Organizational Complexity Rivals Technical Complexity in a Ransomware Attack
Complexity is the enemy of security. James Bond wouldn’t be exciting if he casually sauntered through unlocked doors. Rather, he’s been trained to break in by targeting weak points in complex systems. Cyber criminals are trained to do the same. In ransomware attacks, however, the complex system targeted is not the computer or data systems, but the organization itself.
Ransomware is a way of extorting bureaucratic organizations for financial gain. Attacks exploit an organization's need to keep operating: to meet the demands of customers, to deliver critical services, or to protect the balance sheet. Computer systems may be the initial weak point, but what hamstrings organizations is the inability to coordinate a holistic response. Whether a response plan accounts for complex organizational priorities makes or breaks it.
Ransomware Simulations Offer Insight
Two years ago, I was part of a team that executed a simulated ransomware attack in a hospital. Early in the morning, teams were alerted that something was amiss. By noon, it was discovered that a ransomware campaign had rendered the surgery scheduling system inaccessible, and hundreds of thousands of patient records were unavailable—including preexisting conditions and allergies, insurance records, and personally identifiable information.
The attackers had frozen the application and encrypted the data, demanding half a million dollars in Bitcoin. The IT team confirmed that the attack was genuine rather than a false alarm, and the CEO called an emergency meeting with team leaders. Midway through the exercise, news broke that a patient had suffered complications after an emergency surgery was performed without access to their known conditions and allergies.
Much of the early part of the exercise hinged on whether the hospital had an up-to-date copy of its systems and data that could actually be restored. Backups are an essential part of cyber incident response and recovery and are routinely taken to protect organizations from risk and negative business impact. They are only as good as the last tested restore, however: a backup that was reachable from the compromised network may have been encrypted along with everything else, and restoring into a different environment may take additional systems and data offline for some time, further impacting operations.
Lack of Preparation Is a Key Factor
The rest of the exercise was a tangle of competing organizational priorities: whom to notify first (patients, staff, or the public), how to word each statement, which contractors and regulators required notification, and whether to involve the FBI. When their time was up, the team had to present recommendations to the CEO. Ultimately, every participant decided to pay the simulated ransom, not because it was the natural thing to do, but because getting the data back cut down the complexity of the response. (In a real incident that calculus would also have to weigh that payment buys only a promise of a decryptor, not a guarantee, and that recovery still has to be carried out afterward.) Notably, we found that:
- A hierarchy of stakeholders causes confusion. The hospital was a private, for-profit entity responsible for providing critical services. The priorities of patients, staff, and the board of directors overrode advice not to pay the ransom.
- Public relations matter. Most of the negative attention an incident draws focuses, after the fact, on how the organization responded. In a critical environment like a hospital, delaying the restoration of services to patients may be the worst case for the organization's mission, vision, and strategic communications.
- Organizational complexity is the biggest hurdle. Misaligned priorities across teams led each of them to favor paying the ransom because it made the problem simpler to solve, offering an attractive route back to normal operations.
Preparedness requires consideration of complex organizational priorities ahead of time. Guidehouse Insights recommends that organizations prepare for ransomware strategically by shoring up systems and data as well as modeling and simulating organizational response scenarios. With 3D models, virtual reality, and gamification, simulation capabilities are more realistic than ever before.