Thanks to a year in which ransomware attacks wreaked havoc on corporate networks, IT and cybersecurity professionals have an opportunity to provide more detailed updates and actionable intelligence to corporate leaders, according to a recent survey from (ISC)².
The information security nonprofit membership association’s survey of 750 C-level executives across the U.S. and U.K. shows that confidence in ransomware defenses is high among respondents, and that there remains a strong willingness to invest in technology and staff.
According to the survey results, 71% of respondents say they are confident in their organization’s ability to handle a ransomware attack, up from 69% in the previous survey. Only 15% reported a lack of confidence.
The survey also suggests that IT and security professionals need to do a better job relaying cybersecurity and ransomware concerns to executives, as just 55% of executives describe themselves as “very aware,” and 40% say they are “somewhat aware.”
Nearly 60% of executives say the communications they receive from their dedicated security professionals are “excellent or good,” and about one in five say those communications are either “poor or very poor.”
However, that communication appears to be improving after what many experts say was the worst year ever for ransomware attacks: the percentage of executives who rate communication as “excellent or good” increased by 5%.
When asked about the critical information they need from IT when it comes to ransomware, 38% cited ensuring backup and restoration plans are not impacted, 33% cited how operations can be restored in the event of an attack, and 32% said how prepared the organization is to engage with law enforcement.
When a ransomware attack actually happens, the top concern among business leaders is regulatory exposure (38%). Next is the loss of data or intellectual property (34%), followed equally by loss of confidence among employees, loss of business, uncertainty about whether data remains compromised even after a ransom is paid, and reputational harm (31% each).
Based on these survey results, (ISC)² has five tips for IT and cybersecurity professionals to consider when communicating with executives about ransomware threats:
Increase communication and reporting to leadership
According to the survey, leadership wants and needs more communication about the ransomware threats facing their organization, including more detailed reporting to ensure that leaders fully understand the threat landscape. That could better inform leadership’s decisions about security investments.
Temper overconfidence as needed
A good rule of thumb in cybersecurity is to never be overly confident in your ability to defend against ransomware attacks. The survey indicated that leaders are growing more confident in their ability to do so, but security professionals need to paint a realistic picture of the threat landscape to their C-suite.
Tailor your message
Communicating these security concerns to leaders can sometimes be challenging, so that message must be tailored to the unique business environment or industry in which the organization operates. Focus on the top areas of concern and communicate that risk to leaders in a way that aligns with their concerns.
Make the case for new staff and investments
Once it’s clear that the C-suite has a more thorough understanding of the threat landscape, that is the time to make the case for more IT and security staff and other investments, including technology, third-party services and more.
Employ everyone in the organization
While the security of the organization is largely the job of IT and security professionals, leadership, end users and anyone else using corporate systems bear some of the responsibility for defending against ransomware.