Chief Risk Officer Perspective

What is the role of the CRO in the event of a cyber-extortion attack?

With cyber extortion attempts on the rise, it is only a matter of time before your organization faces one, if it hasn't already. It's likely that it'll be a form of ransomware or cyber extortion (Cy-X) that has beaten your defenses. Based on data from Orange Cyberdefense's Security Navigator, the main motivation of cybercriminals remains the pursuit of profit, and ransomware attacks remain one of the most lucrative approaches.

There's no denying Cy-X attacks are increasing: Orange Cyberdefense data highlighted a six-fold increase in Cy-X related threats from the first quarter of 2020 to the third quarter of 2021. But with cyber-attacks growing, is there value in focusing specifically on one threat?

In a word, yes. A full recovery is not guaranteed – according to Gartner, 32% of organizations lost top leadership after an attack, with companies suffering an average of 20 days of disruption.

To help you tackle Cy-X, it is first important to consider some of the significant challenges your organization faces:

Questions you will face

Understand your organization's overall risk profile

Knowing risk is part of the CRO's daily life, with each company's risk profile unique to its combination of objectives, markets, and industries. With so many threats to an organization's operational effectiveness, Cy-X is just one of potentially hundreds that need to be considered and built into the risk profile. To ensure the Cy-X threat is properly accounted for, CROs must enlist the support of the CIO and CISO to distill the technical and operational aspects which are unique to Cy-X, and ensure proper mitigation and crisis management initiatives are put in place.

What will your external stakeholders expect?

In the event of an attack, stakeholders such as customers, industry regulators, insurance providers, shareholders, employees and other groups with vested interests in the organization expect to be updated and informed of the scope, impact and response to the incident. But the information they need will differ, and what your organization wishes to disclose will depend on your business, regulatory and market context.

Being able to work with your CISO, CIO and other teams in the organization to identify each of your stakeholders, and to define how to communicate effectively with them, is a critical part of managing the immediate aftermath of a Cy-X incident.

What is the likelihood of a Cy-X attack occurring?

Feeding into that risk profile is the likelihood of a Cy-X attack occurring. As mentioned above, the number of incidents has increased; the challenge for the CRO is understanding the probability of an attack and its likely impact. Whereas your CIO and CISO counterparts will look at it from a technology perspective, considering how critical IT systems and data could be paralyzed, CROs need to enable a wider assessment of how it will affect every aspect of the organization, and work with other C-level leaders to implement an action plan to mitigate it should an attack happen.

Pinpoint your key challenges and actions

Putting Cy-X into the same group as other external threats can be tempting. But having a comprehensive understanding of how it materializes, and of the specific role a CRO has in mitigating the impact, can help businesses respond effectively to an attack.

To find out more, read our CRO's guide to cyber-extortion defense.
