Held hostage: Ransomware attacks a test of leadership, not technology
For two years in a row, Asia-Pacific has been the region in the world most affected by cyberattacks. Ransomware attacks, where organisations face being extorted of money, data, and their ability to operate, are becoming such as issue that Australia is considering banning ransomware payments.
Consider also that ransomware attacks often grab headlines and leave business leaders struggling to know how to respond, it is clear they demand an unusually high level of preparedness. But are Asia-Pacific business leaders preparing in the right way?
My experience in crisis management tells me that it takes a village to manage a ransomware attack, something many business leaders are only starting to realise. It is a lesson leaders need to learn fast. Without a rock-solid, coordinated response, not all businesses will weather the cyber-storm.
“Without a rock-solid, coordinated response, not all businesses will weather the cyber-storm.” – Antoine Calendrier, Head of Crisis and Trust Services for Asia-Pacific, Edelman
It is a Monday morning, and a blinking notice pops up on your laptop. The next moment, your operations team informs you that the entire factory is at a standstill. Machines cannot function. Employees cannot access the building. Soon, customers are calling in with questions and complaints. All this happens in a matter of hours, and it soon seems that the only way out is payment to an unidentified threat actor.
If this seems unlikely for your business, consider that every day, hundreds of millions of cyberattacks take place, aided by the rapid expansion of ransomware-enabling technologies, and the advent of “ransomware-as-a-service” which enables end-to-end solutions for threat actors to implement an attack—from the system penetration itself to the reception of the ransom payment.
There is no substitute for solid technological defences. But in a time of crisis, keeping your businesses in business and protecting stakeholder trust is ultimately a test of leadership. Here are how business leaders can prepare for success.
First, surround yourself with your A-team. Ransomware is a wide-ranging issue requiring a comprehensive, enterprise-wide response. The quicker the executive team gets a shared understanding of the seriousness and magnitude of the situation, the better it will be at responding. This can be planned for long before any attack. From specialised legal counsel to forensics investigators, professional negotiators, cybersecurity insurers and public relations experts, convening a broad and well-synced team is a challenge, but one that is best anticipated, not improvised in the blur of a crisis.
Leaders also need to prepare for long-term consequences. While the heat of the crisis—its externally visible dimension—may last only a few days, the consequences of the cyberattack itself will be experienced for months. This is not only because IT systems never come back online instantly but because of an increasingly demanding regulatory environment and the heightened politicisation of ransomware attacks. The far-reaching dimensions of a ransomware attack need to be factored in when developing crisis management plans, with an eye to immediately protecting the trust and setting the foundations for a rapid reputation rebuild as the crisis subsides.
And while preparing for a variety of consequences, leaders also need to prepare for the worst. Whether or not to pay the ransom is a thorny, multidimensional topic. It is certainly tempting but handing over a ransom does not create any certainty that the lights will go back on, or the data recovered. Specialised counsel is required to tailor an ad-hoc approach to best meet the demands of the situation. But when the clock is ticking it is best practice to immediately prepare for the worst and hope for the best, regardless of the negotiation strategy adopted.
Next, leadership teams need to fill the information vacuum. Ransomware attacks are experienced by organisations as an informational gap challenge. This is common to most crisis situations but takes a unique turn to ransomware. Like a virus spreading unknowingly, pressing questions from stakeholders include: Could I be infected? As part of this supply chain, will my business go down too? How far can this go?
I have seen this cause critical stakeholders to stonewall and move into “defence mode” at a time when dialogue and partnership are fundamental. This continued dialogue is even more critical with internal audiences, given the consequences of the attack on workplace operations and the role employees will play in interacting with the outside world.
Ultimately, managing a ransomware attack is a test in crisis leadership: How to do the right thing, with the right team, within the right timeframe. Leading an executive team through such a crisis requires nerves, confidence, and foresight. These are not inherent characteristics that leaders either have or do not. Rather they come from organisations training their leadership teams and training them again.
The ransomware market is fast-moving and threat actors use highly creative tactics. There is no doubt that the issues, challenges, and responses are complicated. And while no business or its leaders will ever feel fully ready for a ransomware attack, they can do one thing: Prepare. The advice for businesses is in fact deceptively simple: Train your teams. Not only the top leadership, the IT, or the communications teams. And train them often.
About the author: Antoine Calendrier is Head of Crisis and Trust Services for Asia-Pacific, Edelman.