide guidance and support on how this is handled,” recalls Bill Lenehan. He finds laying out the issues directly to the board helps clarify their thinking. “I was talking with a 70-year-old board chair, and said, ‘Let me throw you a curve. You’re trying to close a $200 million acquisition, when suddenly your employees get a ransomware demand for a total of $3000. If you don’t pay, you jeopardize the deal, your relationship with numerous counterparties, and maybe the company itself.’ The response: ‘My God, I never thought of this!’”
Why Your Board Should Be Concerned
Hold this debate now at the board level, because when a hacker’s WARNING screen pops up, it’s too late for philosophy.
— Shape a corporate ransomware policy based on this discussion. Take the strategic principles the board has developed and turn them into a working tactical policy. Include functional steps, like who is to be notified, who makes the final payment decision, damage/cost tradeoffs to weigh, etc. Also, will you even be able to pay the crooks? It sounds distasteful, but assure that you have the mechanisms in place to quickly meet the ransom demands if you choose to.
“You don’t want to be scrambling to pay, figuring out how to practically make this work,” Bill Lenehan recalls from his own experience as CEO of Four Corners Property Trust. At 5:30 one morning, he received a text message from the company controller telling him there was a problem — a short-term ransomware attack was spreading globally. “Our board chairman was out of the country, hours behind us, so what do I do as CEO? Would I pay, or not pay, do I even need to inform my board, or just hurry to set up a Bitcoin account?”
The CEO and other staff should not have to make these decisions on the fly — and if they do, it’s the fault of the board, which didn’t prepare in time. “Ransomware is not the fault of the CEO,” notes Lenehan. “It’s like a school snow day — you have to set your decision policies in advance.” (Lenehan also notes that his small company has a staff of 12, and is as far off the business news radar as can be — yet hackers still found them).
Having no policy can mean being unable to respond at all. At a major company whose board I serve, we faced a short-term ransomware demand, and decided we had to pay. But the hackers demanded payment in Bitcoin, and the company didn’t have a Bitcoin account. This took two days to set up — by which time the deadline had passed. Also, ask what you’ll do if other problems crop up. In Europe, a recent Petya attack demanded payment to the bit-napper’s Posteo email account. But before victims could comply, Posteo had blocked the mailbox.
— Ransomware is not just an internal danger. Even after you shape a sound emergency policy for your corporate response, what about the suppliers, customers and advisors you depend on? Lenehan tells of a ransomware strike, not at his company, but at a major law firm they were depending on to close a $20 million acquisition. “The lawyers got an email from IT early in the morning telling everyone to not turn on their laptops, and check them in immediately.” A pending deal was suddenly frozen solid.
How to Defend Your Organization
What would happen at this very moment if one of your top vendors’ or clients’ IT systems instantly went dark for an uncertain period of time? Are they able to back up their information with systems completely walled off from the afflicted ones?
— Fight hackers with unconventional warfare. Above, I noted the generic things a board can do to improve the technical odds of avoiding and fighting cyber mischief. Push IT to innovate outside its normal comfort zone. Third-party vendors like Optiv, SecureWorks, and Stroz specialize in penetration testing, 24/7 threat monitoring and ethical hacking. Your IT staff says they have the latest software updates and threat assessments? Good — let’s contract with outside experts who can make sure. The expenses involved should be modest, and today are a basic cost of doing business. Want to drive a car? You need to buy insurance. Want to operate in today’s digital world? Invest in outside cyber-expertise.
— Speaking of insurance, check your liability and other business policies when it comes to hacking damages, and specifically ransomware costs. What sort of losses are covered, which aren’t, how much could ransomware losses total, what compliance measures must you have in place, and what are disqualifiers? Also, how should your company decide on making a claim? (If you file a claim for a ransomware payment of $5000, will your premiums shoot up by ten times that amount?) “If someone demands $350 in Bitcoin, it may be like when someone keys your car in a parking lot,” notes Lenehan. “Rather than making a claim, you just get it detailed out on your own dime.”
Ultimately, boards and management need to respond to a ransomware crisis the same way they respond to any company crisis. They must assure good response tools and plans are in place and functioning, that tough questions are asked, and that everyone knows their role. But for the board, ransomware prep demands an added step — asking yourself if you’re ready to deal with the devil.