
Ransomware attacks are increasingly targeting organizations across industries, with the potential to cause devastating financial, operational, and reputational damage.
We spoke to James Eason, practice lead for cyber risk and compliance at Integrity360, to get his insights into how executive boards can effectively prepare for such incidents.
BN: Why is ransomware a critical issue for boards and not just the IT department?
JE: Ransomware is no longer simply a technical problem; it’s a business-critical issue that demands board-level attention. According to Rapid7, there were over 2,570 ransomware incidents reported in the first half of 2024 alone, and Coalition research shows that the average ransomware demand now stands at $1.3 million.
This level of financial risk requires decision-making that goes beyond IT. Executives need to consider the broader implications, including downtime, regulatory compliance, and reputational damage. In fact, 75 percent of consumers have stated they would switch to a competitor if a company suffered a ransomware attack. These risks underscore the importance of board-level involvement in cybersecurity strategy.
Adding to the urgency is the evolving regulatory landscape, which is increasingly holding senior management directly accountable for cybersecurity breaches. Regulations such as the updated cybersecurity disclosure rules of the Securities and Exchange Commission (SEC) in the US and the NIS2 Directive in the EU emphasize the personal liability of executives and board members for failing to manage cyber risks effectively. The SEC now requires organizations to disclose material cybersecurity incidents within four business days, along with their processes for managing cyber risks. Similarly, NIS2 mandates that senior leadership demonstrates active involvement in their organization’s cybersecurity measures, with penalties, including personal fines, for non-compliance.
These developments signal a clear direction of travel: boards can no longer delegate responsibility for ransomware or other cyber threats entirely to the IT department. Personal accountability for breaches is becoming a legal reality, making it imperative for boards to prioritize cybersecurity as a core element of their governance. Failing to do so not only risks financial and reputational damage but could also expose senior executives to regulatory scrutiny and penalties.
BN: What’s the main challenge boards face during a ransomware attack?
JE: The biggest challenge is the disconnect between boards and cybersecurity teams. When an attack happens, executives often treat it as a purely technical issue, handing it off to the IT department. This delays critical decisions and demonstrates a lack of understanding of the full scope of the crisis.
Boards may ask the wrong questions or fail to focus on critical areas such as stakeholder communication and long-term business continuity. A ransomware attack is a multi-faceted crisis that requires informed, coordinated action across the organization, starting at board level.
BN: How can boards prepare themselves to handle a ransomware attack effectively?
JE: Preparation begins with asking the right questions and understanding the organization’s vulnerabilities. Boards need to know how to assess the credibility of a threat, who to contact, and what the legal, financial, and operational implications are.
Crisis simulations are one of the most effective ways to prepare. These exercises allow executives to practice responding to ransomware attacks in real-time, helping them understand their roles, refine communication strategies, and build confidence in managing such crises.
For example, a simulation might start with the question: “If the CEO receives a ransom demand, what is their first move?” Is it to call the CISO? Or do they need to establish the credibility of the threat first? These exercises expose gaps in readiness and ensure the board is equipped to lead a coordinated response.
BN: What are the most effective strategies boards can implement to mitigate ransomware risks?
JE: Mitigating ransomware risks requires a multi-layered approach that combines robust technological defenses with organizational policies. One of the most important steps is to implement regular data backups, ensuring that critical information is securely stored offline or in the cloud. This enables organizations to restore their data without needing to pay ransoms. Employee training and awareness are also essential, as phishing and social engineering remain the most common attack vectors. By conducting regular training sessions, employees can become the first line of defense against these threats.
Another critical strategy is patch management, which involves ensuring that all systems and software are updated regularly to eliminate vulnerabilities that ransomware can exploit. Access controls play a pivotal role as well; by enforcing the principle of least privilege, organizations can limit the spread of ransomware within their networks. Finally, having an incident response plan specifically for ransomware attacks is essential. This plan should detail how to contain, eradicate, and recover from an attack, and organizations should conduct regular drills to ensure preparedness.
While these measures form the backbone of effective ransomware mitigation, a comprehensive cyber insurance policy can provide an additional layer of protection. Though it should never replace robust risk management strategies, cyber insurance offers financial support and expert resources to help organizations recover more quickly in the aftermath of an attack. For board members, knowing that the organization has coverage in place can bring peace of mind, ensuring they sleep a little easier at night. However, it’s crucial for boards to view insurance as a safety net rather than a primary defense; effective prevention and preparation remain the most reliable ways to mitigate ransomware risks.
These measures, when implemented together, significantly reduce both the risk and impact of ransomware attacks.
BN: How can organizations balance the need for robust cybersecurity measures with operational efficiency?
JE: Balancing robust cybersecurity with operational efficiency is a common challenge, but it is vital for sustainable business operations. One way to achieve this is through comprehensive risk assessments, which help identify critical assets and prioritize security measures, ensuring resources are allocated efficiently without overburdening operations. Integrated security solutions can also streamline this balance by offering multiple protective features in a single platform, reducing system complexity and improving performance.
Automation is another key factor. Automating routine security tasks, such as patch management (mentioned above) and threat detection, allows IT staff to focus on strategic initiatives. Additionally, creating user-friendly security policies ensures that employees can easily understand and follow them, fostering compliance without disrupting daily workflows. Continuous monitoring and real-time threat detection are crucial for maintaining both security and operational efficiency. By regularly reviewing and adapting security policies to meet evolving threats, organizations can achieve a resilient security posture without compromising their operational goals.
BN: What specific actions should the board take to improve ransomware readiness?
JE: Boards can take several concrete steps to enhance their readiness:
- Clarify roles and responsibilities: Ensure everyone knows who to contact, how to assess a threat’s credibility, and when to involve external authorities.
- Develop a ransom demand plan: This includes understanding the legal and financial implications of paying a ransom, the options for negotiation, and public relations strategies during a crisis.
- Integrate cyber risk into business strategy: Cyber risk management should be part of the organization’s overall governance framework, not siloed in IT.
- Invest in Cyber Risk Assessments (CRA): A maturity assessment helps identify vulnerabilities and areas for improvement, ensuring the organization has a strong defense posture.
- Continuous education: Boards should stay informed about evolving threats and receive regular updates from the cybersecurity team.
BN: How does a Cyber Risk Assessment (CRA) help boards become more prepared?
JE: A CRA provides a comprehensive analysis of an organization’s cybersecurity posture. It identifies existing vulnerabilities, assesses the effectiveness of current defenses, and aligns risk management with broader business objectives.
Regulatory compliance is another critical area where CRAs are invaluable. Failure to meet compliance requirements can result in significant legal and financial penalties. A thorough assessment ensures the organization not only meets, but exceeds, these requirements.
Additionally, investing in managed endpoint detection and response (EDR) services is critical. These services provide continuous monitoring and rapid response to threats at the endpoint level, protecting the confidentiality and integrity of client data.
BN: Are there recent ransomware incidents that highlight the importance of board-level preparation?
JE: Absolutely. The MOVEit file transfer hack earlier this year, for instance, resulted in significant data breaches for numerous companies, showcasing the cascading impact of ransomware attacks. Similarly, the attacks on MGM Resorts and Caesars Entertainment in September 2024 led to operational disruptions and public scrutiny, with Caesars reportedly paying tens of millions of dollars in ransom.
These cases illustrate how ransomware can cripple operations and erode customer trust. They also highlight the importance of having a clear, actionable response plan to navigate such crises effectively.
BN: What role does communication play during a ransomware crisis?
JE: Communication is critical, both internally and externally. Internally, boards must ensure there’s clear communication between the executive team, IT, legal, and communications departments.
Externally, managing stakeholder expectations is key. This includes transparent communication with customers, partners, and regulators. Mishandling communication can exacerbate reputational damage.
BN: What is the ultimate goal of ransomware preparedness for boards?
JE: The ultimate goal is to build fully on the ability to respond effectively and to achieve a strongly resilient capability all round. Effective ransomware preparedness isn’t just about mitigating damage during an attack; it’s about ensuring long-term business continuity and safeguarding customer trust.
By integrating cybersecurity into the broader risk management framework, practicing crisis response, and staying informed about evolving threats, boards can lead their organizations through potential crises with confidence.
Ransomware is a business-critical risk that demands active involvement from the C-suite. By taking proactive steps such as conducting crisis simulations, investing in Cyber Risk Assessments, and fostering a culture of continuous learning, boards can bridge the gap between risk and responsibility.