Almost every day, it seems, there’s news of another ransomware attack on a prominent organization. In fact, according to one study, almost 40% of all businesses experienced an attack from the summer of 2015 to the summer of 2016. To protect our companies against ransomware and its potentially disastrous technological and financial consequences, we have to understand what’s needed to shield information technology systems from the initial infection and how to recover as quickly as possible.
For the uninitiated, ransomware is malware designed to find and encrypt a victim's data and files. In practice the files are encrypted under a symmetric key, and that key is in turn encrypted with a public key carried by the malware; the matching private key stays on the attacker's server. The data cannot be decrypted until the victim pays for that private key. Unfortunately, in many cases, even once the ransom has been paid, the attackers fail to provide a working decryption key, leaving victims without their money and their data.
As the saying goes, preparation is half the battle. Don’t wait for an incident to happen. CFOs need to partner with CIOs to ensure their organizations are not just multiple steps ahead of malicious intent, but also building IT resilience that allows the business to truly thrive in the face of adversity.
As businesses grow and increasingly move critical data and applications into cloud infrastructures and migrate them between data centers, CFOs are becoming more involved in driving IT decisions, such as the purchase of hybrid cloud disaster recovery (DR) solutions that protect brand reputation.
A CFO’s understanding of the risks that ransomware presents to the business will help the CIO build the infrastructure and services needed to protect and serve the company. As a CFO myself, when I talk with peers and CIOs from customer organizations and discuss their DR plans and infrastructure, I always advocate looking beyond the ROI elements to the reputation of a company in the event of a ransom attack. We then identify the areas considered to be risky and channel the requisite investments accordingly.
For example, there are certain areas in a business that are important for the future growth and scale of the company, areas where it will need to invest in upgrading its technology. When a company changes technologies, though, it is changing vital elements of the business, and that is where it is necessary to identify and examine risks related to these new technologies and to build DR plans for them. It all starts from an agreed strategy — the CIO executes and the CFO makes sure IT has the proper resources as it aligns to future goals.
CFOs need to open the line of communication with CIOs and encourage them to voice concerns. Regular meetings should examine IT risks and how to mitigate them, and evaluate whether the CIO has adequate resources. The team should determine whether the business can continue to grow and scale while maintaining compliance, and ensure that DR and hybrid cloud strategies are relevant and effective.
Part of a well-rounded IT and cybersecurity investment strategy involves identifying on a regular basis the key applications and data that are at risk and ensuring they are protected. Reach out to other CFOs to see what technologies they are investing in and how they were selected. Gather as many data points as you can before making a decision, but also cast a critical eye: What is the cost of downtime, and what would you personally consider acceptable as a customer? Be sure to also include the “long game” view in these peer conversations. Often there are significant “vendor lock-in” issues that others have encountered, which can severely restrict the organization’s options down the road.
Today’s IT landscape is more dynamic and unpredictable than ever before. To keep pace, an organization’s DR plan must be easily implemented and regularly tested. Still, unsuccessful deployments and failed DR tests continue to mount, given the complexity of IT environments and how poorly manual recovery processes cope with that complexity. That should give any CFO and CIO serious pause to revisit their underlying infrastructure and software.
There are several questions for CFOs and CIOs to consider when revamping their DR plans and when evaluating existing technology or acquiring new technology:
Cyber insurance policies are a means of mitigating risk and managing the impact of IT breaches. Some policies involve putting money aside for the potential payment of a ransom, but placing funds in reserve might not always be the best option. That money should be put to use for the future growth of the company, R&D, and sales and marketing. Consider instead taking the right measures to protect the company by investing in solid DR solutions.
In today’s risky IT world, it is absolutely necessary for the CFO and CIO to work together to protect the company’s data. Their combined efforts are needed to safeguard the company’s information and finances as well as its most valuable intangible asset — the company’s reputation. Paying a ransom is never recommended, as there is no guarantee that a working decryption key will be provided. The capabilities for immediate and full data recovery should be in place so that paying never warrants consideration. Those recovery copies must be kept out of reach of the credentials and network paths the malware would use, and restores must be rehearsed, or the backups will be encrypted along with everything else.
Roy Golding is CFO at the software company Zerto and has more than 15 years of experience in senior financial management positions. Prior to joining Zerto, Roy served for five years as CFO of Telmap.