date 2022-03-20

In 2021, ransomware attacks rose to unprecedented levels, with new tactics increasing both the prevalence and the impact of incidents. Several high-profile incidents have raised public awareness of ransomware, and how organisations respond in the aftermath of an incident has come under increasing scrutiny.

The ‘Ransomware as a Service’ (RaaS) model and the use of double and triple extortion tactics have had a dramatic impact on the ransomware landscape. RaaS is a cybercrime business model in which ransomware developers license their strain to affiliates, who carry out the attacks, in exchange for a cut of the profits.

This model has lowered the barrier to entry for threat actors and made them harder to track, since the affiliate running an attack is often not the group that wrote the malware. Double extortion, in which attackers encrypt a victim organisation’s systems and also exfiltrate data and threaten to publish it, has become commonplace. Because the stolen data can be leaked whether or not systems are restored, recovering from backups no longer neutralises the threat on its own.

Ransomware attackers are now adopting triple extortion as well. Triple extortion directs the ransom pressure not only at the victim organisation but at its stakeholders, including employees, customers and the media.

This practice is widening the impact of a ransomware incident and complicates an organisation’s response.

When faced with a ransomware attack, business continuity remains critical. However, the longer-term impact can be wide-reaching.

Operational impact

In the initial stage of an incident there may be widespread outages impacting an organisation’s ability to maintain business operations.

It is important to keep stakeholders apprised of the latest developments and to arm customer-facing employees with the information they need. Any outages may be noticeable externally and could generate media attention.

Financial impact

Research conducted by Sophos found that the average cost of recovering from ransomware was $1.85 million in 2021. The costs stem from an immediate loss of revenue due to outages, the costs associated with recovery, lost business opportunities and ransom payments.

If attacks are not disclosed in a timely or transparent manner, organisations leave themselves open to costly legal action or sanctions. Regulators have signalled that cyber-attacks present existential business risks and may have a material impact warranting disclosure.

Reputational impact

The reputational impact of an incident may be the most long-lasting. Recent HSBC research found 73 per cent of organisations underperformed the market after a ransomware attack. Effective communications, however, can help mitigate reputational damage.

Stakeholders may not judge an organisation for becoming a victim of a ransomware attack, but they will judge them based on their response. As ransomware has entered mainstream consciousness, organisations’ responses have come under greater scrutiny. As attacks have evolved, so have the communications tactics necessary for responding.

Develop a preparedness plan

Organisations should develop cybersecurity crisis preparedness plans with ransomware in mind, based on the organisation’s risk register and the regulatory environment in which it operates. These plans should complement existing crisis response plans and emergency protocols. They should be reviewed regularly to remain viable, and the regulatory environment should be reassessed as it changes.

Map out stakeholders

With ransomware incidents regularly reported in the media, the public possesses a greater awareness and understanding of ransomware. Investors and boards are similarly becoming more aware of cybersecurity and increasing their scrutiny of it, as are external ratings agencies, which increasingly factor cyber risk into their assessment of businesses’ financial, regulatory and continuity risk. The use of triple extortion may also widen the net of stakeholders who are drawn into an incident.

Internal stakeholders who may be directly affected by an incident must not be forgotten. They are also of particular importance because everyone in an affected organisation, from frontline employees to the C-suite, is a communicator and a critical vehicle for message distribution.

Be swift and transparent

Delays in communication can be costly, not only in financial penalties but also in reputational damage and lost business. A lack of transparency can generate speculation and erode trust in an organisation, making it harder to communicate with stakeholders. Companies need to understand stakeholders’ needs, and reach them through the channels they are accustomed to, in order to maintain valued relationships and tackle misinformation.

It’s not a matter of if but when an organisation will be hit by ransomware. That calls for an evolved communications strategy: one informed by preparation and an understanding of stakeholders, and characterised by swift, transparent and forthright communication.

