What is ransomware?
Ransomware is harmful software (or malware) that encrypts your computers and the files on them, so you and your team cannot access them. The attacker then demands a payment (or ransom) to restore your access.
Ransomware can infect your device in the same way other viruses do, commonly through:
- Visiting unsafe or suspicious websites
- Opening emails or files from unknown sources
- Clicking on malicious links in email or on social media
Some common signs you have become a ransomware victim include:
- Pop-up messages requesting funds or payment
- You cannot access your devices, or your login doesn’t work
- Access to files needs a password
- Files have moved
- Files have unusual file extensions
As a CEO (or other company executive) it’s understandable if you feel vulnerable knowing that a cyberattack can occur at any time. Cybersecurity solutions can sometimes seem overwhelming.
Yet by implementing the following 5 steps, CEOs can feel confident that their business is properly protected from a ransomware attack.
#1. Get board level buy-in for cybersecurity
In the past, cybersecurity was a technical IT responsibility. However, for some time now cybersecurity has been developing into a business driver rather than a technology issue. That’s why it’s important to ensure board level buy-in and support.
The main ways that CEOs can gain buy-in from their board are:
- Quantifying the company’s cyber risk based on budgets
- Defining a clear return on investment (ROI)
#2. Have a cybersecurity plan
A cybersecurity plan is something every staff member, at every level, must be aware of. This means that if a breach occurs, everyone knows what to do.
A cybersecurity plan should include:
- Security policies, procedures, and controls required to protect the company
- An outline of the specific steps to take to respond to a breach
This plan can also be called a ‘Crisis Management Plan’, which you can learn more about in our blog ‘5 questions board members need to ask’.
#3. Don’t skimp on your cybersecurity budget
Cybersecurity is not a one-size-fits-all kind of investment. Many companies – especially SMEs and start-ups – struggle to make the right security choices. Yet choosing cheaper options will end up costing more in the long term.
Cybersecurity is more than just having anti-virus software in place. The best cybersecurity measures are outlined in the Essential Eight Framework, as identified by the Australian Cyber Security Centre.
Essentially, your cybersecurity needs to cover:
- Prevention/protection from an attack – aimed at preventing malware delivery and the execution of malicious code
- Limiting the extent of an attack – aimed at limiting how far an intruder can get
- Data recovery & system availability – aimed at restoring your data and systems if an attack occurs
#4. Expect to be breached
The chance of experiencing a ransomware breach in today’s world is high, so it’s important to quickly identify when an attack has occurred. The sooner a breach has been identified, the better!
The main things for a CEO to understand are:
- How the company monitors for ransomware attacks or breaches
- How staff report any suspicious activity
- How a breach is communicated to the rest of the company
#5. Create a culture of awareness
All company departments and employees should be involved in protecting the company’s valuable and sensitive data. Crafting a culture where all employees see themselves as having an active cybersecurity role is the key to addressing an inevitable ransomware attack. It’s important that this culture starts at the top with the CEO.
Three ways to help create this desired culture are:
- Create a cybersecurity plan that is well known, and referred to often
- Launch cybersecurity education initiatives for employees
- Emphasise the importance of cybersecurity in all mass-communications with staff
Understanding ransomware and what to do when it occurs is the job of a CEO. By implementing the above 5 steps, you will be well on your way to properly protecting yourself from a ransomware attack, and ensuring your company isn’t tomorrow’s news.