June 21, 2022 By Jonathan Reed 4 min read

The majority of C-suite executives are confident in their organization’s protection against ransomware attacks. At least, that’s what a recent research report from ISC2 shows. In fact, just 15% express a lack of confidence. Does this confidence take into account the nearly 53% rise in double extortion ransomware attacks between January and February? Are the executives wrong? Or do they have insight that others lack?

While it might seem like a paradox, there are some good reasons to be confident in ransomware protection. Improved teamwork between executives and security teams, effective approaches, cryptocurrency regulation and successful investigation into ransomware crimes are all reasons that offer a sense of improved confidence.

Communication is essential

Cybersecurity issues impact business operations and the bottom line. For example, the average cost of a ransomware attack is $4.62 million. In the wake of a data breach, companies can lose customers, lose trust and face hefty fines.

According to the ISC2 study, business leaders would like more budgetary and risk information when it comes to knowing their cyber risk. Up to 41% of executives surveyed want more details on investments needed to protect against ransomware. And 43% want to know exactly how another budget will improve security.

To build true confidence in your protection against malicious attacks, all key stakeholders should be made aware. Despite the sense of confidence, only 29% of boards are “deeply involved” in cybersecurity strategy. This reveals a gap between the real world and that confidence.

Highly effective approaches

Employee training is essential, as many cyber attacks occur through social engineering scams. Infected files can find their way into a network through phishing emails and imposter social media accounts. If employees aren’t careful, an attacker could fool them into opening the door wide for a malicious attack.

Still, human beings aren’t the only ones seeking network access. The online world has exploded with apps, APIs and Internet of Things (IoT) devices that require authentication. Advanced identity and access management (IAM) tools can decide which requests are approved and provide the least amount of privilege for each.

IAM solutions can manage access for clients, partners, employees, contractors and any other human or machine access request. All of this falls into a broader category of zero trust policies. Zero trust ensures that the system restricts resources by default, even for connections inside the perimeter.

Could it be that truly confident leaders already have zero trust solutions up and running to protect their networks?

Regulating cryptocurrency

It’s no secret that nefarious gangs typically demand payment in Bitcoin, Ethereum or other cryptocurrencies. These payment methods are anonymous, hard to track and easy to obfuscate. However, as crypto moves further into the mainstream, regulation will also advance with it. From a security standpoint, this could be a good thing. It could add anti-money-laundering rules, customer requirements and the requirement to file suspicious activity.

Catching cyber thieves

Some might believe you can’t catch a crypto crook. But investigations lead to real results, such as shutting down darknet markets and arresting attackers. For example, the U.S. Department of the Treasury recently reported the takedown of the Hydra gang. In a coordinated international effort involving multiple U.S. federal authorities, the German Federal Criminal Police shut down the server infrastructure of Hydra, the largest darknet marketplace in the world.

The massive Hydra network had 17 million customer accounts and over 19,000 registered sellers. In 2020, the group had a global turnover of $1.34 billion. In addition to sanctioning Hydra, authorities found and listed over 100 virtual currency addresses that criminals used to conduct illicit transactions.

Massive scale of threat coming?

With the rise in attacks, even the average person is more aware of the risk. Meanwhile, organizations of all kinds, from corporations to infrastructure to government agencies to health care, are all under intense attack. As the damage continues to mount, leaders will be forced to face a new truth: cyber security strategy is company strategy. Relying on audits, flimsy security add-ons and development afterthoughts isn’t competitive.

The most difficult attacks to defend against are still those that trick people, worm into systems and find or install backdoors. If these processes could be automated (some already are, like automated phishing), unprotected companies could be in for a world of hurt.

Are you optimistic?

No matter your level of confidence, it pays to take a good look at your current security posture. First of all, decisions must have strong C-level buy-in. Executives must learn to work well with their security teams and include them at key levels of decision-making. Meanwhile, the chief information security officer should learn to speak in business terms. They need to understand how budgets can be made to strengthen the business, not just security.

From there, implement the right tools early. Already, proven approaches such as zero trust exist in our new perimeter-less reality. As attacks grow in scale and sophistication, artificial intelligence (AI) is helping overworked teams stay ahead of threats. With AI assistance, threat intelligence can curate data from millions of research papers, blogs, news stories and other data sources. From there, machine learning and natural language processing tools provide rapid insights to reduce response times.

Lastly, government agencies and law enforcement are doing their part to make the internet safer and bring criminals to justice. Even though threats will always exist, the prepared organization has the tools and know-how to make a difference. That’s a good reason to be optimistic.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today