Ransomware is fast becoming the cybercriminal's preferred tool of their trade.
Crowbar: A burglar's tool of their trade

Introduction

I see so many articles written about the 'Ransomware Risk' (e.g., the Ransomware Risk Management Model (R2M2) (Mukhopadhyay and Jain, 2024)), and even many of my peers talk about the 'Ransomware Risk'.

Straight off the bat, let's clarify this:

Ransomware is NOT the risk!
Ransomware is just one of the cybercriminals' tools of their trade!
Ransomware is the threat!

The risk is the potential for, and the consequences of, a ransomware attack on an individual's or organization's computer systems and data (e.g., a cybercriminal being able to successfully use this tool against your business).

  • Think of it as a burglar being able to prise open a door or window of your home using a crowbar.

Assessing the risk

Simplified, a qualitative risk assessment involves the following core components:

Key Components of a Qualitative Risk Assessment

Much in the same way as assessing the risk of your home being burgled, you need to start by understanding where your Valuable and Attractive (V&A) items reside within your home.

Next, you would evaluate whether burglars are operating in your area and what tactics they are known to use.

Following this, you evaluate the potential impact of a burglary.

  • How much might the loss or compromise of these V&A items impact your household?

Finally, you would assess the status of the doors and windows (looking from the perimeter inwards) to identify how vulnerable they are to these kinds of tactics. This can be achieved through the application of the 4 Ts of risk response:

  1. Tolerate. Are you happy with the protection that your current doors and windows provide?
  2. Treat. Are further enhanced measures needed, so that you are comfortable with the perceived levels of risk?
  3. Terminate. Are the V&A items needed or can they be sold to someone else?
  4. Transfer. Have you considered taking out additional insurance or outsourcing the responsibility for storing these V&A items to a third party (e.g., a storage lockup, a bank safety deposit box, etc.)?

Application to the Ransomware Threat

The same applies when assessing the risk of a cyberattack, using ransomware:

  1. Do you know where your valuable IT assets (e.g., the IT assets that support your Important Business Services (IBSs)) reside within your corporate environment, and can you trace their connections out to the perimeter?
  2. How much might the compromise of these IT assets impact the business' Mission Statement, Vision & Values (MVVs)?
  3. Do you know which threat actors are using ransomware and what the likelihood is that they will target your organisation?
  4. Are the IT systems vulnerable to the cybercriminals' use of the ransomware tool of the trade?
  5. Are you comfortable with the perceived inherent levels of risk or do further risk responses need to be applied to bring the levels to within acceptable levels (risk appetite/tolerance)?
  6. If not, what measures could be considered and applied? E.g., segmenting IBSs from less important business environments.

Risk Considerations for the EU Digital Operational Resilience Act (EU DORA)

Considering the cyber threat's relevance to an organisation's financial systems, service users or clients, and having effective ICT risk practices, are key elements of the new EU DORA (EUR-LEX, 2022). Consequently, with less than 250 days until the EU DORA becomes mandatory, there is limited time left for the in-scope Financial Services Industry organisations (and their third parties) to be adequately prepared for 17 Jan 2025.

In preparation for this date, there are resources aplenty to help you better understand the threat from ransomware and the commonly associated exploitations, e.g., Verizon's Data Breach Investigations Report (Verizon, 2024).

[Figures from the Verizon 2024 DBIR: ransomware and extortion breaches over time (32% of data breaches involved ransomware or extortionware); select action varieties in financially motivated breaches over time; attributes over time in incidents; top action varieties in System Intrusion incidents; patterns over time in breaches]

Recommendations

It is highly recommended that you enhance your existing Operational Resilience practices so that they apply ICT risk practices more proactively, allowing the risks against each of your IBSs to be identified and effectively managed.

Take a look at your existing risk registers to evaluate whether they provide sufficient granularity so that you can evaluate the risk statuses that pertain to each of your identified IBSs.

Start in order of perceived priority, according to how important each IBS is in supporting your business MVVs, and use these to create specific Key Risk Indicators (KRIs), e.g., how many ICT systems have critical or high-risk vulnerabilities that could be exploited to enable a system intrusion?
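The IBS-level assessment described above (the six questions, the 4 Ts of risk response and the vulnerability KRI) as a small worked risk register. This is an added illustration, not the author's tooling or any product's API; the 1-5 likelihood/impact scale, the score bands, the rule that Treat lowers likelihood while Transfer lowers impact, and the sample services are all my assumptions.

```python
from dataclasses import dataclass, field

RATINGS = ((4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical"))  # assumed score bands

@dataclass
class ITAsset:
    name: str
    vuln_severities: list = field(default_factory=list)  # e.g. ["critical", "medium"]

@dataclass
class IBS:
    name: str
    priority: int            # 1 = most important to the business MVVs
    likelihood: int          # 1-5: threat actors' interest in and capability against this IBS
    impact: int              # 1-5: consequence of compromise for the MVVs
    response: str            # one of the 4 Ts: Tolerate, Treat, Terminate, Transfer
    assets: list = field(default_factory=list)
    reduction: int = 0       # scale levels removed by Treat (likelihood) or Transfer (impact)

def risk_rating(score: int) -> str:
    return next(label for limit, label in RATINGS if score <= limit)

def inherent_risk(ibs: IBS) -> int:
    return ibs.likelihood * ibs.impact

def residual_risk(ibs: IBS) -> int:
    if ibs.response == "Terminate":      # the service no longer exists to be attacked
        return 0
    if ibs.response == "Treat":          # controls such as segmentation cut the likelihood
        return max(1, ibs.likelihood - ibs.reduction) * ibs.impact
    if ibs.response == "Transfer":       # insurance/outsourcing cuts the impact borne
        return ibs.likelihood * max(1, ibs.impact - ibs.reduction)
    return inherent_risk(ibs)            # Tolerate: accept the inherent level as-is

def kri_exposed_assets(ibs: IBS) -> int:
    """KRI: supporting IT assets carrying a critical or high vulnerability."""
    return sum(any(s in ("critical", "high") for s in a.vuln_severities) for a in ibs.assets)

def register(services, appetite: int):
    """Risk register rows in IBS priority order, flagged against the risk appetite score."""
    rows = []
    for ibs in sorted(services, key=lambda s: s.priority):
        inh, res = inherent_risk(ibs), residual_risk(ibs)
        rows.append({"ibs": ibs.name, "inherent": risk_rating(inh), "response": ibs.response,
                     "residual": risk_rating(res), "within_appetite": res <= appetite,
                     "kri_exposed_assets": kri_exposed_assets(ibs)})
    return rows

# Constructed sample data; not taken from any real organisation.
PAYMENTS = IBS("Payments", 1, 4, 5, "Treat", reduction=2,
               assets=[ITAsset("pay-db", ["critical"]), ITAsset("pay-app", ["medium"])])
ARCHIVE = IBS("Legacy archive", 3, 3, 2, "Tolerate", assets=[ITAsset("arch-fs", ["high"])])
```

In the sample, segmenting Payments drops it from Critical to High, which is still above an appetite score of 6, so the register flags that further treatment is needed while the tolerated archive sits within appetite.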

Conclusion

As you can see, ransomware is not a risk but a tool that is used by some threat actors. To help mitigate this type of threat, you need to carry out IBS-level risk assessments against this type of cyberattack.

Operational Resilience requires both proactive and reactive risk management capabilities and is far wider-reaching than merely having Incident Response Management, Business Continuity Management and Disaster Recovery Management capabilities.

If you haven't already started to do so, you might want to consider applying and documenting the 4 Ts of risk response.