Board members understand the financial, operational and legal risks to their business. Cyber resilience belongs in the same strategic view and should be managed within the same overall risk framework.
The impact of a ransomware attack on your organisation can be catastrophic, not just for you but for your customers as well. That makes cyber security a board-level responsibility, which means board members and partners should know the basic questions to ask their IT team or technology provider.
WHAT DO YOU NEED TO KNOW?
Typically, ransomware prevents you from accessing your data by encrypting it. Many attackers also copy the data before encrypting it, so it may be sold on the dark web or released online even if you restore from backups.
Ransomware attacks will often compromise your whole network, not just a single computer.
You should assume the attackers know enough about your organisation to have assessed how much you are willing to pay them. Remember, payment is no guarantee that your data will be decrypted, that it has not been corrupted, or that stolen copies will be deleted.
WHAT DO YOU NEED TO ASK?
What monitoring is in place around those critical assets that would have an impact if compromised, damaged, or altered?
Is monitoring happening in real time and managed by trained security personnel?
Do we have procedures in place for staff to report any suspicious activity, and is this routinely reinforced through training refreshers?
Are we protected by professional security operations centre (SOC) personnel who will know how to manage alert thresholds and recognise genuine alerts when they occur?
Do we have visibility of all the physical, virtual and software assets on our network and their status? Are they maintained with the latest patches and versions?
Are we able to identify and remove shadow IT that our own staff may introduce into the network?
How do we authenticate and grant access to users and systems? Is multi-factor authentication in use, and is access granted on the basis of least privilege?
How is our storage segregated so that an attacker who compromises the network cannot reach every copy of our data, including the backups?
Could we recover quickly enough to avoid a prolonged outage that damages corporate reputation and brand?
What data is ‘critical’ and how frequently is this backed up? How frequently is non-critical data backed up?
How confident are we that we could actually recover from these backups? How frequently is a restore tested, and has a full restore of a critical system ever been rehearsed end to end?
How are our backups stored? Are they offline, immutable, or held in a separate location with separate credentials? What are our recovery time and recovery point objectives, and have we verified that the backup schedule and restore process can meet them?
Do we have clear escalation routes and defined decision-making processes to deal with a major cyber incident?
Do we understand our regulatory requirements and obligations to report data loss incidents?
What are our contingency measures to maintain business operations?
Do we practise our response to cyber incidents, how often, and how do we learn from these exercises?
It is important to view cyber resilience strategically. Cyber security risk should have the same prominence as financial, legal or any other strategic risk in board decision making.
If you need a better understanding of your organisation's ability to deal with an attack, get in touch. We're here to help.