Gartner: Ransomware top risk priority for auditors in 2022

Ransomware is the top key risk area that audit departments anticipate focusing on in 2022, according to Gartner’s 2022 Audit Plan Hot Spots report.

“Ransomware attacks have become increasingly prevalent and sophisticated,” says Zachary Ginsburg, research director for the Gartner Audit and Risk practice, and as a result are “becoming a top focus for both boards and management” – with the majority of board directors saying cybersecurity is almost always on the agenda.

The worsening state of ransomware for businesses in 2021

While more than a third of organisations experienced ransomware attacks globally in 2020, according to The State of Ransomware 2021 report from Sophos, this has risen by an incredible 57% in 2021.

Among the biggest were attacks on tech company Acer (US$50m); German chemical distribution firm Brenntag (US$4.4m) and American oil pipeline operator Colonial Pipeline (US$4.4).

The Sophos report found that increasingly effective extortion tactics are being used leading to higher costs, extending beyond the ransoms paid, with the average recovery costs of an attack – taking into account downtime, tech-related costs, opportunity costs and the ransoms themselves – doubling in 2021. Worse yet, just 8% of organisations received all their data back, even after paying the ransom.

And despite the rising threat, only half of CISOs believe their organisation is able to fend off a ransomware attack, and just 39% successfully stopped attacks before hackers encrypted their data.

“Ransomware is resulting in revenue and data loss, compromised data, reputational damage, significant operational disruption and more,” says Ginsburg. “Regardless of their size or revenue, organisations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response and recovery measures.”

Ransomware extortion strategies evolving

According to Gartner, cybercriminals are going to great lengths to ensure payments from their ransomware attacks by raising the level of consequences among ransomware victims. Given that many governments are warning against paying ransoms, potentially causing some companies to be more reluctant to pay, cybercriminals are adding more sophisticated tactics to their portfolio of extortion strategies.

These include attacks that use third parties as vectors, ‘fileless’ attacks and others that are harder to detect, demands for separate ransoms for data and unlocking systems, or demands of ransoms from multiple parties such as a hacked organisation and its customers.

Attacks that target and infect a trusted partner, like a software vendor or service provider, deliver yet further consequences, as seen with the Kaseya attack in July 2021. The very definition of a supply chain attack, this resulted in as many as 1,500 additional businesses (its customers) falling victim to ransomware.

Also, cybercriminals have recognised that by threatening to release stolen personal data, customers will put pressure on organisations to pay ransoms.

Recommendations for auditor in addressing the risk

Gartner experts recommend five first steps for auditors to provide assurance over their organisations’ efforts to mitigate risk from ransomware attacks:

1 Evaluate employee security training Assess the effectiveness of security awareness and training programmes, specifically social engineering and phishing tests. Review the number of employees who have taken and passed training and how often it is required. Ensure training includes education and awareness of the latest ransomware threats and guidance on securing devices in both the office and remotely. 

2 Assess external relationships for ransomware support services Determine whether the organisation has an appropriate level of external support services, review the expertise these provide and assess whether this properly complements the services the company can provide in-house. Ensure you have a plan detailing when to contact each service provider should a ransomware attack take place.

3 Review ransomware attack response plans Assess whether the organisation’s ransomware response plan includes mitigation, communication, recovery and resolution strategies. These should align with organisational priorities and establish clear processes to respond to an attack. Assess whether plans include defined roles and responsibilities beyond just IT.

4 Assess data storage policies Review policies that govern data storage, including the protection, retention and deletion of organisational data. Review the process by which management decides which data and assets are most important to protect and who is responsible for protecting them. Ensure business units have sufficient security controls in place for data that could be used in a double- or triple-extortion attack.

5 Review service provider ransomware attack communication protocols Evaluate whether relevant functions have investigated contractual reporting requirements for when and how a service provider will communicate information regarding an attack. Determine whether the service provider’s response plan is in line with the organisation’s internal response plan.

Other risk hotspots auditors should know about

Although ransomware should be a key concern for auditors in 2022, there are further pressing risks that need to be addressed, many of which relate to the ongoing economic impact of COVID-19.

• Data and analytics governance
• Digital business transformation
• IT governance
• Third parties
• Business continuity and organisational resilience
• Environmental, social and governance (ESG)
• Supply chain
• Strategy execution
• Workforce management
• Retention and recruitment
• Economic uncertainty