Emerge stronger through disruption

Episode 17: Building resilience for recovery from a ransomware attack

February 08, 2022 PwC Season 1 Episode 17

Are your leaders prepared to withstand the intense pressure and disorientation of a ransomware attack? PwC UK Cybersecurity Partner Bobbie Ramsden-Knowles and Global Crisis Leader Kristin Rivera explore the options for responding to these potentially crippling attacks – and emerging stronger.

Kristin Rivera:
Welcome to our podcast series, Emerge stronger through disruption. I'm Kristin Rivera and I lead Global Forensics at PwC as well as our Global Crisis Centre. I'm coming to you today from San Francisco, California. In each episode of this series, we speak with our global colleagues about the challenges facing business leaders during disruption.

In our last few episodes, I've spoken with colleagues about the rise in disinformation — and most recently ransomware and its potentially devastating effects on organisations. Today we're turning our attention to preparing for and recovering from a ransomware attack.

My guest is Bobbie Ramsden-Knowles, who's a partner in PwC's UK Crisis and Resilience practice. Bobbie, welcome. Would you mind sharing a little bit about yourself for our listeners?

Bobbie Ramsden-Knowles:
Yeah, of course. Thanks for having me, Kristin. So yeah, I'm one of the partners in our UK Crisis and Resilience practice. And I spend a lot of my time helping clients build resilience, but also prepare for disruptive events and also supporting them through live events.

And right now I'm working with many boards and executive teams on helping them both prepare and respond to ransomware attacks.

Kristin:
Thanks, Bobbie. I am delighted that you're here with me today.

In our last episode, I spoke with our shared colleague Richard Horne, who like you is a cybersecurity specialist, and we spoke about ransomware — its emergence as a global security threat and its evolution into a profitable criminal enterprise with geopolitical implications.

And it continues to scale. In the first half of 2021, more than $590 million was paid in ransomware in the US alone. And to put that in perspective, that compared to just $420 million in all of 2020. (source)

So, having covered the terrifying threat that ransomware poses to companies today, in our last episode, I am on the edge of my seat, wondering what companies can do to combat the threat.

And I suspect many of our listeners feel the same. So, Bobbie, please educate us on what companies can do to prepare for this kind of threat.

Bobbie:
Yeah, absolutely, Kristin. As we all know, it's not if; it's when. And all organisations need to consider how they both respond to a ransomware attack, but also their ability to recover. And actually also how they would deal with a data breach whilst being unable to operate as an organisation when hit by ransomware.

The important point is ransomware is a scenario you can absolutely plan for. And it's important that you do, because when you're in the middle of it, you'll be making decisions before you have all the information that you need. So getting your executive team comfortable in managing this type of complex disruptive event is absolutely critical.

Ransomware is the type of crisis that happens instantaneously and often becomes public very, very quickly.

So I'd say there are four key areas you really want to think about as you prepare for this type of crisis.

The first one is, does your organisation have key cybersecurity controls in place to prevent attackers getting a foothold? And secondly, do you have clear visibility of the IT estate to maximize chances of early detection before an attacker can detonate the ransomware?

And thirdly, do you have a resilient business, which can contain the spread of ransomware and also allow you to respond quickly?

The fourth point: Is your organisation prepared for this type of disruption? And is there confidence in how you recover? I'm just going to expand on that point for a second.

So, thinking about the response piece, ransomware attacks are unique in the immediate scale of impact they can have across an organisation. And therefore it's critical that you have an enterprise-wide crisis-response framework that can be invoked to coordinate the response across the organisation.

Now, what we find is that some organisations, which have historically managed crises at the market or business or local level, are now having to develop global crisis frameworks, to be able to respond at pace to this type of event. And catastrophic ransomware attacks rely on your organisation having a well-rehearsed response – from the technical frontline up to the C-suite and the board. But also across the supporting functions, such as corporate affairs, everybody needs to play a part.

You should also think about creating ransomware-specific playbooks, which cover key considerations, and they act as an overlay to your existing crisis management structures.

And the last point I'd make on this: You also have to explore how IT and security work together. Is this an IT outage or a security incident?

In reality, it's both. However, we find the processes for managing these two types of incidents often actually don't overlap.

Simulations help organisations prepare for ransomware attacks

Kristin:
One thing we've learned in our work, Bobbie, as you know, with the Global Crisis Centre, is that simulations are a really important way to prepare and to build that muscle memory. And we often say that it doesn't really matter what type of crisis you choose to practice.

In fact, it's good to practice different types of crisis scenarios over time, because you're going to learn lessons from those scenarios that can be applied really to any kind of crisis.

But today, the sheer prevalence of ransomware and its significant impact on so many divergent parts of the business, that ransomware scenario is a really good one to choose to build that muscle memory.

So, let's talk a little bit about what organisations should consider in a ransomware threat exercise simulation. What do you recommend to your clients, Bobbie?

Bobbie:
Well, firstly, I think it's important to say that actually the learnings you gain from developing a ransomware scenario for an exercise are as important as running the session itself.

And I think there's definitely some common themes we're seeing when we develop and run simulation exercises on ransomware for clients across the strategic, operational and technical levels.

I think firstly, these efforts require concerted engagement for both technology and business teams to deliver holistic resilience to ransomware.

So the key thing here, this is not just an IT problem. It's a business issue, which is why rehearsing your response at the board, the executive, the operational and the technical levels is so important. Additionally, these exercises should also really help you understand the types of issues, challenges and decisions you’re going to face in a ransomware attack. And now this is going to span regulatory, legal, technical, operational, financial and, importantly, communications.

So running these simulations really helps you to explore all of these different angles. Right now, what we're seeing is many organisations undertake these sessions with one or two teams.

But what we're starting to see is that we're helping our clients undertake end-to-end exercises, and that's across technical and operational teams, as well as the executive. And this will also help you to understand the potential routes and validate the timelines for recovery in a ransomware event, including the processes, which are going to be required to recover both with or without paying a ransom.

I think exercising is also really critical because it gives you an opportunity to think about who should be making each decision and, importantly, which decisions are reserved for the board.

And finally, the other important part is exercising helps you really think through how you would communicate with those who are impacted in the ransomware event, particularly if there's been a data breach – so both internal and external stakeholders, such as your customers.

Kristin:
That's really interesting. So let's dig into that a little bit and maybe bring it to life for our listeners. What kind of realisations do you see organisations have in a simulation exercise that would potentially cause it to change its way of responding to an attack?

Bobbie:
Yeah, I think that for me there are four common learnings we've seen in sort of the last 12 to 18 months having run these for many of our clients. And I've referred to a couple of these, but just to be very clear, I think the first one is there's absolute realisation at the executive level that this is a business crisis and not an IT incident.

And that actually, if they were hit by an attack, it does require the most senior team to come together to lead and make decisions. And what they see is often their very technical decisions have strategic impacts.

Secondly, for those organisations who do not currently have an enterprise-wide crisis framework, this type of crisis absolutely requires it, because it's likely that an attack could impact your entire organisation across all businesses and geographies.

So running an exercise actually really highlights that fact for many organisations.

The third point is executives have a much better understanding of the recovery timelines. So the reality is, recovering from these attacks takes organisations months and can cost millions, all while they are unable to operate and provide their key services. They get a great understanding of what insurance covers and, importantly, what insurance doesn't cover.

And finally, the last point I'd make is actually on the back of exercises: I think organisations really start to look at how we can better plan for this type of event. So for example, putting in place executive ransomware playbooks to help guide their response.

But also exercises really help inform future resilience and recovery programs to ensure that organisations are better prepared and that they can recover from this type of disruption.

Kristin:
One thing I've noticed is that security professionals, IT professionals in companies are often looking to build relationships across the business, across the organisation. And doing a simulation like this can be one really good way to help accomplish that and to really demonstrate the interconnectedness of all of the functions and address a threat at the same time.

So sometimes there can be dual benefits, even just outside of preparing for the crisis, in my experience.

So, Bobbie, there are a lot of misconceptions on the issue of ransomware, especially as attacks have become more prevalent in the news and also are becoming more elaborate and damaging. What are some of the myths that are out there that might be useful for our listeners to know are false?

Bobbie:
So, people think paying a ransom gives them a key or password that, once they've got it, means instant recovery. And it's just not like that. It takes weeks, and often months, to recover from a ransomware attack. And this is regardless, actually, of whether you pay a ransom or not, because the decryption tool that's provided, if you pay the ransom, only works machine by machine.

So infrastructure still has to be rebuilt. And that takes months. So actually the real learning there is it's much better to be confident that your disaster recovery can deal with a ransomware attack and recover from that.

Kristin:
This is such a complicated, thorny issue. Let's turn our attention to that recovery that you mentioned. How does a company build resilience in the aftermath of a ransomware attack and ultimately emerge stronger?

Bobbie:
So, from a recovery perspective, you need to ensure you have thought through and developed a strategy for IT disaster recovery for a ransomware scenario. So I'm just going to explain that a little bit further. So, the cybersecurity function's core focus is, as we know, to both prevent a cyber attack from reaching critical IT services, but also to rapidly detect and contain, should that prevention fail.

Now, it rarely considers how to recover if an attack cannot be contained. So you have the IT and the business resilience teams focusing on avoiding downtime, but they are commonly built around failure modes which actually are physical in nature and limited to a single location. So as an example, natural disasters impacting one data centre – they fail to consider cybersecurity threats.

And we see this commonly across many organisations right now. And that means if they are hit by ransomware, they're just not able to recover.

Therefore, you've got to plan your recovery effort around how widespread the impact of a ransomware attack on your organisation might be. And also critical to recovery now is: what are your critical business processes, and what is the technology those processes depend on? This is essential to effective recovery in a ransomware incident.

And just to address your point on how you emerge stronger: In terms of how you rebuild and emerge stronger, much of this for me is down to the leadership of the crisis. You need to have leaders who are able to operate under high pressure, and can adapt their style to that pressure in order to lead effectively.

And look, let's be honest, this is going to be a test of personal resilience. And what we're really starting to see now is greater recognition to focus on equipping leaders with the right skills to operate effectively under pressure, amid a crisis like this. And actually we're supporting a lot more clients focusing on that as much as putting in the right plans and playbooks in place as well.

And to emerge stronger, for me, it's about focusing on trust. So like any crisis, maintaining trust with your stakeholders is so important. And in this type of crisis, your stakeholders may understand that you've been hit by ransomware, but they will judge you on how you respond, how you communicate and how you mitigate the impact to them.

Where organisations quickly lose trust is when they consider themselves to be the victim in this scenario. But actually those who've been impacted by the attacks, such as your customers – they are the true victims. So be very careful about how you word your messaging. This is not just about you. It's also about those impacted.

So to emerge stronger, you need to maintain trust by remembering the perspectives of your stakeholders. This is a disruptive event for them as much as it is for you.

Kristin:
That last point is absolutely critical, Bobbie, and I know we've seen that in our crisis work and how important it is for companies to really take stock of all of the impacted stakeholders and develop customised messaging for them, customised responses, so that everyone who was impacted really feels supported at the end of the day.

So all of this underscores what we talked about at the top of the conversation: that simulations are an essential component of preparation and recovery, and ultimately for building resilience. And in fact, the road to recovery is likely more complicated than anyone can really anticipate.

So, Bobbie, thank you so much for joining me today. This has been an enlightening conversation, as always.

Bobbie:
Thank you, Kristin. It's been great to be here with you today.

Kristin:
And thank you to our listeners for tuning in. Please remember to subscribe to our podcast series, Emerge stronger through disruption, wherever you get your podcasts. And don't forget to connect with Bobbie and me on LinkedIn.

Until next time, thanks for listening.
