Over the past year, a surging cybersecurity threat has infiltrated the computers of individuals and organizations around the world. Known as ransomware, this type of cyberattack holds sensitive data hostage and then forces victims to pay up to get it back or to stop it from being released or destroyed. Although major ransomware attacks have made recent headlines, this type of threat really isn’t new. In fact, the earliest forms of ransomware came out around 1996, with extortion-based ransomware emerging in the mid-2000s. But the threat is growing. According to Barkly, which offers anti-ransomware protection, ransomware continued to experience record growth in 2017, with fifteen percent or more of businesses in the top ten industry sectors being attacked.
What Is Ransomware?
In a ransomware attack, victims often receive an email addressed to them with an attachment or URL that appears legitimate but, once opened, installs the ransomware. In recent years, criminals have also exploited unpatched software and devices to plant malicious code on legitimate websites. This code infects computers by encrypting files and folders on all drives—and potentially other computers on the same network. Most users are unaware of the attack until they can no longer access their data or begin receiving messages detailing the attack. These messages typically demand a ransom payment in exchange for a decryption key. The ransom is often required in bitcoin, because this cryptocurrency is practically impossible to trace.
Unfortunately, according to the 2016 Kaspersky Security Bulletin, twenty percent of businesses that paid the ransom never retrieved their files. While it’s unsurprising that some attackers have no intention of returning what they stole, perhaps the most damaging result of ransomware is lost work time. According to Barkly, seventy-two percent of businesses whose computers were infected lost access to data for two days or more, with one third going for five days or longer without access. More often than not, lost time and lost business can cause much more damage than the ransom itself.
Recent Ransomware Attacks
Over the past year, ransomware has victimized numerous organizations around the world, large and small. The WannaCry virus penetrated more than 300,000 computers in more than 150 countries and resulted in $4 billion in estimated damages and loss of revenue worldwide. The Petya virus, which spread through a widely used tax and accounting software package in Ukraine, affected organizations as diverse as the National Bank of Ukraine; Kiev’s main international airport, Boryspil; and the nuclear power plant at Chernobyl.
In June, the multinational shipping company FedEx announced that its subsidiary, TNT Express, was disrupted by a ransomware virus that crippled computer systems in Europe, Asia, and the United States. FedEx claimed the event had “material impact” on its bottom line. Only a month before, the company had also been hit by the WannaCry virus.
Maersk Shipping, a company responsible for over fifteen percent of the world’s shipping, was hit by a heavily modified version of Petya, known as NotPetya, released last year. The attack crippled the company’s logistical operations, causing more than $200 million in damages. NotPetya was specifically designed for the stolen data to be unrecoverable, even if a company paid the ransom.
From corporations to government to private sectors, no organization is safe from a ransomware attack. Multinational organizations, however, could face increased risk due to their vast amounts of data, high-profile status, and, of course, their ability to pay higher ransoms.
Why CFOs Must Prioritize Cybersecurity
If you think ransomware is strictly an issue for your IT department, think again. While protecting against hackers does fall into the IT realm, the ramifications of a ransomware attack reverberate across an organization.
For multinational enterprises, ransomware is particularly powerful because it can engulf large companies by exploiting vulnerabilities in company servers and then spreading easily within integrated corporate networks. Once a ransomware attack succeeds, the fallout can cause severe reputational damage, diminish shareholder confidence, and contribute to EPS volatility.
If we consider regulations like the General Data Protection Regulation (GDPR), which seeks to create a harmonized data protection law framework across the European Union, we should be aware that breach notification procedures may differ among regions. Multinational corporations not only need to be aware of regional regulatory requirements, but also develop and implement plans that comply with these standards to avoid potentially significant fines and penalties. Additional challenges may be related to differences in time zones and governance structures, which can reduce the visibility of the entirety of affected assets.
If that isn’t enough to catch your attention, consider client security risks. If your company houses personal client data, a massive breach can result in penalties for mishandling information, not to mention brutally diminished client relationships.
Once security is breached, personally identifiable information (PII) often finds its way to nefarious places on the dark web, which consists of web pages and data that are beyond the reach of search engines. Here, criminals can purchase detailed and sensitive information about individuals that may result in identity theft, tax fraud, and other calamities.
For these reasons, CFOs must involve themselves in defending against cybersecurity threats. Here’s how.
Mitigating Ransomware Risks
Although there is no way to defend completely against a ransomware attack, there are steps every organization should take proactively to mitigate the risk associated with this growing threat:
1. Understand your organization’s security risks.
As a CFO, you don’t need to be immersed in the technical details of cybersecurity; however, it is important to be aware of the current environment and the threats posed to your organization, so you can ensure that basic defensive operations and the foundations of security are supported. Too often, CFOs are not given all the relevant facts or education on the greatest exposure points that exist within the organization. This results in long-standing or systemic underspending in critical security areas such as detection, antivirus protections, and response operations.
To avoid these missteps, consider setting up a quarterly meeting with the head of your IT security management group to understand what risks your organization faces and how they are being defended against. It’s also important to make sure the vendors and partners you do business with not only properly protect you but are properly protected themselves. Remember: An attack on them could result in an attack on your organization.
2. Allocate funds to support best practices, technology, and compliance.
Clearly, it takes an investment to defend your data. Make sure your organization takes advantage of best practices in cybersecurity and reduces vulnerabilities in your systems. From application security to two-factor authentication, make sure your cybersecurity teams are in the know and use the latest technology to defend against potential threats. Furthermore, make sure to measure your progress and educate yourself through regular exposure to the metrics associated with security so you can fully understand your company’s defensive posture and capabilities.
3. Ensure that a detailed communication plan is in place.
If the worst-case scenario occurs, be prepared for it. From public relations to client, employee, and shareholder communications, make sure your teams are equipped to triage quickly. If a ransom is demanded, discuss in advance how your organization will handle it. Create a comprehensive incident plan, being sure to review and update it regularly. It goes without saying that viable, tested, and working disaster recovery and business continuity plans should be fully funded and resourced. Without them, businesses run the risk of restoring services without the actual ransomed data, relying on backups that are out of date or, worse, useless because of their age.
In the end, the most important takeaway is that ransomware, or any type of cybersecurity attack, has consequences for the entire organization. Cybersecurity must therefore be viewed not as a technical problem but as a business problem—and if it isn’t, then you must move it there. The risk is only increasing as hackers become more sophisticated, so it’s critical to be proactive in understanding and preparing for a potential attack. While it’s impossible to eliminate the risk, you can mitigate the consequences.
Marc Mehlman is vice president and head of ONESOURCE Direct Tax and Accounting business at Thomson Reuters.
Endnotes
- “Ransomware: The New Threat to Business Uptime,” Intermedia, accessed March 10, 2018. www.intermedia.net/report/ransomware.
- Steve Ranger, “Ransomware Attack: The Clean-up Continues After WannaCry Chaos,” ZDNet, May 18, 2017. www.zdnet.com/article/ransomware-attack-the-clean-up-continues-after-wannacry-chaos.
- Hamza Shaban, “FedEx Delivery Unit Hit by Worldwide Cyberattack,” Washington Post, June 28, 2017. www.washingtonpost.com/news/the-switch/wp/2017/06/28/fedex-delivery-unit-hit-by-worldwide-cyberattack/?utm_term=.f4e9dfd2d79a.