CAMBRIDGE, Mass. — Ask a room full of CIOs if their organizations have suffered ransomware attacks and only a few reluctant hands will be raised.

Statistics, however, tell a different story, Jeff Reichard, VP of solution strategy at Veeam, said during a Tuesday panel at the MIT Sloan CIO Symposium.

Attacks are common, according to a January report by the security software company, which surveyed 4,200 IT leaders. It found that 85% of organizations suffered at least one ransomware incident last year.

“Regulated industries are accustomed to auditors looking at their environment a couple of times a year,” Reichard said. “But everyone in this room is getting audited every day by cybercriminals.”

While many organizations have a CISO to attend to daily security concerns and coordinate broader enterprise strategy, cyber threats and the accompanying fallout are a CIO problem, too.

Just as in any IT operations crisis, the CIO has to be ready to manage the recovery process and find a way to keep the business up and running. 

Having a reporting and response plan is essential, particularly if it’s not locked inside a compromised application.

“We have a very thorough response plan,” Bill Brown, CISO and CIO at healthcare data management company Abacus Insights, said during the panel. “But, when an incident hits us, are we going to be able to get that big plan off of Confluence?”

In addition to backing up critical data, Brown’s team is addressing enterprise communication contingencies through a simple fix — installing Slack, Zoom and Microsoft Teams on company mobile devices.

Recreating 250 endpoint devices from scratch requires preparation, Brown said.

Planning should include an estimate of minimum assets needed to keep IT functional and situational preparedness for extreme events, such as a scenario in which an adversary has cracked every administrator password, Reichard said.

The fallout can be difficult to predict or control, especially when outside investigators are involved.

Companies fortunate enough to have cyber insurance can find themselves hamstrung by procedural roadblocks to recovery. Insurers may ask IT to stand back and wait for their team to arrive, which may take hours or days, Reichard said.

A similar problem can emerge when law enforcement gets involved. To an investigative agency, servers contain potential clues subject to chain-of-evidence protocols, which can restrict IT’s access to hardware and software.

“If your plans haven't accounted for the idea that your data center may have virtual yellow police tape around it, then you might not be setting the right expectations,” Reichard said.

Rather than considering the possibility of attack, CIOs should prepare for the eventuality, said John Allen, VP of cyber risk and compliance at cyber defense company Darktrace, during the panel.

The goal is to shift the conversation away from whether or not an attack might happen to what can be done to limit the impact, Allen said. 

CIOs can work with CISOs to move beyond patch cycles, reporting procedures and awareness training to the practical matter of bringing IT back online in the wake of an attack.