The 5 Key Ransomware Questions CEOs Should Be Asking CIOs Now

In the wake of the Colonial Pipeline attack, what should you ask your CIO or CISO? Scott L. Howitt, SVP and chief information officer for cybersecurity giant McAfee, offers tips.

Scott L. Howitt

The Colonial Pipeline ransomware attack may be in the headlines, but out of public view thousands of other CEOs are dealing with similar crises. In March, for instance, a ransomware attack against insurance company CNA again illustrated how smaller companies can easily find themselves the victims of a larger hack, if the stolen data is used to extort money from the original target’s customers. And the data show that the prevalence of ransomware attacks shows no signs of abating. Since 2016, there have been more than 4,000 cases every day, according to FBI figures.

“But that’s likely a very low estimate,” says Scott L. Howitt, SVP and chief information officer for cybersecurity giant McAfee. “They’re using the stats that were reported to them and in a lot of cases, people don’t report it because they don’t want the bad press to follow them.”

That’s understandable—particularly considering the high financial toll this particular cybercrime has taken on targeted companies. At our recent Risk Summit, we asked Howitt for some smart questions to be asking our security and technology teams to help mitigate ransomware risk:

Are We Segmenting Networks?

Howitt recommends CEOs and boards ask their CISOs about creating divisions between networks to ensure that when one is infected, the malware doesn’t spread as easily to the rest. For example, as CISO of MGM Resorts International prior to McAfee, Howitt worked on segmenting the casino operator’s hospitality, restaurant, retail and entertainment networks in order to mitigate potential damage to the whole business.

Internet of Things (IoT) applications have made the job of securing all points on the network even more complex, adding new risks, he said. At MGM Resorts, the refrigerator technology allowed temperatures to be regulated remotely. “So now [we had to consider], what if somebody came in and raised the temperature of the chicken, so now suddenly I’ve got poisoning risks and it’s a life safety issue instead of now being a data leakage issue.”

Can We Identify The Potential Threat Actors?

While active monitoring for potential attacks is critical, it’s not enough. Your CISO should be able to identify the bad actors most likely to target the company; then ask what the security team is doing proactively to prevent those attacks. “Because that’s one great thing about threat actors—they’re not very inventive,” said Howitt. “They only have to get it right once or twice, so they throw an attack against a thousand people and if one or two catch, it’s worth the money.”

Have We Run A Companywide Prevention/Awareness Program—Including The Board and C-Suite?

Most malware is spread initially through a phishing email sent to an employee with network access, which is what happened to CNA. “They had a very robust cyber program, but that’s the trick—it only takes one click for something bad to happen,” Howitt said.

How Are You Ensuring Security Is Being Adapted For The Future?

Most security people grew up primarily in a physical network environment, said Howitt. As companies go to the cloud and transition to a software-based world, how is your CISO retooling the security organization to adapt? To that end, he or she should be having conversations with all the company’s business owners—not just internally with the security team.

“It’s okay to put your CISO on the spot and say, ‘So, as the world changes from a network-based world, tell me what you know about the business. How are you adapting that to meet the strategy?’” he said. “If the CISO isn’t thinking about it in terms of business strategy, it’s checkbox compliance. That will get you past the audits, but it won’t necessarily keep you secure.”

If We Are Hit By Ransomware, Will We Pay Or Not?

To be sure, ransomware attacks only thrive in a world where victims pay the ransom. But whether or not to pay is an age-old question without a clear-cut answer. “It’s easy to be morally right and say you should never pay, but it has to be a business decision,” said Howitt. Factors will include the ransom amount, the files that have been targeted, the cost to the business of having files stay locked, etc. According to the latest data, only 26 percent of firms pay, and that may be because their cyber insurance firms require it.

“From an actuarial standpoint for them, it’s cheaper if they just hurry up and pay the ransom and take the chance of getting the attack over with,” said Howitt. But he points out that payment does not guarantee the return of the data that was stolen. “It’s always a very dicey proposition to pay them off because they might not unlock your files and they’ll just take your money and run.”

Howitt recommends conducting a tabletop exercise looking in detail at the potential impact of a ransomware attack on each area of the business. “The frequency of tabletop exercises should be every quarter,” he said. “And it doesn’t have to be a full day. You can accomplish a lot in an hour or two. It should be a very specific scenario.”

“The ask is, what do we need to do, and then, is it working? Should we do more or less? Kill it? The data-driven decision is becoming more and more important.”