
To Combat Ransomware Attacks, Communication With C-Suite is Essential

A study from (ISC)² shows that C-suite executives are looking for clearer communication and guidance from cybersecurity leaders when it comes to combatting ransomware attacks.


By Jill McKeon

In light of numerous high-profile cyberattacks this year, C-suite executives are more tuned in to the risks of ransomware attacks and other cybersecurity threats than ever, a recent study from (ISC)² revealed. As a result, it is crucial that cybersecurity leaders know how to effectively communicate ransomware risks and preparedness strategies to the C-suite.

Healthcare has been hit particularly hard by ransomware in recent years, and the ongoing cybersecurity workforce shortage will likely continue to strain the industry in the next year. Clear and consistent communication between cybersecurity professionals and the C-suite can effectively mitigate risk.

(ISC)² surveyed executives from a variety of industries with job titles like CEO, CFO, CIO, COO, and General Counsel. When asked to rate their awareness of ransomware prior to the high-profile breaches of 2021, 55 percent of respondents described themselves as very aware, and 40 percent described themselves as somewhat aware.

The C-suite respondents were also asked about the quality of communications regarding ransomware before and after the recent wave of high-profile attacks. Just under two-thirds of respondents rated the communications highly, leaving room for improvement by cybersecurity leaders.

Over 65 percent of C-suite respondents reported an increase in the frequency of communications about ransomware in 2021, and 14 percent of respondents reported a decrease in communications.

“The attacks have spurred interest in cybersecurity security operations specific to ransomware, with the C-suite now asking cybersecurity professionals for more information on risks, defense strategies and budget needs,” the study pointed out.

Most executives reported looking to their cybersecurity team for information on strategies to prevent and recover from ransomware. Executives also reported prioritizing knowledge about how long it would take to restore minimal operations after compromise and how prepared their organization is to engage law enforcement and cybersecurity investigators.

“The feedback is clear. Leadership wants and needs more communication from the cybersecurity practitioners dealing with ransomware within their organizations,” the study contended.

“There is also a need for more detail, depth and explanation in that reporting to ensure that leaders fully understand the landscape to facilitate more informed decisions and supporting calls for cybersecurity investment.”

Researchers recommended that cybersecurity teams increase the frequency of communications so that executives have a solid understanding of ransomware risks and the investments needed to mitigate those risks.

In addition, cybersecurity leaders should work to temper overconfidence within the C-suite by being clear and realistic about the threat of ransomware.

“Make the threat understandable and relatable,” the study suggested. “This isn’t about dialing up the rhetoric, but being clear on the very real consequences ransomware can have on your operations and the long-term health of your organization.”

Cybersecurity teams should also focus on tailoring their message based on what the executives care about most when it comes to ransomware risk. For example, if regulatory compliance is a key stressor, the communications should address that.

Communicating ransomware risks to the C-suite in an effective manner is also a great way to make the case for increased staff and investments in cybersecurity within an organization. Upfront investments in cybersecurity can save organizations millions in the long run, but many executives may be hesitant to throw money at a problem that they do not fully understand.

“Ultimately, leadership must come from the top of the organization in all instances, but it is the responsibility of cybersecurity professionals to inform and educate senior leadership about the growing ransomware threat,” the study concluded.