All systems are GO!

Author: Sean Renshaw, Senior Director, Cyber Response at RSM
Date Published: 14 December 2022

Editor’s note: The following is a sponsored blog post from RSM:

It’s the day before month-end, and the finance team is prepping the to-do list for tomorrow:

  • Do the payroll run
  • Send payments to vendors
  • Issue invoices for customers
  • Close out the monthly financials

When you get into the office and log into your computer, there is a ransom note on the screen. You sit at your desk in stunned silence. Your phone rings, and the CFO is on the line. There is panic in his voice as he tries to figure out how to get people paid on time. When will vendor payments go out? Can the financials be closed in time? 

As the day goes on, the full impact of the business interruption is coming into focus, and it looks bleak. It could take weeks to resume normal business operations, and there is the potential for significant issues with customers and vendors. However, it becomes clear that your effort to implement a robust and comprehensive resilience approach will minimize the impact of this incident.

The financial impacts are significant, and changing
Over the past five years, the number of ransomware attacks has grown exponentially, with the losses covered by cyber insurance topping US$264 million, according to the 2021 NetDiligence Cyber Claims Study report. The traditional thinking is that most of the ransomware incident cost is paying the ransom; however, the business interruption expenses account for nearly 50% of the cyber insurance claims relating to ransomware incidents.

We are now in an age where the costs of the cyber incident are just table stakes to mitigate the immediate attack. The ongoing business impact is much more expensive and can act as a force multiplier on insurance claim costs.

As reported by a joint cybersecurity advisory issued by multiple U.S. government organizations, there was a significant leak of internal information from the Conti ransomware organization. One of the interesting points that came out of this leaked playbook is that the threat actors are conducting reconnaissance in exploited organization environments to identify systems that would be most impactful to an organization if they were taken out of service. We have seen many examples of this technique, where critical systems have been subjected to a ransomware attack, including:

  • Enterprise resource planning systems
  • Security and IT monitoring systems
  • Fulfillment management systems
  • Customer relationship management systems

This technique is designed to further encourage victims to pay the ransom, but the unintended consequence is that companies are now facing significant business interruption losses.

The increase in business interruption costs has led to a rise in insurance rates. As part of the continued refinement of insurance underwriting, insurance companies are requiring their insured to attest that they have implemented comprehensive cyber controls that protect business processes. The insurers are realizing that today’s security, although very effective, is simply not enough. A broader approach that incorporates hardening against various forms of business disruption is needed. The RSM 2022 Cybersecurity Middle Market Business Index surveyed 400 business leaders at middle market firms, with 67% reporting an increase in cyber premiums over 2021.

It’s not your “mom and pop’s” cyber incident response anymore
It is time to shift your culture from “cyber incident” to “crisis management,” understanding that ransomware can throw your organization into crisis mode. Other sources of crisis (environmental, pandemic, etc.) involve the same elements of prevention, detection, response and recovery.

Personnel, tools and outcomes may change based on the crisis, but the core response team should include IT, security, emergency management, physical security and key business stakeholders. Including these influencers will drive a greater understanding of the threats and a unified approach to resolving them, give leadership a greater stake in remediation and help set the tone at the top about your resiliency program. This business-focused governance and controls framework helps ensure consistency and organizational engagement, which helps you respond to current-day business threats.

Proactive, resilience-focused planning that goes beyond incident response further embeds business continuity planning and impact analysis in the crisis management model, including backup and recovery exercises. Essentially, look for critical tools, processes and tech that are not deemed “critical” and are not covered under the existing DR/IR focus.

You will execute as you train…
Responding to threats, be they business- or cyber-related, requires a certain muscle memory. Ideally, you aren’t “reacting” to the fire, but fighting it with a well-planned and practiced approach. Bringing the crisis response team together to rally around a common set of policies and procedures, with a clear understanding of roles and accountabilities, will reduce the mean time to respond and recover from the incident.

It is our experience that clients who invest in this proactive approach have experienced significant return on this investment. Why? The tasks being performed have already been thought out and trained on, and you are not spending valuable time figuring out how to perform them in the midst of an actual event.

As an example, when clients are trying to respond to a ransomware attack, they need to enumerate all machines in scope, identify and restore from known good backups, and more. However, if they have not conducted a review of their resilience maturity, they do not have adequate information to quickly and efficiently perform the recovery efforts that are needed. As a result, fulfilling this during the incident will be more costly, more disruptive to operations and (most importantly) will cost valuable time in remediating the event.

What does this mean for you?
We encourage your team to perform a more business-focused assessment of potential impacts to operational continuity, plan for any potential events that could feasibly impact your ability to meet customer expectations and be ready to respond to these threats should they occur. Proactive hardening of the resiliency chain is accomplished by reviewing your response plans, establishing training exercises (tabletops) and vetting how you will maintain operational continuity. It is important to inject business outcomes as part of the resilience plans and exercises. When it comes to being proactive, here are some key takeaways:

  • Incorporate business impact analysis and risk assessment tools to identify and remediate potential gaps in your resilience chain
  • Proactively manage vulnerabilities, preferably by performing a snapshot assessment with targeted pen testing of your infrastructure, logging and system redundancies
  • Evaluate elements of the resiliency chain where a failure could directly impact customer outcomes

For additional information about how RSM can help you prepare for these ongoing threats, please visit RSM Cyber Resiliency.