(ISC)² study sheds light on companies' ransomware communications

(ISC)²  has released the findings of a new study titled, “Ransomware in the C-Suite: What Cybersecurity Leaders Need to Know About What Executives Need to Hear.” The study provides insights for cybersecurity professionals into the minds of C-suite executives and how they perceive their organisations’ readiness for ransomware attacks. This data underscores the need for clearer and more frequent communications between cybersecurity teams and executives and offers best practices security leaders should implement to improve those interactions.

The survey of 750 C-level executives across the United Kingdom and United States reveals that the high-profile ransomware attacks of 2021 have created an opportunity for cybersecurity leaders to proactively address their organisational readiness by providing more detailed updates and actionable intelligence to the C-suite. The data shows that while executive confidence about ransomware defences remains high, there is a strong willingness to invest in technology and staff.

“With this study, we wanted to provide deeper insights from executives who are ultimately responsible for protecting their organisations from ransomware,” said Clar Rosso, CEO, (ISC)². “The study gives cybersecurity professionals a window into what their C-suite cares about when it comes to the potential impact of ransomware. Knowing this, and by tailoring their ransomware education and risk reporting accordingly, security teams can get the support they need to mitigate this high-profile risk to their organisation.”

Confidence is High

Surprisingly, respondents expressed high levels of confidence about their organisations’ preparedness to handle a ransomware attack. The recent spate of attacks has not eroded that confidence either. In fact, there was a slight uptick in confidence (69% up to 71%) in the wake of the year’s high-profile breaches. Only 15% of executives reported a lack of confidence.

What They Need to Know

Respondents were also asked about the most critical information they need from their cybersecurity teams when it comes to ransomware, and their top concerns included ensuring data backup and restoration plans were not impacted by ransomware (38%), how minimal operations can be restored in the event of an attack (33%), and how prepared the organisation is to engage with law enforcement (32%).

What Worries Executives

If hit by a ransomware attack, the top concern among leaders, cited by 38% of respondents, is exposure to regulatory sanctions. The concern is higher in the United Kingdom (41%) than in the United States (36%). The second biggest concern for executives (34%) in the event of a ransomware attack is loss of data or intellectual property, followed equally (31% each) by concerns about loss of confidence among employees, loss of business due to systems outage, uncertainty that data could still be compromised even after paying a ransom, and reputational harm.

Five Tips for Cybersecurity Team Leaders

Based on the feedback from C-suite respondents, the study outlines five key tips for cybersecurity team leaders to consider in their conversations with and reports to executives about ransomware threats. More details on each tip can be found in the report, but the five tips are as follows:

• Increase communication and reporting to leadership

• Temper overconfidence as needed

• Tailor your message

• Make the case for new staff and other investments

• Make clear that ransomware defence is everyone’s responsibility