Ransomware attack

Awareness. Risk management. Professionalism and cooperation with sectoral experts. Preparation. These are the main antidotes to a threat that has become increasingly tangible over the last few years and from which no business can consider itself immune: the “cyber-risk”, and more specifically the risk of a “ransomware” attack, whose implications can be far greater than one might naively expect. Cyber-risk therefore calls for close attention and careful preparation, also by small and medium-sized companies, and especially by those that lack the IT setup typical of a major organisation.


By Luca Previtali
Head of the Technology, Data and Innovation Department, BancaStato


What are we talking about 

Let’s make it immediately clear what we are talking about. A ransomware attack is an attack in which criminals gain access to IT systems, then exfiltrate and encrypt business data, rendering it unavailable and threatening to publish it online. A ransom is demanded (usually in cryptocurrency) in exchange for a promise to provide the decryption key for the data and a commitment not to publish it. All of this occurs in a context that is highly stressful for the business: heavy pressure and threats of escalation from the criminals, unavailable IT systems, and uncertainty about the scale and ramifications of the attack. The costs are not limited to the financial: they also include lost time and productivity, as well as data corruption or loss, and they leave the field open to reputational and legal consequences.

It is therefore appropriate to prepare as much as possible for such a scenario, naturally hoping that it never happens.


Involve professionals 

What are the first steps that should be taken by anyone who wants to assess their “state of health” in relation to this IT risk? It should be pointed out first and foremost that, as a matter of principle, cyber-risks should be dealt with in the same way as the other risks that external asset managers already engage with on a daily basis. Specific competencies and organisational structures are required: in other words professionalism, expertise and resources. If these are not sufficiently available in-house, it may be useful to work with reliable external service providers that have the critical mass to supply appropriate staff and expertise. It is also a good idea to engage an independent company specialising in IT security, which can be asked to assess security preparedness, identify gaps (for example through so-called “penetration tests”) and suggest remedies or improvements. Fortunately, Switzerland has a large number of excellent companies specialising in this area.


Keyword: awareness 

All too often, this approach reveals a risk that had previously been under-estimated, which can then be incorporated into the policies and strategic planning of the business. Once one is aware of one’s own level of exposure, it becomes possible to assess key aspects and answer questions that are only apparently straightforward, such as: “If an attack were to take place and my infrastructure were to remain blocked for two weeks, whom should I contact? What are the first steps I should take? How should I inform clients? What should I say to staff?”.


Not being prepared can end up being very expensive

Let’s be clear: there is no such thing as “zero risk”, and this applies especially to IT risks. It is nevertheless extremely important to mitigate them as far as possible. First of all, as mentioned above, internal data and IT systems must be managed professionally: hardening of the IT infrastructure, asset inventories, antivirus and antispam systems, vulnerability management, offline backups and regular restore testing are notions that should become an integral part of any business.

Staff awareness is also crucial: employees need to be trained to recognise suspect emails or attachments as well as forms of “social engineering”; in parallel, they must know whom to contact in order to report any such incidents.

Another basic dimension is preparation in the sense of “training” in crisis management. Specialist companies can provide tangible and concrete assistance in this respect too, by clarifying processes, assigning tasks and responsibilities, and drawing up internal and external communication plans. If activities of this type are not planned in advance, it will be very difficult to carry them out efficiently and rationally during the frenzied period of a ransomware attack, when time is essential in minimising the damage.

It is also necessary to establish contacts and put cooperation arrangements in place with specialist companies and support providers, which will be fundamental for investigating the attack, recovering and restoring the affected systems, and, where applicable, negotiating with the criminals: these aspects too need to be dealt with in good time, not in the middle of an incident.

Finally, businesses are strongly advised to rehearse a simulated attack scenario. This type of discussion-based practice session (referred to in jargon as a “tabletop exercise”) can take as little as half a day and its cost can be relatively modest; yet it is an extremely useful instrument for verifying response readiness and further refining preparations.

In conclusion, dealing with cyber-risks proactively, through professional management of ICT systems and data coupled with appropriate preparation, makes it possible not only to reduce exposure to attacks but also to handle any incidents in an orderly manner and to mitigate their consequences.


Biography

Luca Previtali has been Head of the Technology, Data and Innovation Department of BancaStato since March 2022. The Department’s tasks also include the management of ICT and cyber risks according to FINMA regulations, as well as ensuring proper data management procedures within the Bank.

Luca Previtali previously occupied various management roles at the ETH Zurich for over twenty years, where he gained vast experience in drawing up and implementing ICT and corporate strategies, devising and delivering technological transformations (for example digital innovation, public cloud adoption, and security concepts and strategies) and organisational transformations (such as reorganisations, turnarounds, post-merger integration and new operational models), as well as in the development of ICT platforms and data management solutions.

He holds a Degree in Electrical Engineering (ETH Zurich, 2001) and an Executive MBA (University of Oxford, 2020).