January 28 marks Data Privacy Day, an international event created to raise awareness of data protection best practices. Following a particularly challenging 2021, when ransomware attacks hit record levels, it is an opportune time to reflect on the evolving cybersecurity landscape and lessons learned from a communications and reputation perspective.
As comedian John Oliver said recently, ransomware is now “so pervasive that it’s affecting pipelines and grandmothers.” The volume of ransomware attacks more than doubled in 2021 from 2020 (which was itself the worst year ever for ransomware), with a shift towards high-profile public infrastructure resulting in increased media attention. The devastating attacks on Ireland’s healthcare system, Colonial Pipeline, and the global meat-processing company JBS made ransomware a household topic.
An emerging tension lies between the growing volume of ransom payoffs and increased public sentiment against making such payments – at least in the abstract. 79% of the respondents in a 2021 Twitter poll by Menlo Security were against paying ransom, and a UK poll from security firm Talion found that 78% of consumers thought ransomware payments should be banned. However, when people had a personal stake in the entity attacked, they generally favored payment of ransom. For example, 72% of parents said they would favor the payment of ransom if their child’s school was the subject of a ransomware attack, as reported by a 2021 Kaspersky survey of school-age parents in the US.
Cyber criminals are aware of this divergence of views around ransom payment, and have resorted to additional tactics, such as engaging directly with media and even contacting customers of entities hit by ransomware to increase pressure for payment – tactics employed recently by the prominent Clop ransomware group. Surveys on the proportion of victim companies that pay ransom vary widely, but what is clear is that a large number of companies do pay despite the risks that they may not get all their data back and that paying may invite subsequent attacks.
As ransomware attacks become more sophisticated and affect the lives of more consumers, governments have mobilized and are coordinating with the private sector to reduce the threat. In the United States, the new Joint Cyber Defense Collaborative will involve the private sector in cyber crisis and cyber defense planning. The US and EU have launched a task force to combat ransomware, focusing on information sharing, best practice exchange, and pressuring states that are sponsoring ransomware. Companies can benefit from active collaboration with governments in an incident, reducing their exposure both to the attackers and to the government regulators investigating the attack.
US congressional attention on ransomware is heating up: according to CSO Magazine, at least 18 bills focused on cybersecurity have been introduced recently in the US Congress. One prominent bill introduced by Senators Marco Rubio and Dianne Feinstein would increase cryptocurrency oversight, penalize countries providing support for ransomware, and require critical infrastructure owners and participants to report ransomware incidents within 24 hours. US states including North Carolina, Pennsylvania, and New York are also advancing bills that would ban ransomware payments and require notification of ransomware attacks. Other countries, such as Canada, Singapore, and Japan, have adopted GDPR-style legislation, often with strict reporting requirements.
While US legislation has not yet been adopted at the national level, it is clear that stricter reporting requirements will emerge and companies will have to prepare to respond rapidly – and often publicly – in the event of an incident. These tougher requirements will increase pressure on companies to implement a rapid and broad stakeholder cascade in the event of an incident.
In light of this changing landscape, companies should do the following:
- Review incident response plans regularly and ensure there is a section devoted to communications, with clear protocols for how to respond to emerging threats, including ransomware.
- Ensure your core incident response members know their own responsibilities and are prepared to act quickly. With the likelihood that rapid reporting will be required, companies must be able to reach key executives and outside advisors quickly, even if systems are down, and should have a process in place for quick assembly and decision making.
- Put in place a clear process to develop an appropriately calibrated stakeholder notification plan, including direct stakeholder engagement.
- Understand both the business and reputational implications of paying ransom; ensure the communications strategy takes into account evolving viewpoints.
Even the best technical preparations likely won’t be able to prevent government-backed cyberattacks, and all companies should be prepared to protect their reputation if (and when) the threat becomes reality.