
The 5 Key Ransomware Questions CEOs Should Be Asking CIOs Now

In the wake of the Colonial Pipeline attack, what should you ask your CISO? Scott Howitt, CIO for cybersecurity giant McAfee, offers tips.
Scott L. Howitt

The Colonial Pipeline ransomware attack may be in the headlines, but out of public view thousands of other CEOs are dealing with similar crises. In March, for instance, a ransomware attack against insurance company CNA again illustrated how smaller companies can easily find themselves the victims of a larger hack, if the stolen data is used to extort money from the original target’s customers. And the data show that ransomware attacks show no signs of abating. Since 2016, there have been more than 4,000 cases every day, according to FBI figures.

“But that’s likely a very low estimate,” says Scott L. Howitt, SVP and chief information officer for cybersecurity giant McAfee. “They’re using the stats that were reported to them and in a lot of cases, people don’t report it because they don’t want the bad press to follow them.”

That’s understandable—particularly considering the high financial toll this particular cybercrime has taken on targeted companies. At our recent Risk Summit, we asked Howitt for some smart questions to be asking our security and technologies teams to help mitigate ransomware risk:

Are We Segmenting Networks?

Howitt recommends CEOs and boards ask their CISOs about creating divisions between networks to ensure that when one is infected, the malware doesn’t spread as easily to the rest. For example, as CISO of MGM Resorts International prior to McAfee, Howitt worked on segmenting the casino’s hospitality, restaurant, retail and entertainment networks in order to mitigate potential damage to the whole business.

Internet of things (IoT) applications have made the job of securing all points on the network even more complex, adding new risks, he added. At MGM Resorts, the refrigerator technology allowed temperatures to be regulated remotely. “So now [we had to consider], what if somebody came in and raised the temperature of the chicken, so now suddenly I’ve got poisoning risks and it’s a life safety issue instead of now being a data leakage issue.”

Can We Identify The Potential Threat Actors?

While active monitoring for potential attacks is critical, it’s not enough. Your CISO should be able to identify the bad actors most likely to target the company and then ask what they are doing proactively to prevent those attacks. “Because that’s one great thing about threat actors—they’re not very inventive,” said Howitt. “They only have to get it right once or twice, so they throw an attack against a thousand people and if one or two catches, it’s worth the money.”

Have We Run A Companywide Prevention/Awareness Program—Including The Board and C-Suite?

Most malware is spread initially through a phishing email sent to an employee with network access, which is what happened to CNA. “They had a very robust cyber program, but that’s the trick—it only takes one click for something bad to happen,” Howitt said.

How Are You Ensuring Security Is Being Adapted For The Future?

Most security people grew up primarily in a physical network environment, said Howitt. As companies go to the cloud and transition to a software-based world, how is your CISO retooling the security organization to adapt? To that end, he or she should be having conversations with all the company’s business owners—not just internally with the security team.

“It’s okay to put your CISO on the spot and say, ‘So, as the world changes network-based world, tell me what you know about the business. How are you adapting that to meet the strategy?’” he said. “If the CISO isn’t thinking about it in terms of business strategy, it’s checkbox compliance. That will get you past the audits, but it won’t necessarily keep you secure.”

If We Are Hit By Ransomware, Will We Pay Or Not?

To be sure, ransomware attacks only thrive in a world where victims pay the ransom. But whether or not to pay is an age-old question without a clear-cut answer. “It’s easy to be morally right and say you should never pay, but it has to be a business decision,” said Howitt. Factors will include the ransom amount, the files that have been targeted, the cost to the business of having files stay locked, etc. According to the latest data, only 26 percent of firms pay, and that may be because their cyber insurance firms require it.

“From an actuarial standpoint for them, it’s cheaper if they just hurry up and pay the ransom and take the chance of getting the attack over with,” said Howitt. But he points out that payment does not guarantee the return of the data that was stolen. “It’s always a very dicey proposition to pay them off because they might not unlock your files and they’ll just take your money and run.”

Howitt recommends conducting a tabletop exercise looking in detail at the potential impact of a ransomware attack on each area of the business. “The frequency of tabletop exercise should be every quarter,” he said. “And it doesn’t have to be a full day. You can accomplish a lot in an hour or two. It should be a very specific scenario.”

The ask is, what we need to do, and then is it working? Should we do more or less? Kill it? The data-driven decision is becoming more and more important.”

