Close this search box.
Close this search box.

Ransomware: What To Do When Your Organization Is In The Crosshairs

When it comes to cybersecurity and ransomware, CEOs need to come up with a plan for handling security breaches before they happen.

ransomwareWould you not invest in a front door lock or security system, hoping that if you were robbed, the thief would give you a good deal on your stolen property?  As with security, it is not a matter of ‘if’ you need homeowner’s insurance.  It is a matter of ‘when.’

Why then do so many organizations fail to invest in security, thinking that they can pay off a hacker’s ransom or predict, many times incorrectly, the ultimate cost of a breach?  Though the average is just over 1.5M, a growth of 50% in just two years, the real cost depends upon the type of data compromised – i.e., the vertical, such as finance or healthcare – the extent of the breach, and the length of time the intruder has gone undetected.  And, there are both direct and indirect costs, with some estimating the overall cost of a breach at over 10% of revenue. How many organizations can afford this loss?

In fact, based on a recent study by NTT, 34% of organizations would rather pay the ransom, a low of 21% in the UK to 41% in Germany.  Remember that a ransom that may not actually result in recovered data, and also has the effect of delaying the correction of the root cause.  Another day, another ransom request.  However, the industry is heading in a positive direction, since a year earlier, an analysis published by Trend Micro found that 75% would be willing to pay.

The problem with paying the ransom is that it usually doesn’t pay off.  A study by the CyberEdge Group shows that of the 39% of ransomware victims who have paid, less than half recover their data.  One interesting observation is that the number of organizations who actually pay is about half when compared to those that say they will pay.  When combined with those who refuse to pay in the first place, the total data loss is on the order of 27% if an organization has been hit by ransomware.

Despite these less than reassuring numbers, organizations do in fact pay, with the FBI estimating that total payments grew from $24 million in 2015 to over $1 billion in 2016, possibly due to better reporting.  2017 data is not in yet, and one must assume that not every company that pays, reports.  And, the amounts are growing, with an IBM survey showing that of those who do pay, 50% pay more than $10K, and 20% more than $40K.  As one analyst noted, it is much like a business having to pay protection money to the local mob.  It rarely ends well!

However, with conflicting guidance even among security researchers, it is really up to the executive team at the organization to decide whether or not to pay.  Panic sets in, and continuity of business or the threat of confidential data in the public domain can be the deciding factor.  Still, much better not to be placed in a compromised position in the first place.  But how?

A common refrain is that the organization is ‘too small’ to be subject to such-and-such breach, or that security controls are too much of a burden for employees.  True, security must be usable to be effective, and a balance is required, but this balance is really about understanding the difference between being first or being first and secure.   And, being too small increasingly is not an excuse if part of a larger vendor’s supply chain.  There is a growing awareness of this third party risk, with contractors and temps identified in the NTT report as the weakest link by 60%, and partners / suppliers identified by 49%.   There are larger issues at play as well.

The same report shows that less than half (45%) of the organizations surveyed have an incident response plan, possibly a driver for the ransoms described earlier, 41% consider all their critical data to be secure, an overestimation, and 43% believe that security is only the responsibility of IT, leading to stovepipes and lack of communications.

So, how not to fall victim?

Brian Krebs, a well-known influencer in the security space, has published three cardinal rules of online security:

  1. If you didn’t go looking for it, don’t install it.
  2. If you installed it, update it.
  3. If you no longer need it (or, if it’s become too big of a security risk) get rid of it.

Mapping these precepts to action:

  • Point 1 relates to user training, and where required, locking down endpoints (i.e., no USB drive access).
  • Point 2 addresses basic security hygiene, and calls for continuous assessment of the infrastructure, both on-prem and in the cloud. This includes continually monitoring the current state of the organization’s ‘CyberPosture’ against the required securing baseline, and immediately adjusting when drift is identified.  A corollary is to ensure that if an application and associated data is installed, ensure that an automated backup plan is in place that is logically and physically separated from the primary network.
  • Point 3 also mandates hygiene, eliminating services, applications, and especially data that is no longer critical. The last item – data – is what trips up many organizations.  A corollary to 3 is limiting the same services, applications, and data to only those in the need – a zero-trust model.

While larger organizations can of course deploy more sophisticated forms of protection, but the above should serve as a baseline. That being said, why not avoid the bandage solution of simply “winging it” and hoping the organization isn’t targeted altogether and actually invest the time and money into curing the actual issue at hand – security. By doing so, organizations will be able to prevent and not remediate any types of ransomware attacks they might find themselves faced with and can come out on top.

RelatedCreating An Effective Cyberattack Defense Plan—Before It’s Too Late


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.