Cyber Resilience 2.0: Experts Talk Ransomware, Supply-Chain Risk, and Cloud Security

“Cyber pandemic” is a term first heard by most in business last spring, but its hyperbole makes the intended point: the COVID-19 pandemic and subsequent mass telework have begotten an alarming increase in cybersecurity attacks. Indeed, the US Federal Bureau of Investigation’s cyber division reported in April 2020 that it was receiving up to 400 percent more complaints per day than it received pre-pandemic.

That’s why resilience is more important now than ever, according to Robert E. Kress, a managing director and the global quality and risk officer at Accenture Security. To expand on this point and frame the current state of cybersecurity for directors, Accenture teamed up with NACD on March 3 to host a roundtable moderated by Christopher Y. Clark, publisher and senior director of partner relations at NACD, with speakers Kress and his colleague Vikram Desai, a managing director and the lead of the global products industries group with Accenture Security. To Kress and Desai, the top areas of concern today are ransomware, supply-chain risk, and cloud security.

Ransomware

This type of cyber threat was already a growing concern well before the declaration of a global pandemic. However, prior to the past year, ransomware mainly involved threat actors working their way into a business environment, encrypting data, and locking up a company’s ability to operate until the organization paid a ransom. With the onset of the pandemic, threat actors are evolving and growing smarter. In addition to encrypting an organization’s data, threat actors are now stealing data and intellectual property and threatening to expose the confidential or sensitive information, which may include emails from and between members of the C-suite. In parallel, the ransoms being demanded are dramatically increasing in price—into the millions and tens of millions of dollars.

There are a number of related risks directors should consider. These include the following:

1. Disruption risk. What is the potential that ransomware will disrupt the organization’s operations? What is the company’s ability to continue working and keep revenue coming in while under attack?

2. Loss of sensitive data. Legal and regulatory risk is involved. In more regulated industries, there are a greater number of potential penalties and fines if data is stolen and exposed.

3. Reputational risk. What can a ransomware attack do to the organization in the marketplace?

The risk of compounded attacks should not be forgotten. “Threat actors are smart in that once they understand an organization can be compromised, that organization goes on a ‘frequent flier’ list for attacks,” noted Kress. “You’re much more likely to be attacked again and again when it becomes known that you’ve been attacked.”

What can directors do? Kress recommends asking the following questions:

• Has the organization identified the systems, data, business units, and functions that are most critical?

• What are the systems and data that support those functions, and how does the company protect them?

• How long would it take to rebuild those functions and data in the event that they’re taken down by an attack?

• How quickly can the organization detect an attack and how quickly can it respond?

• Does the business have a crisis management response plan in place?

• Does the organization understand how and when a cyberattack must be disclosed and when to report the attack to law enforcement?

• Have the board and management discussed if the organization would be willing to pay a ransom, and if so, how much would it be willing to pay? Who will negotiate the ransom for the organization?

On the last question, Kress commented, “Negotiating this isn’t like having a Zoom call. It’s a different world. We’re talking cryptocurrency, how you engage with them would be different.”

“The beliefs and values of those holding your data hostage are very different than your beliefs and values—you’re not going to be able to connect,” Desai added. “You need someone, perhaps external, who can speak their language.”

Supply-Chain Risk

Ransomware and supply-chain risk often merge. A company’s value chain, including franchises, hotels, retail stores, or any kind of extension of the main business that attaches to the business’s processing systems, can be the target of an attack.

“You could be a top 250 firm with a franchisee that clicks a malicious email link, and it moves all the way back to the corporate office, and moves laterally from there,” said Desai. “If you’ve ever had fish at home, you put food at the top of the tank and all the fish converge on it. That’s what ransomware is like.”

The SolarWinds hack is perhaps the best recent example of exposure to supply-chain risk. In Kress’ mind, this massive attack by foreign agents in December was a gamechanger. “The one thing chief information security officers (CISOs) and chief information officers have relied on is the integrity of the updates from their suppliers,” he said. “For example, if your organization uses Microsoft Teams, when they issue their weekly patches for their products, CISOs would take those patches and assume they were good and implement them as quickly as possible. SolarWinds has challenged the integrity of even these core updates to systems. Organizations need to spend time testing that the patches they’re getting are actually good, but this extends the timeframe between patch release and when your organization can implement it.”

Questions about supply-chain risk the board may wish to ask management include the following:

• Does the company have a master list of its suppliers, and are they prioritized based on the access they have to the core business?

• Does the company know what sensitive data or connections it has from external organizations?

• Do the enterprise’s suppliers have suppliers, and what is known about them?

Cloud Security

COVID-19 accelerated the pace at which innovation has taken place. Why? Employees could not get to the office and employers could not easily monitor their workers’ Internet sources and activity, leading to the rapid creation of new working solutions. This has resulted in a faster migration to the cloud than previously expected.

“Many clients think cloud is going to give them great agility; it can. Many think it can save them money; it can. They think it is relatively easy to do; it is not,” said Desai. “And the answers to the first two questions are most often yes, it can, but no, it didn’t. And you shouldn’t shift everything onto the cloud as is. Don’t take your current data problems with you.”

Questions for the board to ask about moving to the cloud and how to keep cloud activities secure include the following:

• What cloud-based applications is the organization using and what should the company do with the outdated ones?

• What is the optimal outcome of moving operations onto the cloud? How long will it take? How quickly can the investment be recouped?

• What companies do the suppliers use that are beneath the cloud-as-a-service providers?

• How can the company build the talent and skills needed to operate cloud environments securely?

• What is the organization’s governance process around hiring or approving external providers?

• How many providers does or will the organization use?

On the last point, Kress noted that companies must strike a balance between concentration risk and having so many providers that the organization cannot effectively manage them all. “You probably don’t want all of your cloud hosting with a single provider. There is a concentration risk, and we’ve seen Amazon Web Services go down for a couple of hours—that has a big impact,” he said. “If you have more than two providers, though, I would start to question why.”

To close out the conversation, the two speakers offered final takeaways.

“The number one way in which you can minimize your risk associated with ransomware is through training. Accenture routinely tests all 500,000 of its employees. If you fail our testing more than three times, you go to school, and your email privileges are severely cut back,” offered Desai.

“Do you know what role your board plays in a cyber incident?” Kress questioned. “If the board can’t answer that, you’re not ready.”