The good news is that in the world of Cyber, the number of Ransomware attacks has actually been declining to some of the lowest levels in years. It reached its height during the COVID-19 pandemic, when anything and everything was a victim (and technically, this is still the case today). The mantra then and now has been to never pay the Cyberattacker the ransom amount that they are seeking. Why is this the case? There are numerous reasons for this, some of which include the following:
* There is no guarantee that you will ever receive the decryption keys that are needed to unlock your computer and the files that have been taken hostage.
* Paying will only encourage the Cyberattacker to come after you again, but this time asking for even more money.
* It will only fuel the appetite of the Cyberattacker (as well as their ego) to launch even grander attacks. Their thinking here is that if they can do it multiple times on smaller targets, then there is nothing stopping them from going bigger.
But there are times when perhaps a ransom payment could be considered, and actually made. One of the best examples of this is the recent Colonial Gas Pipeline attack. It brought a great amount of shortages to the east coast, and gas/oil futures prices were gyrating totally out of control. To keep things from getting worse, the CEO agreed to make a $4.4 million payment, and because of that, things started to normalize again.
But this was no easy process to accomplish, of that I am sure. Although the details of it were kept out of the news headlines, I am sure that there was a lot of back and forth between law enforcement and the Cyberattacker to try to work out a lower ransom. So, simply paying it is not the answer. If you decide to make a payment, or at least attempt to, it is important that you try to negotiate. Why, you may ask? Well, the primary benefit of this is that it can give law enforcement the critical time they need to track down the footsteps of the Cyberattacker, with the hope of bringing them to justice.
But this negotiation process takes a group of people, with the ransomware negotiator at the helm. Believe it or not, there are companies that specialize in doing this very task.
But now the question has started to come about: should the CISO become involved in this process as well?
Well, there are differing views on this, but a subset of this question is whether the CISO should become more involved in the procurement process when it comes to getting Cybersecurity insurance. After all, if you are hit with a Ransomware attack and make a payment, you will want to get reimbursed by your insurance carrier.
So how can the CISO help in this regard? Here are some areas:
1) They will be able to get more information:
When most CISOs start a new position, they are still getting acclimated to their new IT and Network Infrastructure. But with the Cyber threat landscape the way it is today, many insurance carriers are demanding a lot more information from businesses with regards to their security practices, and in fact are making them fill out a lengthy questionnaire which can run as long as 20 pages. Very often, this is left to the manager of the IT Department to figure out. But if the CISO were to get involved in this process, not only would it help him or her learn quickly about what is going on in their new environment, but it would also give a very positive impression to the underwriters of the insurance policy that this business is serious about what they are doing. And, by having the CISO sign the questionnaire, there is more assurance that the right controls are in place (at least in theory), and therefore that the business will not be a huge risk or gamble to take on.
2) They can become a good partner:
The truth of the matter is that most people are afraid to work with an insurance carrier. But if you were to bring your CISO to the table to work with them, they can actually forge a very valuable partnership. For example, through the questionnaire, the insurance company can act as a fresh pair of eyes when it comes to reviewing the controls you have in place. Best of all, rather than having to hire an expensive auditor, you can use this new partnership for free.
My Thoughts On This:
Keep in mind that not every company can even afford to hire a CISO in the first place, given just how expensive it is to hire and keep them. A lot of this is because of the enormous salaries that have to be paid, along with all of the extra perks, such as stock options and other types of bonuses. Plus, the day of the traditional CISO will most likely come to an end soon, as the burnout rate is very high.
But businesses still need a leader to keep the ship on a straight and navigable course in the Cyber world. So, are there any options? Yes, there is one. It is called the "vCISO". This is where you hire a highly experienced ex-CISO on a contract basis. What you pay them is a fraction of what you would pay in salary.
Best of all, you only keep them on for as long as you need them. You terminate the contract when you don't need them, and bring them back on board again as needed. These people are highly skilled in what they do, and they also have more contacts that you can tap into if you have other needs.
But whatever the situation is, you still need a leader in both Ransomware and Cyber Insurance negotiations, whether they are a direct hire or a CISO on a contract basis.