Ransomware attacks are constantly hitting the headlines, with FBI director Christopher Wray recently likening the current spate of attacks to the challenges raised by the 9/11 terrorist attacks. In response, the UK’s NCSC has produced a number of resources to help organisations, including a recent blog post aimed at board members. It reminds boards what they can do to ensure their organisation is prepared for what are often highly disruptive (and potentially high profile) attacks.
The blog is part of the NCSC's wider Cyber Security Toolkit for Boards. As well as explaining the basics of ransomware (which, it says, should enable boards to have constructive conversations with their technical experts), it suggests five questions that senior management can ask their organisations and advisors to help improve their resilience to this type of attack.
Five key questions for board members to ask about ransomware
Q1. As an organisation and as board members, how would we know when an incident occurred?
It is important to ensure that your organisation is monitoring, and identifying, unauthorised access to your systems as there is often a significant period of time (‘dwell time’) between an attacker gaining access to your systems and launching the ransomware. The board can ask questions around that monitoring - for example, what monitoring is in place, are the monitoring thresholds set at the right levels and is the organisation confident it knows of (and is monitoring) all IT assets? Many attacks come via equipment the organisation is unaware of. Who is examining the logs and are they sufficiently trained to identify anomalous activity? Also, do they know how to report suspicious activity? The board should also check that it has set, and communicated, clear thresholds for when it wants to be informed of an incident.
Q2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?
Given the damage ransomware attacks can cause, and the way in which they spread throughout an organisation, boards should ask about user access and network segregation. For example, how do you authenticate and grant access to users/systems, are these measures hard to bypass and is access only given if necessary? Also, how is the network separated (to ensure an attacker gaining access to one device cannot then access the full IT estate) and how would you identify an attacker's presence on the network (e.g. is monitoring in place – see above)? The NCSC has provided further details on these points in its guidance on preventing lateral movement.
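The monitoring questions under Q1 (what is monitored, are thresholds deliberate, do we know all our assets, can the people reading logs spot anomalies) and the lateral-movement question under Q2 are easier to discuss with a concrete check in hand. The following is an added example, not part of the NCSC guidance or of the blog post: it runs two simple detections over constructed, simplified logon events. The event IDs are the real Windows ones (4624 successful logon, 4625 failed logon, logon type 3 = network), but the key=value line format, the host names, the user names and the asset inventory are all invented for the example, and the window and host-count thresholds are illustrative defaults that a real deployment would tune.

```python
"""Two checks a board's "what monitoring is in place?" question maps to.

Added example, not part of the NCSC guidance. Input is a constructed,
simplified key=value rendering of Windows network logon events
(event 4624 = successful logon, 4625 = failed, logon_type 3 = network);
a real collector emits richer records, but the logic is the same.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. svc_backup reaches four servers in six
# minutes at 02:00, a fan-out a human-paced account does not produce;
# jsmith's daytime logons to two hosts are ordinary. LAB-PC7 is absent
# from the (also constructed) asset inventory below.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z host=FS01 user=jsmith src=10.0.8.41 event=4624 logon_type=3
2024-03-04T09:40:53Z host=APP02 user=jsmith src=10.0.8.41 event=4624 logon_type=3
2024-03-04T02:13:05Z host=FS01 user=svc_backup src=10.0.5.23 event=4624 logon_type=3
2024-03-04T02:14:40Z host=FS02 user=svc_backup src=10.0.5.23 event=4624 logon_type=3
2024-03-04T02:16:02Z host=DC01 user=svc_backup src=10.0.5.23 event=4624 logon_type=3
2024-03-04T02:18:57Z host=BKP01 user=svc_backup src=10.0.5.23 event=4624 logon_type=3
2024-03-04T02:19:30Z host=LAB-PC7 user=svc_backup src=10.0.5.23 event=4625 logon_type=3
"""

# Constructed asset inventory. "Do we know all our IT assets?" is only
# answerable if something like this exists and is kept current.
KNOWN_HOSTS = {"FS01", "FS02", "APP02", "DC01", "BKP01"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse key=value log lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the job
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_fan_out(events, window=timedelta(minutes=10), host_threshold=3):
    """Flag accounts that log on to more than host_threshold distinct hosts
    within `window` (a lateral-movement pattern). Returns
    {user: (window_start, sorted_hosts)}. The two parameters are the
    'thresholds' the board is asking whether anyone set deliberately."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "4624" and e.get("logon_type") == "3":
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1  # slide the window forward
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > host_threshold:
                alerts[user] = (logons[start][0], sorted(hosts))
                break
    return alerts


def unknown_hosts(events, inventory=KNOWN_HOSTS):
    """Hosts seen in the logs that the asset inventory does not know.
    Failed logons count too: an attacker probing an unmanaged box is the
    'equipment the organisation is unaware of' case."""
    return sorted({e["host"] for e in events if e.get("host") not in inventory})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, (when, hosts) in find_fan_out(evs).items():
        print(f"ALERT {user}: {len(hosts)} hosts from {when:%H:%M}: {', '.join(hosts)}")
    print("Unknown hosts:", unknown_hosts(evs))
```

Run as-is it reports svc_backup reaching four hosts from 02:13 and LAB-PC7 as an unknown host. Raising `host_threshold` to 4 silences the first alert, which is the point of the board's threshold question: a detection exists only if its thresholds were chosen on purpose and somebody reviews what it produces.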
Q3. As an organisation, do we have an incident management plan for cyber incidents and how do we ensure it is effective?
Organisations have been told for some time of the importance of having an incident response plan that covers cyber incidents, and of testing and reviewing that plan regularly. The NCSC therefore suggests that boards ask how (and how often) their organisation practises for cyber incidents, and how it learns from those exercises. It also:
- points organisations to its new free tool ('Exercise in A Box') which contains discussion-based and simulation exercises, including ransomware scenarios; and
- discusses what should be covered in a basic incident management plan. This includes identifying key contacts, clear escalation routes and allocations of responsibility (and considering whether these apply in normal working hours only or 24/7). The NCSC also suggests including a conference number for urgent calls, contingency measures for critical functions, and guidance on regulatory (e.g. notification) requirements and when to engage legal support. Given the nature of a cyber/ransomware attack, it suggests having a basic flowchart describing the full incident life cycle, and keeping the most relevant information (incident management playbooks, contact lists, checklists etc.) available offline, so that it remains accessible even if there is no access to your computer systems.
Q4. Does our incident management plan meet the particular challenges of ransomware attacks?
While many of the same issues apply whether you are facing a ransomware or another type of cyber-attack, there are some particular features of ransomware attacks that need to be specifically addressed in your incident management plans. For example, have you considered how you would respond to a ransom demand, and who would make that decision? Also, are you prepared for the fact that recovery could take several weeks? Note: the NCSC stresses that the UK government strongly advises against paying ransoms.
Q5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?
Ransomware attacks are becoming more sophisticated and more effective. Attackers often spend time in an organisation's systems collecting information and data, and targeting the backups themselves. This prevents the organisation from recovering its own data and adds pressure to pay. Boards should therefore seek assurances around backups. For example, how frequently is data backed up (both 'critical' and 'non-critical' data), would you be able to recover from these backups, and how frequently is that recovery actually tested? Also, are backups stored offline (or in a different location from your network/systems)? The NCSC has produced guidance on managing backups: see 'Offline backups in an online world'.
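"Would you be able to recover from these backups?" is only answerable by restoring and checking, and the check has to catch the case where the attacker reached the backup target first. The following is an added example, not from the NCSC guidance or the blog post, of the shape of such a restore test: a manifest of file sizes and SHA-256 hashes recorded when the backup is taken (and stored with the offline copy, not only on the live system), and a verification run that reports files that are missing, altered, apparently encrypted, or unexpected. File contents, paths, the tampering and the 7.5 bits-per-byte entropy cut-off are all constructed or assumed for the example; the backup is held in memory as a dict so it runs without a filesystem.

```python
"""Verify a restored backup set against the manifest taken with it.

Added example, not part of the NCSC guidance. Backup contents are
represented in memory as {path: bytes} so the check runs anywhere; a
real restore test reads the restored files from disk instead.
"""
import hashlib
import math


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> dict:
    """Record path -> (size, sha256) at backup time. Keep this manifest
    with the offline copy; a manifest the attacker can rewrite proves nothing."""
    return {p: (len(d), sha256_hex(d)) for p, d in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means random-looking bytes, i.e. ciphertext
    or compressed data rather than text or CSV."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_backup(manifest: dict, restored: dict, entropy_limit: float = 7.5) -> dict:
    """Compare a restored set with its manifest. Returns a report naming
    files that are ok, missing, altered, apparently encrypted, or unexpected,
    plus a single 'restorable' verdict for the board-level question."""
    report = {"ok": [], "missing": [], "altered": [], "suspect_encrypted": []}
    for path, (size, digest) in manifest.items():
        data = restored.get(path)
        if data is None:
            report["missing"].append(path)
            continue
        if len(data) != size or sha256_hex(data) != digest:
            report["altered"].append(path)
            if shannon_entropy(data) > entropy_limit:  # assumed heuristic cut-off
                report["suspect_encrypted"].append(path)
            continue
        report["ok"].append(path)
    # Files in the restore that the manifest never listed: ransom notes,
    # renamed copies with a new extension, and similar.
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["restorable"] = not (report["missing"] or report["altered"])
    return report


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed sample: the backup as taken on Monday.
GOOD_BACKUP = {
    "finance/ledger.csv": b"date,account,amount\n2024-03-01,4100,1250.00\n" * 50,
    "hr/contracts.txt": b"Employment contract template v3\n" * 40,
    "it/runbook.md": b"# Incident runbook\n1. Isolate host\n2. Call IR lead\n" * 20,
}
MANIFEST = make_manifest(GOOD_BACKUP)

# The same backup target after an attacker reached it: two files
# overwritten with ciphertext, one deleted, a ransom note dropped.
TAMPERED_BACKUP = {
    "finance/ledger.csv": _pseudo_random(len(GOOD_BACKUP["finance/ledger.csv"])),
    "hr/contracts.txt": _pseudo_random(len(GOOD_BACKUP["hr/contracts.txt"])),
    "README_TO_RESTORE.txt": b"Your files are encrypted. Contact us to restore.",
}


if __name__ == "__main__":
    for name, restored in (("clean", GOOD_BACKUP), ("tampered", TAMPERED_BACKUP)):
        r = verify_backup(MANIFEST, restored)
        print(f"{name}: restorable={r['restorable']} missing={r['missing']} "
              f"altered={r['altered']} encrypted={r['suspect_encrypted']} "
              f"unexpected={r['unexpected']}")
```

The clean set verifies; the tampered set fails with two altered files that look encrypted, one missing file and one unexpected file. Note that the hash comparison alone answers "can we restore?"; the entropy heuristic only explains why, and a backup that is only reachable from the network the attacker already controls would fail this test every time, which is the argument for the offline copy the NCSC guidance describes.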
As ransomware attacks become more prevalent and high profile, there will be increasing pressure on boards to ensure that they (rather than just their IT or CISO functions) understand the threats involved in an attack of this kind and how their organisations are managing those threats. Board engagement with cyber security (and ransomware in particular) is key. While many organisations will already have considered these points, it is helpful to see the level of detail the NCSC expects boards to focus on, and useful to have a simple set of questions that can start a constructive dialogue between the C-suite and their technical experts and help boards gain that understanding.