$40 million of ransomware paid for a cyber-attack - as a non-tech exec, what can you do?

In March last year, CNA Financial in the US paid a record $40 million ransom after a cyber-attack involving malware linked to a Russian cybergang. The average ransomware payment in 2020 was $312K, up 171% from the year prior. Attacks are forecast to increase.

Could your organisation reduce the probability of this?


Since November, I have spent over 100 hours completing Harvard’s Managing Risk in the Information Age; you can watch a two-minute video about the program here. Here are five things any non-technical executive must know.

  1. The SPECIFIC threat actors relevant to your sector and their likely methods of attack; avoid generalising and consider scenarios that are realistic for your organisation.

  2. What are your mission-critical systems? Without them, your business stops.

  3. Where are the most significant vulnerabilities in your organisation? Everyone is vulnerable; the question is how vulnerable you are.

  4. As humans we are inclined to trust, and hackers prey on this. Who has completed what cyber security training, and when?

  5. How well do you know the five functions of the NIST framework (Identify, Protect, Detect, Respond, Recover), and what is your organisation measuring in each of them?


APRA collected data on Australian businesses and found the following:

“35% of entities hadn’t tested their backups for critical systems, 22% hadn’t tested their cyber incident response plans, and 60% hadn’t assessed their IT service providers’ information security control testing.”


The implication for Australian company directors is that they now appear more liable; directors can no longer turn a blind eye. They must set proper standards of cyber security to be implemented by management, with clear evidence of the stepping stones taken in maturing cyber security.


All of the above will intensify the focus on cyber security this year, and the limited availability of skilled talent will add to the complications.


Want to learn a little more? Feel free to make contact.