Ransomware and the GC: 6 key questions that you should be able to answer
If your company has been caught out in the last few days then these will be urgent questions.
If you have not been caught out then, for most companies, this will be an issue of "when" not "if". So it might be a good time to self-assess your answers to these questions and to get any gaps in knowledge, process and approvals resolved now, while there is a current illustration of why it matters fresh in the minds of your team and your management:
1: Do you understand the basis on which all of your corporate software is bought/licensed/updated – both the standard position and any exceptions to it?
2: Do you understand who is responsible for maintaining and updating your software, your firewalls, your system user access controls etc. (outsourced or insourced), and what the contract terms actually say about that responsibility?
3: Do you understand how, where and through whom your corporate IT actually works? (It really helps to have a reasonable grasp of this before management asks you questions about liability for business interruption. It also helps with litigation, investigations, dawn raids etc)
4: Are you reasonably on top of the technology? (e.g. Do you understand at least the basics about the move from owned to licensed operating system software, voluntary versus forced push updates to software, what a virtual private network is?)
5: Do you understand how your legal, regulatory, stock market, shareholder, major client and supplier (e.g. force majeure clause?) obligations would be impacted by an effective ransomware attack? (What can you do? What must you do? In what order? What is not permissible (e.g. paying the ransom)? If you pay up anyway for business expediency, then what will or may be the consequences?)
6: Is your approach to this issue built into your organisation's risk management processes and policy framework so that you can respond effectively and reliably and with no surprises?
Suggestions for extra relevant questions welcomed.