Ransomware - need to know, need to ask

Ransomware - is your organisation prepared? What you need to know, need to ask

By Ryan Ettridge 

Share this article

The issue of cyber security has been on the minds of senior business leaders for some time now and with good reason. PwC’s 23rd CEO survey (released earlier this year) found that Cyber continues to be the greatest threat to business growth. Over the past five years, Australia’s CEOs have been consistently more concerned about cyber security undermining growth than their global peers (a five year average 83% of local CEOs, compared to 69% of global peers).

While strides have been made to tackle cyber  issues, threats still loom in the minds of Australian CEOs. In our recent survey, 85% pointed to cyber security as a greater threat to growth than any other concerns, including uncertain economic growth, regulatory burdens and the availability of key skills in the workforce. Given the huge threat cyber poses, it’s an issue that has been high on the agenda of Audit Committees. 

In more recent times, we are seeing a particular type of Cyber attack becoming more prevalent - that of Ransomware.  In the past, organisations falling prey to such attacks were typically smaller organisations without the skills and resources to adequately protect themselves from such attacks.  However, it’s become clear that organisation size and the sophistication of operations doesn’t guarantee immunity from such attacks. What we’re seeing is the prevalence of attacks against Australian organisations is increasing and they have the potential to cripple an organisation’s operations with devastating consequences. 

In this article we provide Business Leaders and Audit Committee members with the key facts on Ransomware and the questions that you need to ask of Management to satisfy yourself that the organisation is adequately protected. 

What is Ransomware?

Ransomware is a type of malicious software (‘malware’) that denies access to files or computer systems until a ransom is paid. For individuals, Ransomware can get onto a device through the following methods:

  • Visiting unsafe or suspicious websites

  • Opening emails or files from someone you don’t know

  • Clicking on ‘malicious’ links in social media and peer-to-peer networks.

For large organisations, Ransomware attacks typically occur through the following: 

  • Bypasses cyber security controls by masquerading as legitimate communications and data

  • Spreads from one infected device to another through vulnerable software

  • Automatically scans for and corrupts databases and network files by encrypting the data, rendering them unreadable

  • Automatically notifies the responsible cyber attack group that the process was successful

What action should be taken if your organisation is impacted by a Ransomware attack?

Advice from the Australian Cyber Security Centre (ACSC) is to never pay a ransom demanded as “there’s no guarantee paying will restore your files, and paying a ransom could make
you vulnerable to further attacks.’’ The ACSC advises that organisations impacted should report the infection and seek help from a cyber security expert.

How can organisations best protect themselves from the risk of Ransomware?

There are many pragmatic steps that organisations can take to reduce the likelihood of ransomware incidents, limit their impact when an incident does occur, and to recover swiftly and effectively. These include the following:

1. Effective data governance practices: developing an information asset inventory to track what data you hold and where its stored, to assist with enforcing appropriate protection and monitoring of your key data, as well as aiding recovery efforts in the event of a cyber security incident.

2. Robust business continuity planning and exercising: validating that individual user systems and key servers can be restored rapidly from backups, that the frequency of backups aligns to the timeframe of data your organisation is prepared to lose in the event of any system being rendered unusable

3. Crisis and incident response planning and exercising – making sure that there are formal procedures in which employees and those responsible for the management of high priority incidents are well versed to streamline the organisation’s reaction to ransomware events and its ability to restore service to employees and customers

4. Strong security hygiene policies and user awareness – preventing Ransomware entering your IT environment through the most common delivery vector; ‘Phishing’, by enforcing strong controls at your email gateways and network perimeters, and, developing vigilant employees through robust awareness campaigns

5. Rigorous patch and vulnerability management - closing security vulnerabilities in your systems which can be exploited by establishing a robust system patch and vulnerability management program.

What questions should Audit Committees ask of Management to satisfy themselves that the organisation is adequately protected? 

1. How often are our security systems reviewed and updated? Have been validated by a qualified third party?

2. How have we engaged with and educated our employees on the risks of Ransomware and how to protect our organisation?

3. Do we have confidence in the security of our data  - what information assets do we have, where are they stored, who has access, and who do we share them with?

4. Have we satisfied ourselves about the security of third party suppliers and that we aren’t exposing ourselves to risk?

5. How are we protecting our data? What commercial decisions have we made about balancing the level of security with cost effectiveness?

6. Is our crisis plan current and does it include our response in the event of a Ransomware attack? Have we rehearsed it as a governance team?

7. Do we have the right skills and expertise within our team to manage our Cyber risk? As well, are they equipped to respond appropriately should an attack occur?

8. Are we ready to apply our crisis plan? Have we rehearsed it as a governance team?

 

If you’d like to discuss your organisation’s readiness and response for cyber threat, please contact us. 

 

Contact us

Ryan Ettridge

Ryan Ettridge

Partner, Brisbane, PwC Australia

Tel: +61 417 702 234

Follow PwC Australia