It feels like ransomware has plagued businesses for an eternity. Its massive popularity among black hat hackers, however, has only surged over the last decade. Despite ransomware cases rising each year, businesses haven’t gotten much better at handling incidents, even with manifold historic attacks and case studies from which to learn.
Experts agree it’s a problem that risks damaging an organisation’s reputation, but with tech giants routinely shrugging off company-ending PR crises, it calls into question the value of reputation for onlookers. With experts now considering ransomware attacks a matter of when, not if, it’s highly tempting to adopt a complacent mindset; that customers have priced this in, and only really care so long as they continue to get what they pay for. In reality, the landscape has changed over the past five years, and failing to respect the dangers of mishandling a crisis could cause more damage than the attack itself.
Reputation matters
Businesses handling sensitive data should expect to be as prepared for a cyber attack as they would be if going to court to fight a class action lawsuit. The good news is, across the board, the level of preparation has increased in recent years, according to Mark Harris, senior director analyst in Gartner’s Digital Workplace Security team.
“Four or five years ago, when it was WannaCry [that dominated the news], people weren’t aware of ransomware as a threat. You can’t say that now, he says. “On the whole, certainly for the larger organisations, they are more prepared – they are getting better.”
Harris says factors like the personal reputation of CISOs, ever-stricter rules enforced by cyber insurance firms, and a business’ reputation being at stake, have all played a role in increasing preparedness.
Reputation certainly matters, adds Steve Turner, analyst for security and risk at Forrester, and is a deep consideration for businesses in visualising their long-term performance. Once trust is lost, he stresses, “customers will always look for an alternative”.
“Reputation is really, really important for a lot of industries where you either rely on them extremely heavily, or you have some sort of event where you need something right now. If you can't trust that brand, they're not going to be who you go to in your time of need.”
People haven’t stopped caring
Given the countless stories of ransomware attacks through the years, it’d be easy to assume we’ve become desensitised. Consumers may be more attuned to the cyber security landscape, but it doesn’t mean they care any less about having their data mishandled.
Bridging the DevSecOps divide: Spotlight on key relationships
The importance of relationships between security and development
In this respect, businesses can’t afford to be complacent, says Turner, who believes in ‘breach exhaustion’. While people may not fully grasp the gravity of a ransomware incident, they have choices, and if they’re able to get what they need somewhere else, providing it’s convenient, they will.
Breach exhaustion can’t be understated, and if the average customer had better insight into how irresponsibly their data has been handled, they may not be so apathetic, argued Dr Rois Ni Thuama, head of cyber governance at Red Sift, on the IT Pro Podcast.
Ni Thuama argued public outcry may not be so abundant due to a lack of understanding, rather than a genuine indifference. Using Equifax’s data breach as an example, she said if the public better understood the breach and how unsophisticated it was, it may have led to much wider outcry and a bleaker outlook for the FTSE 100 firm.
Don’t feed the beast
Whether it’s from customers or clients, reputation, it seems, is about expectations. What the previous umpteen ransomware incidents have taught the industry is that businesses are expected to deliver high-quality post-incident responses that hit the key checkboxes: transparency, expeditiousness, and taking responsibility. This triad of expectations demonstrate competence and professionalism, according to the experts, and each expectation must be met to deflect the heat in the days and weeks following the initial attack.
After all, a high-quality response can certainly influence a company’s long-term reputation recovery, Jack Myers, a seasoned crisis PR expert with ransomware experience, says. BA’s notorious 2018 data breach, for example, shows its “quiet” response did far more harm than good. By trying to kill the story with silence, BA essentially fed the news cycle for four-to-five months, he suggests, adding national media will spot a lack of transparency and cling to it.
Norsk Hydro’s breach a year later, by contrast, will go down as the gold standard for post-incident business communications, with Myers suggesting the firm may have even enhanced its reputation. Firstly, it appointed its CIO as its chief spokesperson – adding an air of legitimacy – in addition to being open and honest about what happened, and what the company was doing to fix it.
“It didn't feel like evasion at all, it felt like acceptance of the issues that led to the cyber incidents, but also allowed someone with all the details at hand to offer that positive messaging around what's gone wrong and what they were doing,” says Myers. “That killed the story quite quickly.”
Turning the tide
Analysts are torn over whether businesses have learned anything substantial over the years, with geography also playing a surprising role in this difference. While UK-based Mark Harris says businesses were getting better, US-based Steve Turner argues companies are only taking a "good enough” approach. This can be explained by regulatory differences; EU-based organisations are bound by the General Data Protection Regulation (GDPR), whereas the US approach is more relaxed and often outdated rules differ between states. Only the California Consumer Privacy Act coupled with the California Privacy Rights Act offer protections akin to GDPR.
This contrast is also exemplified by how businesses on either side of the Atlantic handled data breaches recently. Last year’s GoDaddy’s breach, for example, was only made public by journalists investigating difficult-to-locate SEC filings; only after reports began feeding the news cycle did the firm disclose the incident publicly.
Norway-based Volue, which suffered a Ryuk attack last May, meanwhile, created a live blog covering its response, and provided regular updates on the disruption. It even published the CEO’s phone number so customers could call with any queries.
It’s clear to see many companies are learning how to handle ransomware incidents responsibly, considering the standout cases presented by Norsk and Volue. These two cases, though, are just that: standout. We’re some distance away from companies universally understanding their customers deserve honesty and transparency when their data is on the line.
We must all factor in, and sympathise with, the company-wide frenzy that will undoubtedly take hold in the minutes immediately following an attack, and that frenzy can certainly lead to very poor decision-making. Nevertheless, it shows bravery for a company to go out on the front foot and admit they’ve dropped the ball; the sooner it’s understood that open and honest communication is almost always a winning strategy, the better for us all.
