Electricity and Control July 2023

CYBERSECURITY

Crisis management is central to ransomware resilience

Boland Lithebe, Security Lead at Accenture in Africa

Ransomware is not solely a technology or security problem. A ransomware attack is far more significant than a technology breach, as it can affect an entire business. If an organisation is struck and existing recovery strategies tuned to traditional business continuity plans prove insufficient, it should, in the aftermath of the attack, adjust mindsets around the role of security for technical and business decisions.

Accenture research has found that attacks are on the rise and that 20% of costs associated with all incidents are attributed to brand reputation damage. Its recommendation is to get the balance right between security efforts and alignment with the business strategy. Overall, a modern ransomware and extortion response should be treated as a business risk, prioritising effective crisis management across the enterprise.

Key challenges

There are a number of challenges that highlight the need for greater alignment between security and the business before, during and after a cyber crisis event.

Traditional crisis response plans need to evolve

Ransomware attacks represent a business risk, not simply a security problem. Security teams’ current approach to incident response typically involves solving the technical investigation aspects of an attack. However, the incident response also needs to consider critical business processes and how they impact recovery priorities. Prioritising and stabilising essential operations and systems can help prevent additional downstream financial, reputational, operational and physical impacts.

Organisations should extend traditional business continuity and incident response approaches and develop one cohesive plan that identifies the priorities for the whole business, problem-solve the big picture and better prepare for swift and inclusive business recovery. By adopting a robust communications plan, leaders can tackle a ransomware attack for what it is – a crisis that needs to be handled in a business-focused manner.

Transparency and agility in crisis communications

Ransomware incidents are disruptive and need an effective communications plan. Regular updates shared with internal and external stakeholders are essential to get ahead of any unfolding story. Understanding the unique demands of an industry, its regulations and notifications and disclosures that apply are fundamental.

Organisations must be open and honest about what has happened and what happens next and collaborate with security professionals, legal teams and the organisation’s broader ecosystem to ensure a structured approach and that they act transparently. Key questions to address include: what happened, when it happened, what we know, who was impacted and how, what are we doing about it, and what is next.

Ransomware impacts the enterprise and stakeholders

Ransomware has become a persistent threat, with law enforcement and governments becoming increasingly involved. Threat actors have developed tactics such as stealing data and extorting individual people by threatening to disclose stolen data. Today, attackers can buy access and malware and execute a ransomware attack by becoming an ‘affiliate’ of a ransomware-as-a-service (RaaS) program available on criminal forums. The compressed transformation has often extended the attack surface, evidenced by the triple-digit increase in attacks observed in 2021. Therefore, any crisis response strategy should consider the stakeholders affected, such as customers, corporate subsidiaries, suppliers, trusted third parties, financial investments, and merger and acquisition targets.

The CEO and Board need to be on-board

Testing and validating attack prevention, detection, response and recovery is part of business for most organisations. Nonetheless, drawing on the CEO and Board can enhance this practical step. Tabletop exercises are generally undertaken by security personnel. By extending such practices to include executive-level simulations, organisations can test their defences against a typical ransomware attack and introduce the risk and adrenalin of a ‘real-life’ attack scenario. For example, executives may be told three lines of business are down due to an attack where a threat actor asks for US$10 million. Executives are asked to determine in real-time which business should be recovered, how they communicate their response and who is responsible for making those decisions.

To make the process easier, Accenture has developed the following ransomware response and recovery approach to handling cyber crisis communications.

- Triage and prepare: Identify impacted parties and

It’s important to align security efforts with the business strategy to ensure effective crisis management in the event of a cyberattack.
