GovernWith Blog

GovernWith blog for Boards, Directors and Executives who want to develop their governance capabilities so they achieve their strategic goals and mitigate risk

Posts about: Cyber Security

Cyber Attacks - Paying Criminals

Navigating Ransomware Payments: Guiding Boards in Cyber Crisis

Understanding the Urgency:

Ransomware attacks force boards into high-stakes decisions under time pressure, usually with incomplete information. This article walks through what actually happens when an organisation decides to pay a ransom, so that boards understand the legal, financial and technical considerations before they face that choice.

[Video: Cyber Attacks Paying Criminals snippet]

Weighing the Decision to Pay:

A ransomware attack puts an organisation at a crossroads. Governance expert Wes Ward underscores the seriousness of these situations, characterising the attackers as organised crime groups with specialised cyber divisions. Boards must grasp the urgency: business continuity, reputation and stakeholder trust all hang in the balance.

Navigating Sanctions and Cyber Insurance:

Initiating a payment is not a straightforward money transfer. David Rudduck, an incident response specialist, emphasises the importance of not inadvertently paying a sanctioned entity: making a payment to a sanctioned person or group can itself be an offence, regardless of the payer's intent, so the threat actor's identity has to be checked before any funds move. This is where specialist ransomware negotiators become pivotal. Cyber insurance may reimburse the cost, but organisations usually need to fund the ransom upfront. The process typically involves transferring funds to the negotiation firm, which converts them into the cryptocurrency the criminals demand, usually Bitcoin.

The Intricacies of Payment:

Once the payment is sent, a waiting game begins. Bitcoin transfers are not instant: the transaction has to be confirmed in enough blocks on the blockchain before it is treated as final. Threat actors wait for those confirmations before acknowledging receipt, because an unconfirmed transaction can still be replaced or double-spent, whereas a confirmed one cannot be retracted. Only then does the decryption phase begin.

Decryptor Delays and System Recovery:

Obtaining the decryptor does not guarantee a smooth return to normal operations. The decryptor may arrive late, may be slow or buggy, or may fail on some systems, and files corrupted during encryption may not be recoverable at all. As a practical safeguard, the decryptor should be tried first on isolated copies of affected systems rather than directly on production, to confirm that it works and contains nothing malicious. Boards should expect setbacks during restoration: repairs, rebuilds and some data loss are common.

Broader Implications and Board Vigilance:

Choosing to pay a ransom isn't an isolated event; it has far-reaching ramifications. The intricate process, uncertainties, and potential setbacks underscore the need for proactive board engagement in cybersecurity matters. These incidents spotlight the significance of robust incident response strategies, risk assessment, and proactive measures.

Conclusion:

The evolving cyber threat landscape demands an encompassing grasp of ransomware attacks and the intricate decisions they trigger. Boards must internalise the urgency, legal nuances, and technical intricacies tied to ransom payments. By recognising the complexities involved and the possible aftermath, boards can better equip themselves for worst-case scenarios, diligently striving to prevent and mitigate the aftermath of ransomware attacks on their organisations.

Cyber Attack Planning Workflows & Timelines

Navigating Cyber Incidents: Strategies for Directors and Timely Response

Cyber incidents are now an unavoidable challenge for businesses of every size and sector. This article draws on insights shared by David Rudduck on managing them effectively: containment and eradication, business resumption, forensic analysis, legal considerations and customer notification. It also covers the role of boards and directors, and why realistic planning timelines belong in every incident response strategy.

[Video: Boardroom Workflows & Timelines snippet]

Containment and Eradication: Halting the Cyber Attack

When a cyber attack surfaces, the initial step is containment and eradication. This process mirrors halting bleeding in a medical emergency, where businesses must swiftly arrest the threat's progression and eliminate the attacker's presence from the environment. Successful containment and eradication prevent further damage, safeguard data, and minimise the attack's impact.

Business Resumption: Swift Recovery Strategies

Following containment and eradication, the focus transitions to business resumption. Critical systems take precedence during this phase, as they're essential for restoring operations. Efficiently prioritising systems ensures that businesses achieve partial operational status, minimising the economic repercussions of downtime.

Concurrent Steps: Forensics and Root Cause Analysis

While containment, eradication, and business resumption proceed, forensics and root cause analysis run concurrently. Forensics scrutinises the threat actor's activities within the environment, particularly significant for sectors handling sensitive data. Healthcare and other industries grappling with personal information must ascertain whether data access triggered regulatory mandates. Legal experts provide valuable guidance in ensuring compliance and tailored regulatory advice.

Balancing Transparency: Effective Customer Notification

Notification is one of the hardest post-incident tasks, and many organisations struggle with it because their data governance is weak: they do not know precisely what personal information they hold, where it is stored or whose it is. Under the Privacy Act's notifiable data breach requirements and sector-specific data storage obligations, deciding whom to notify and what to tell them is complex. Rudduck stresses that notifications should be informed ones, grounded in careful analysis of what data was actually accessed, so that affected individuals can take sensible protective steps.

The Role of Legal Consultation: Navigating Complexities

Legal guidance is instrumental in navigating post-incident challenges, particularly in the realms of notification and regulatory compliance. Enlisting legal partners well-versed in cyber incidents and regulations ensures proper communication, mitigating reputational damage and legal ramifications. Experienced legal teams can provide insights into crafting effective communications that resonate with stakeholders and the media.

Managing Expectations: Timely Communication and Planning Timelines

A successful incident response entails aligning stakeholder expectations, including boards and customers, with realistic planning timelines. Effective communication strikes a balance between the urgency of updates and the time needed for thorough analysis and remediation. Transparent communication fosters trust while maintaining accurate reporting.

Involving Boards and Directors: A Comprehensive Approach

Cyber incidents underscore the crucial role of boards and directors. Their strategic oversight is pivotal in crafting and implementing robust incident response strategies. Empowered directors with a nuanced understanding of cyber threats contribute to better decision-making during incidents.

Conclusion

As the threat landscape continues to evolve, businesses must prioritise cyber incident preparedness. An adept incident response strategy, encompassing containment, eradication, business resumption, forensics analysis, legal considerations, and transparent customer notification, is essential for minimising damage and protecting both operations and reputation. Furthermore, involving boards, directors, and planning timelines elevates the overall cyber resilience of an organisation.

Boardroom Policies for Ransomware Attacks

Strengthening Board Directors' Role: Navigating the Evolving Cybersecurity Challenge

In today's dynamic corporate governance landscape, the role of board directors has expanded to encompass a comprehensive understanding of the primary risks facing organisations. Among these challenges, the escalating spectre of cyberattacks has underscored the imperative for board directors to equip themselves with the necessary knowledge and skills to navigate this intricate terrain. This article delves into insights from governance expert Fi Mercer, emphasising the pivotal significance of board directors' proficiency in cybersecurity and the strategies boards can employ to effectively tackle this pressing issue.

[Video: Boardroom Policy snippet]

Understanding the Responsibility of Board Directors:

Fi Mercer emphasises the weighty responsibility board directors bear for the principal risks facing the organisations whose boards they sit on. That responsibility extends beyond the boardroom: directors must actively engage with, and understand, the key risks that can affect the organisation.

Evaluating the Skill Sets of Board Directors:

A fundamental aspect of addressing these risks involves evaluating the skill sets of board directors. Fi Mercer proposes periodic assessments to gauge the competencies held by directors in relation to the evolving risks. In instances where directors lack the requisite skills, a structured plan should be implemented to augment their knowledge and capabilities, ensuring their preparedness to navigate the organisation's challenges effectively.

Cybersecurity: A Foremost Risk:

A predominant challenge in the contemporary landscape pertains to the dearth of cybersecurity acumen among board directors. Fi Mercer underscores that this knowledge gap presents a noteworthy concern, as it hampers directors' ability to pose pertinent inquiries and render informed decisions concerning cybersecurity affairs.

Navigating the Complexity of Cybersecurity:

The rapid evolution of cybersecurity mandates that board directors proactively seek a deeper grasp of the domain. Fi Mercer's insights propel organisations to take prompt action to rectify this knowledge gap:

  1. Education and Training for Directors: Engaging in educational programs and training sessions focusing on cybersecurity is crucial for board directors. These initiatives offer a foundational understanding of key concepts and emerging threats.
  2. Collaboration with Cybersecurity Experts: Partnering with cybersecurity specialists offers board directors insights into the latest advancements and best practices. This collaboration empowers directors to contribute effectively to discussions surrounding cybersecurity.
  3. Conducting Cybersecurity Audits: Regular cybersecurity audits and evaluations are essential to pinpoint vulnerabilities within the organisation's infrastructure. Active involvement from board directors in reviewing findings and recommending necessary enhancements is paramount.
  4. Incorporating Cybersecurity into Boardroom Conversations: Allocating dedicated time for cybersecurity deliberations during board meetings underscores its significance. This practice elevates cybersecurity as a priority and ensures it is integral to boardroom deliberations.
  5. Continuous Learning: Cyber threats change constantly, so board directors must stay abreast of the latest trends, regulations and best practices in cybersecurity. This knowledge empowers them to pose pertinent questions and make well-informed decisions.

In Conclusion:

In an era where digital vulnerabilities wield significant impact, board directors are entrusted with the task of bridging the cybersecurity knowledge gap. The insights from Fi Mercer act as a poignant reminder that effective corporate governance mandates proactive involvement from board directors in addressing the prime risks confronting their organisations. By investing in education, collaborating with experts, and seamlessly integrating cybersecurity discussions into boardroom deliberations, board directors wield a pivotal role in fortifying their organisations against cyber threats. In doing so, they ensure that their boards are aptly poised to navigate the intricate and ever-evolving cybersecurity landscape.

Ransomware Attacks

Safeguarding Your Organisation Against Ransomware Attacks:

A Comprehensive Guide for Governance and Boards

In the ever-evolving digital landscape, the spectre of ransomware attacks looms large over organisations of all sizes. These malicious cyber threats can have catastrophic consequences, compromising sensitive data, disrupting operations, and causing financial and reputational harm. As ransomware attacks become more sophisticated, it is crucial for governance bodies and boards to take proactive measures to protect their organisations. This article delves into the significance of ransomware attacks, their implications for governance, and strategies to fortify cybersecurity defences.

[Video: Ransomware Attacks snippet]

Understanding Ransomware Attacks:

Ransomware attacks involve the unauthorised encryption of an organisation's data, rendering it inaccessible until a ransom is paid to the attackers. Many groups also copy data out of the network before encrypting it and threaten to publish it, so restoring from backup alone does not end the extortion. These attacks typically exploit vulnerabilities in systems, networks and human behaviour. The cost extends well beyond the ransom itself: downtime, data recovery, legal and regulatory penalties, and reputational damage.

The Role of Governance and Boards:

Governance bodies and boards play a pivotal role in safeguarding organisations against ransomware attacks. Their responsibilities encompass setting cybersecurity policies, allocating resources for cybersecurity measures, and overseeing risk management strategies. Recognising that ransomware attacks can have far-reaching implications, boards must actively engage in cybersecurity discussions and decision-making.

Implications for Governance and Boards:

Strategic Integration: Ransomware attacks have far-reaching consequences that extend beyond IT departments. Boards need to integrate cybersecurity considerations into their strategic planning processes. A cyber incident can disrupt operations, erode stakeholder trust, and undermine long-term objectives. Boards must ensure that cybersecurity is part of the overall risk management strategy.

Risk Mitigation: Ransomware attacks represent a significant risk to organisations. Boards need to collaborate with cybersecurity experts to identify vulnerabilities and implement robust risk mitigation strategies. This includes regular security assessments, employee training, and maintaining up-to-date security protocols.

Financial and Reputational Impact: Beyond the financial cost of ransom payments and recovery efforts, boards must consider the reputational damage that a successful ransomware attack can inflict. A breach can erode customer trust, damage brand reputation, and lead to customer attrition. Boards should oversee crisis communication plans and ensure transparency in case of an attack.

Regulatory Compliance: Many industries are subject to strict data protection regulations. Ransomware attacks can lead to violations of these regulations, resulting in legal penalties. Boards need to ensure that their organisations adhere to relevant compliance standards and that cybersecurity measures align with regulatory requirements.

Strategies for Fortifying Cybersecurity Defences:

Multi-Layered Defence: Implement a multi-layered cybersecurity approach that includes firewalls, intrusion detection systems, encryption, endpoint security and, critically for ransomware, offline backups that are regularly tested by actually restoring from them. Boards should ensure that cybersecurity budgets allocate resources to these components.

Employee Training: Human error remains a common entry point for ransomware attacks. Boards should emphasise the importance of ongoing cybersecurity training for employees. Phishing prevention and proper handling of suspicious emails are crucial aspects of employee education.

Incident Response Plan: Develop a comprehensive incident response plan that outlines actions to take in the event of a ransomware attack. Boards should review and approve this plan, ensuring that it covers communication strategies, data recovery processes, and coordination with law enforcement.

Vendor Risk Management: Third-party vendors can be a source of vulnerability. Boards should assess the cybersecurity practices of vendors and demand compliance with security standards as part of their contracts.

Conclusion:

Ransomware attacks are an ever-present threat that demands the attention of governance bodies and boards. By understanding the implications of these attacks, boards can actively contribute to the development of robust cybersecurity strategies. The collaboration between boards, management, and cybersecurity experts is essential in fortifying an organisation's defences against ransomware threats. Through strategic integration, risk mitigation, and proactive measures, governance bodies can safeguard their organisations and ensure their continued success in the digital age.

Cyber Incident Response Plan for Not for Profit Organisations

Building a Cyber Incident Response Plan: A Step-by-Step Guide

Imagine waking up one morning to find that your organisation's sensitive data has been compromised. Panic sets in as you realise the extent of the damage caused by a cyber incident. In today's digital landscape, where threats lurk around every corner, it's crucial for businesses to be prepared for such scenarios. This is where a cyber incident response plan comes into play.

Negotiating with Cyber Criminals and Cyber Insurance

The Key Role of Cyber Insurance in Negotiating with Cyber Criminals

Key Points

  • Cybercrime Negotiations: Dealing with cyber criminals is complex and requires experts who understand their tactics and strategies.
  • Cyber Insurance: Cyber insurance provides financial and reputational protection against cyberattacks, offering access to professionals experienced in negotiation and data recovery. Michael Parrant, Aon Australia's leading cyber expert, discusses this in the webinar replay linked at the end of this post.
  • Real-World Examples: Organisations across Australia face unique cybersecurity challenges and can benefit from cyber insurance expertise.

[Video: Negotiating with Cyber Criminals snippet]

Understanding the complexities of negotiating with Cyber Criminals

As a board director, you are responsible for the security and stability of your organisation's digital infrastructure.

The threat of cybercrime, particularly ransomware, looms large in today's technology-driven world. This article sheds light on the complexities of negotiating with cyber criminals and the indispensable role cyber insurance plays in safeguarding your organisation. Drawing on real-world examples, it explains why engaging professionals with expertise in the evolving cybercrime landscape matters.

Understanding the Criminal Enterprise:

It is crucial to recognise that cybercrime is not a small-scale operation. It has grown into an industry that ranks among the largest revenue generators globally. The criminals operating in this space are professionals in their own right: they conduct due diligence on their targets, identify pressure points and execute deliberate negotiation strategies. Organisations should therefore seek assistance from experts who understand how these criminals operate.

The Value of Cyber Insurance:

Fortunately, most insurance providers offer access to vendors who specialise in negotiating with cyber criminals. Engaging these professionals becomes even more critical in the face of a ransomware attack. Cyber insurance provides organisations with the means to mitigate the financial and reputational risks associated with such incidents. By partnering with cyber insurance providers, you gain access to experts who handle these situations regularly, providing guidance on the criminal enterprise at hand, their reliability in delivering decryption keys, and their tendency to publish data.

Learn more through our ‘Negotiating with Cyber Criminals and Cyber Insurance’ snippet

Sector Specific Scenarios:

Independent Schools:

Independent schools, like any organisation, are susceptible to ransomware attacks. The loss of student records, financial data, or intellectual property could have severe consequences for both the school and its reputation. Engaging cyber insurance vendors who possess extensive experience in negotiating with cyber criminals allows schools to navigate these challenges effectively, ensuring the safe recovery of data and minimising disruption to daily operations.

Aged Care Providers:

Aged care providers handle sensitive personal and medical information, making them prime targets for cybercriminals. A ransomware attack on an aged care facility could compromise patient privacy and disrupt critical healthcare services. By leveraging cyber insurance, providers can access specialised vendors who understand the unique challenges faced by the aged care sector. These experts guide organisations through negotiations, ensuring the restoration of services while protecting patient data.

Human Services Providers:

Organisations offering vital human services, such as disability support or crisis helplines, possess confidential data entrusted to their care. Cyber attacks targeting these organisations not only jeopardise the privacy and safety of vulnerable individuals but also hinder their ability to deliver essential services. Cyber insurance offers a lifeline, allowing human services providers to engage professionals experienced in negotiating with cyber criminals. This ensures minimal disruption to services and reinforces the organisation's commitment to its beneficiaries.

Hospitals and Healthcare:

Hospitals are particularly vulnerable to ransomware attacks due to their heavy reliance on interconnected systems and critical patient data. Such attacks can have life-threatening consequences, potentially disrupting medical services and compromising patient safety. Engaging cyber insurance vendors who specialise in working with healthcare institutions provides hospitals with the necessary expertise to navigate negotiations with cyber criminals. This expedites the recovery process and helps safeguard patient data, ensuring continuous care delivery.

Community Service Organisations:

Community service organisations play a vital role in supporting and empowering communities. Disruption to their services resulting from a cyber attack can have far-reaching consequences for the people they serve. Cyber insurance becomes an essential component of their risk management strategy, offering access to professionals well-versed in dealing with cyber criminals. These experts facilitate negotiations and help restore services promptly, enabling community organisations to fulfil their mission.

Why understanding the threat is not enough

Negotiating with cyber criminals is a complex undertaking that requires expertise and a comprehensive understanding of the evolving cybercrime landscape. As board directors, it is crucial to recognise the magnitude of this threat and take proactive measures to protect your organisation. By engaging with cyber insurance providers and their associated vendors, you gain access to professionals who possess the knowledge and experience to navigate the intricate world of cybercrime negotiations.

Remember, cyber insurance is not just an added expense but a strategic investment in your organisation's resilience. It provides financial support, expert guidance, and peace of mind during times of crisis. The examples from the not-for-profit sector highlight the tangible benefits of cyber insurance in mitigating risks and ensuring the continuity of operations.

To learn more about Cyber Attacks and the Cyber Crime landscape, view our Webinar replay with Michael Parrant here


Understanding Cyber Security Definitions for Effective Governance

Cyber Security Key Points

  • Understanding cyber security definitions is crucial for not-for-profit organisations in the Australian sector.
  • Real-world examples highlight the importance of implementing robust security measures and frameworks.
  • View videos from Australia's leading cyber security experts


Safeguarding Digital Assets in the Not-for-Profit Sector

In today's increasingly digital landscape, the not-for-profit sector faces unique challenges when it comes to protecting valuable digital assets. 

Having conversations about Cyber and IT in the Boardroom

The ever-changing technology landscape brings a lot of new language to the table, which makes cyber seem complicated and like one of those technically detailed conversations. It doesn't have to be.

The frequency we are hearing terms such as cyber and cyber-security reported in the news is growing – even as recently as last week with the NSW Education department being hit by a cyber-attack. The Australian Institute of Criminology has released a report putting the total economic cost of cyber-crime across Australia at $3.5 billion in 2019, including $1.9 billion lost by individual victims. 

With the depth and breadth of technology needed to run and work within an organisation increasing and the ongoing maintenance of the technology that this entails, the risk the IT infrastructure poses to the organisation is also escalating. 

As a Board director, you’re empowered to question the risks of any aspect of an organisation and with that comes the need to educate yourself to understand those risks and your organisation's preparedness to respond to those risks. It’s also worth noting that the Federal Government is working on new cyber-security standards that include corporate governance, first floated in the 2020 Cyber Security Strategy, which may hold directors personally responsible for cyber-attacks.  Addressing cyber and IT infrastructure risk should be no different to addressing finance or stakeholder engagement risk for example. 

It’s important that Board directors identify these risks as organisational risks and not just an IT problem, as taking this approach will encourage your peers, stakeholders and employees to take the same approach. 

In our research into cyber-security we found a TechRadar report that up to 99 per cent of cyber-attacks require human interaction to execute. This is why it is so important to bring all levels of the organisation along on the cyber and IT infrastructure conversation.

So, how do you have the conversation? 

The CEO is a lynchpin in the conversation, bringing information to the board and acting as a leader for the organisation's attitude to this topic. A great place to start is to have a strategic plan for cyber and IT Infrastructure for the organisation in place and that plan should be a regular part of the Board’s agenda and papers. 

What questions should be raised at a Board meeting?

The Australian Cyber Security Centre has published a prioritised list of mitigation strategies to assist organisations in protecting their systems, called the Essential Eight. A great question off the back of those strategies is “how do we stack up?” 

It doesn't have to be that detailed, though. As suggested in the book The Secure Board, some great questions are:

  • Do we know who has access to our critical information assets and how is this monitored and managed? 
  • What happens in the event a key supplier is compromised? 
  • In our security team, how many people are focussed on the security of technology, and how many are focussed on the behaviours of our people? 
  • Are we doing everything we can for our customers to protect their data that we hold? 

The most important thing though, is that the cyber and IT infrastructure conversation at the Board room level starts straight away before an incident occurs. The acceptance of these risks as organisational risks needs to be guided from the top, to then filter down through the whole organisation. 

If you’d like to hear more from experts in the field, watch our recent webinar Cyber Security for Boards where Fi Mercer chats with Anna Leibel and Claire Pales about how it’s no longer a question of if you need to know about cyber-security but when you’re going to learn. 

This article takes inspiration from Anna and Claire’s book, The Secure Board, which is a fantastic starting point for assuring your board is addressing and understanding the cyber risk in your organisation.

Cyber Security and Boards

Last year cybercrime increased 600% globally. In 2021, cybercrime is expected to be a $6 trillion business, which will make it more profitable than the illicit drug trade.

Blog by Claire Pales and Anna Leibel, co-authors of The Secure Board and Directors of The Secure Board Advisory 

“In our book "The Secure Board", which was released in March 2021, and at the May Governance Evaluator webinar we explain cyber risk in non-technical terms so you will have confidence next time your IT or security leader attends your Board meeting.” 
- Claire Pales and Anna Leibel, authors of The Secure Board and Directors of The Secure Board Advisory 

Written for current and aspiring Board members, "The Secure Board" provides the insights you need to ask the right questions, to give you the confidence your organisation is cyber-safe. Designed to be read either in its entirety or as a reference for a specific cyber security topic on your upcoming board agenda, "The Secure Board" sets aside the jargon in a practical, informative guide for Directors. 

"The Secure Board" is the second book from Claire Pales and the first for her co-author Anna Leibel. Claire and Anna are the founders of the boutique advisory firm The Secure Board and leading experts in cyber security and technology. They are independent advisors who have worked with many boards and committees in both Australia and Asia. Anna is also a current director on the board of Ambulance Victoria. Based on their work with boards and executives, their local research and global trends in cyber, the book covers the five key elements of cyber knowledge that Directors expressed concerns about when it came to managing cyber risk.

“I recommend The Secure Board as essential reading for all leaders. It will equip you with the knowledge and foresight to protect your information and your people.” 
– David Thodey AO, Chair of CSIRO 

“[This book] will challenge you to stop, to reflect and then re-set some of your governance thinking. Anna and Claire, you have made a great contribution to the development of all Directors who choose to pick up this book” 
– Ken D. Lay AO APM FAICD, Lieutenant-Governor of Victoria 
