In the evolving landscape of cyber security, confidence can be a bad thing. That’s because, amid ever-escalating ransomware threats, a company’s success fending off an attack today does not guarantee it’s ready for a more sophisticated threat tomorrow.
With that realization, business leaders may wish to rethink their current ransomware preparations in light of the findings of the KPMG 2021 CEO Outlook. Many executives expressed confidence in their readiness for a ransomware attack. And many remain focused on cyber security plans that address yesterday’s threats, rather than taking steps to build resilience in their digital and now highly interconnected business environment. Building a resilient organization requires focus, persistence and discipline.
Ready for yesterday’s attack
Reflecting on the survey responses of 1,325 chief executives, it’s a positive sign that 65 percent indicate that they “have a plan to address a ransomware attack if faced by one.”
However, it’s revealing that only 28 percent “strongly agreed” with the statement, suggesting that most are not overly confident in their ransomware preparations. That, in my opinion, is a good thing, since it would be naive to consider one’s company “unsinkable”, with the waters ahead full of increasingly disruptive ransomware hazards.
I see this cautious mindset in my recent client interactions, as senior executives state modestly, “I only know that there are many things I don’t know.” In response, I compliment their current state of ransomware preparations, and then ask if their plans truly consider the changing nature of ransomware threats and their connected business ecosystem.
This usually leads to deeper conversations about the gaps in their plans. Most often, the primary weakness is a lack of detail in the overall response plan, because technical considerations have not been mapped to business considerations, followed by the absence of an embedded, continuous-improvement capability and of sustained focus on the topic. As a result, an organization can be “ready-ish” to respond to yesterday’s attack, not tomorrow’s.
Making ransomware risk real
For most executives, a ransomware attack simulation is an eye-opening event. Not only do these simulations reveal how their companies lack sufficient safeguards to defend against the latest techniques, but they also uncover vulnerabilities — or assumptions made — that can reduce the company’s ability to recover.
For instance, when huddled in the simulation war room, business leaders suddenly realize they don’t have sufficient information to quickly identify the business impact of an attack on end-to-end services. There are often assumptions built around individual systems, but rarely are there real plans behind more extreme scenarios. And since the organizations have not clearly mapped the linkages and dependencies between their infrastructure and business services and channels, senior leaders find themselves flying blind, unable to calculate the impact on their operations, production or customers until calls or complaints start coming in.
Along with an inadequate line of sight to assess the problem, these companies often lack sufficiently detailed and tested business resumption plans to work around a system outage for an extended period. As the outage lengthens, even harder questions set in: what assumptions underlie a return to basic functionality, how long the business can operate manually, what minimum viable products it can offer customers and for how long, what to do with the data, and how to deal with integrity issues. These are just some of the new questions that typically start to circulate in boardrooms.
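As an added illustration that is not part of the original article, the following Python sketch shows what the missing mapping between infrastructure and business services looks like once it is written down: a dependency graph walked in reverse to find which business services a lost component takes with it, and which of those services would breach their agreed outage tolerance for a given restore estimate. The node names, edges, tolerance figures and restore times are constructed for the example; the graph deliberately includes a shared identity provider so that one common dependency surfaces in every service at once, which is the kind of linkage the war room tends to discover only when the calls start coming in.

```python
"""Service-dependency mapping for ransomware impact analysis.

Added example, not from the original article. It models the mapping the
article says is usually missing: which business services depend, directly
or transitively, on which infrastructure components, so that when a set of
hosts is encrypted or isolated the affected services and their
tolerance breaches can be computed rather than discovered from complaints.
All node names, edges and tolerance figures are constructed for illustration.
"""
from collections import deque

# Constructed dependency graph: each key depends on the nodes listed.
# Leaves are infrastructure components; roots are business services.
DEPENDS_ON = {
    "online-ordering": ["web-tier", "order-api"],
    "order-api": ["order-db", "idp"],
    "web-tier": ["cdn", "idp"],
    "warehouse-picking": ["wms", "idp"],
    "wms": ["order-db", "label-printers"],
    "payroll": ["hr-app"],
    "hr-app": ["hr-db", "idp"],
    "order-db": ["san-volume-1"],
    "hr-db": ["san-volume-2"],
}

# The nodes the business actually sells or runs on; everything else is plumbing.
BUSINESS_SERVICES = {"online-ordering", "warehouse-picking", "payroll"}

# Maximum tolerable outage per business service, in hours (constructed).
TOLERANCE_HOURS = {"online-ordering": 4, "warehouse-picking": 8, "payroll": 72}


def reverse_graph(depends_on):
    """Invert the graph so we can walk from a component to whatever relies on it."""
    used_by = {}
    for node, deps in depends_on.items():
        for dep in deps:
            used_by.setdefault(dep, set()).add(node)
    return used_by


def impacted_nodes(depends_on, lost):
    """Every node that is transitively unavailable once the nodes in `lost` are down."""
    used_by = reverse_graph(depends_on)
    seen = set(lost)
    queue = deque(lost)
    while queue:  # breadth-first walk up the reversed graph
        node = queue.popleft()
        for dependant in used_by.get(node, ()):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen


def impacted_services(depends_on, lost, services=BUSINESS_SERVICES):
    """Business services affected by losing `lost`, sorted for stable reporting."""
    return sorted(impacted_nodes(depends_on, lost) & services)


def tolerance_breaches(depends_on, lost, estimated_restore_hours,
                       tolerance=TOLERANCE_HOURS, services=BUSINESS_SERVICES):
    """Impacted services whose tolerable outage is shorter than the restore estimate."""
    return sorted(
        svc for svc in impacted_services(depends_on, lost, services)
        if estimated_restore_hours > tolerance[svc]
    )


if __name__ == "__main__":
    # Scenario: the identity provider is encrypted and isolated; rebuild estimate 24h.
    lost = {"idp"}
    print("impacted services:", impacted_services(DEPENDS_ON, lost))
    print("tolerance breaches at 24h:", tolerance_breaches(DEPENDS_ON, lost, 24))
```

The useful output is not the list itself but the fact that it can be produced in minutes: with the graph in hand, the same two calls answer "what is down?" and "what must come back first?" for any isolation decision the responders are about to make, and the tolerance table is where the business side's minimum-viable-service assumptions get written down before the incident rather than argued about during it.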
Also, as the outage extends and the damage to the business becomes more apparent, further decisions arise that are typically not supported by pre-approved protocols and decision trees. Most participants conclude that procedures and pre-agreed principles would have helped senior leaders act prudently and promptly (including on pay or don’t pay decisions) across varying severity scenarios, and in line with their domestic and global legal and regulatory obligations.
While these simulations usually prompt startled executives to patch any holes in their current preparations, the next question is, “How will they sustain these security measures as cyber-attacks grow more sophisticated and their company exposure increases in a digitally-connected business and technology ecosystem?”
Creating true cyber resiliency
To the business leader who now asks, “How can we strengthen our cyber security capabilities for today and tomorrow?”, I often recommend actions focused in three key areas:
- Scrutinize operational resilience programs. Align the broader digital resilience topic with operational resilience programs. Ensure there is alignment within the organization across the broader topics and bring together the various stakeholders to help ensure that disruption scenarios are clearly documented and detailed; dependencies and risks are adequately mapped; legal, regulatory and insurance issues are well understood; and appropriate policy and procedures are in place to aid mid-crisis decision-making.
- Invest in resilient technology platforms. Understand the existing challenges your infrastructure and technology platforms may face in the specific disruptive scenarios, consider alternative setups and cloud-based systems with air-gapped/micro-segmented environments that are well-protected against attack, better able to support business recovery in a threat situation, and scale up as threats and demands shift and grow.
- Strengthen operational response capabilities. Operating through an incident with the least impact on the business requires the full gamut of detailed technical and business procedures that make an organization adaptive and resilient: in-depth operational and communication protocols to reassure stakeholders, to keep critical services running, and to resume impacted services within agreed tolerance levels.
Interestingly, to be effective, each of the activities requires greater integration and cooperation among technology and business teams so that the resulting plans take into account both business and technology considerations. This speaks to the need for deep organizational culture change by which cyber security, technology and business team members and strategies are coordinated or embedded.
It’s also noteworthy that the KPMG 2021 CEO Outlook shows fewer than half of global business leaders focusing on these very activities. Fewer than half of the CEOs surveyed say that, over the next 3 years, they plan to “strengthen governance and operational resilience and their ability to recover from a major incident” and “invest to develop secure and resilient cloud-based technology infrastructure”.
In addition, about one third of CEOs surveyed plan to “embrace automation to streamline and optimize security and technology risk management”, and just over a quarter of CEOs will “embed security and resilience principles into the design of future systems and services”.
Although it’s encouraging that nearly half of executives will “focus on improving skills in cyber security” and “establish a strong digital and cyber risk culture”, these actions are becoming table stakes in readying a company for ransomware threats. Given that the techniques behind today’s ransomware attacks were taking shape among cyber criminals 5 years ago, businesses should be planning 5 years forward to be ready for far more damaging attacks.
Planning for yesterday’s ransomware attacks simply won’t be enough to safeguard digitally powered organizations. Fortunately, the KPMG 2021 CEO Outlook suggests that there’s a healthy dose of doubt in the minds of business leaders, which can help drive the effort required to create cyber resilient organizations for the years ahead.