During his keynote at Rubrik’s Data Security Summit, former Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs sent a strong message to private sector leaders: ransomware threats pose a business risk.

“Ransomware events of the last year and a half have really changed the way that boards and executives think about cybersecurity, not just as an IT risk,” Krebs said. “Cybersecurity issues, IT security issues have jumped into a business risk.”

He added that over the past few years the government made a minor pivot, broadening its cybersecurity communication audience from CISOs to their leadership. “Effective cybersecurity starts at the top, and the leadership and the CEO has to be bought in and has to be part of the winning strategy,” he explained.

Krebs outlined several red flags that leaders should watch for, including prioritizing product features at the expense of security, high turnover in CISO and IT security positions, and an uptick in attacks against peer companies in the same sector.

In addition, citing the recent boom in mergers and acquisitions, he cautioned that organizations need to conduct a series of strategic assessments when integrating a new company into their IT infrastructure.

Beyond the leadership team, Krebs recommended putting everyone on the security team, from the CEOs to the interns.

“Everyone needs to be looking very closely at a company's cybersecurity risk posture, their risk management posture,” he said. “But given the technical barriers to entry, sometimes that's hard to do.”

Because of this, Krebs urged every organization to appoint a representative to its board with security experience, either from a technical perspective or from a legal and compliance standpoint.

Quickly and Seamlessly Recover from a Ransomware Attack

In his speech, Krebs emphasized the importance of thinking long-term about cybersecurity. “Ransomware is going to get worse before it gets better,” he said.

To minimize recovery time and potentially avoid paying ransoms, he suggested organizations implement basic cybersecurity measures, such as backing up critical data, practicing recovery procedures, and adopting a zero-trust architecture.

“Limiting administrative privileges is so key and core to stopping ransomware attacks, and multi-factor authentication is one of the best tools you can have,” Krebs said. He noted that “the economics of ransomware are still heavily in favor of the ransomware actors, meaning if ransomware is a business, the business is pretty good right now, unfortunately.”

Because ransomware attackers often demand payment in cryptocurrency, Krebs said he expects the U.S. Infrastructure Bill to include crypto-related policy changes, including oversight and transparency measures.