Ransomware Puts Organizations' Communications Response in the Spotlight

In 2021, ransomware attacks have reached unprecedented levels with new tactics leading to an increase in both the prevalence and impact of incidents. Several high-profile incidents have raised public awareness of ransomware, which means that how organizations respond following an incident is coming under increasing scrutiny.

The “Ransomware as a Service” (RaaS) model and the use of double and triple extortion tactics have had a dramatic impact on the ransomware landscape. RaaS is a cybercrime business model in which developers sell or lease their ransomware strain to affiliates in exchange for a cut of the profits.

This model has lowered the barrier to entry for threat actors and made it harder to track them. The practice of double extortion – encrypting a victim organization’s systems and exfiltrating and publishing data – has become a common tactic.

However, ransomware attackers are now adopting the practice of triple extortion. Triple extortion involves making a ransom demand not just to the victimized organization, but to its stakeholders, including employees, customers, and the media.

This practice broadens the impact of a ransomware incident and complicates an organization’s response.

In the face of a ransomware attack, business continuity remains essential. However, the longer-term impact can be considerable.


Operational impact

In the initial stage of an incident, widespread outages can affect an organization’s ability to maintain operations.

It is important to keep stakeholders informed of the latest developments and to provide customer-facing employees with the information they need. Any failure to do so may be noticeable from the outside and attract media attention.


Financial impact

Research by Sophos found that the average ransomware recovery cost was $1.85 million in 2021. Costs stem from immediate loss of revenue due to outages, costs associated with recovery, lost business opportunities and ransom payments.

If attacks are not disclosed in a timely or transparent manner, organizations risk legal action or costly penalties. Regulators have signaled that cyberattacks pose existential business risks and can have a significant impact warranting disclosure.


Reputation impact

The reputational impact of an incident can be the most lasting. A recent HSBC study found that 73% of organizations underperformed the market after a ransomware attack. Effective communications, however, can help mitigate reputational damage.

Stakeholders may not judge an organization for falling victim to a ransomware attack, but they will judge it based on its response. As ransomware has entered mainstream consciousness, organizations’ responses have come under greater scrutiny. As attacks have evolved, so have the communication tactics needed to respond.

Develop a preparedness plan

Organizations should develop cybersecurity crisis preparedness plans with ransomware in mind and based on the organization’s risk register and regulatory environment. They should complement existing crisis response plans and emergency protocols. Plans need to be reviewed regularly to maintain viability and it is important to continuously assess regulatory environments.


Map stakeholders

With ransomware incidents being regularly reported in the media, the public has greater awareness and understanding of ransomware. Similarly, investors and boards of directors are increasingly aware of and interested in cybersecurity, as are external rating agencies, which now integrate cybersecurity into their risk assessments. financial, regulatory and business continuity. The use of triple extortion can also broaden the network of stakeholders involved in an incident.

It is essential not to forget the internal stakeholders likely to be directly impacted by an incident. Internal stakeholders are also of particular importance given that everyone in a relevant organization – from frontline employees to the C-suite – is a communicator and a key vehicle for delivering messages.


Be fast and transparent

Communication delays can be costly, not only in financial penalties but also in reputational damage and loss of business. A lack of transparency can generate speculation and erode trust in an organization, making it more difficult to communicate with stakeholders. Companies need to understand stakeholder needs – and reach them through the channels they are used to – to maintain valued relationships and combat misinformation.

It is not a question of if but when an organization will be impacted by ransomware, so an advanced communications strategy is required: one informed by stakeholder preparedness and understanding, and characterized by timely, transparent, and candid communication.

“FTI Consulting provides assistance on the three essential elements of cybersecurity incident response: incident response; forensic data analysis; and communications and reputation support,” said Gráinne Bryan, Senior Managing Director of FTI Consulting.
