When it comes to parity in technology, it’s no secret there’s a massive gender gap. Despite being 47% of the labor force, women only account for 24% of all technology positions. Specific to the European market, the UK sees only 19% of the tech workforce filled by women and the EU only 17.5% on average. Diversity in leadership and the boardroom show a similarly daunting gap, with only 20% of board seats held by women in 2020.

That being said, as societies and companies prioritize equality and gender representation, we’re seeing these figures improve. In fact, data from this year shows that 51% of companies now have a female board member, up from just 40% a year earlier. What’s more, during the same time period, the number of females on board grew–from 7% to 11%. 

While moving in a positive direction, this data is reflective of public companies. What’s not said in the data is the private, non-reporting sector (start-ups, scale-ups, etc.) have a wider gender gap than public companies. And let’s be honest, 11% is still a wide deficit.

While the progress made thus far is encouraging, we’re surprised at the slow pace. Companies know they’ll reap rewards when bringing different perspectives to the board. Research tells us that diversity in the boardroom helps mitigate the issues surrounding “groupthink”. From All Raise’s 2020 Annual Report:

Gender parity at the board level enables the most senior decision makers of a company to reliably lead their companies to innovate, execute and ultimately, be successful. But to successfully achieve gender representation in the boardroom, there must be a larger pipeline of candidates to fill board seats.

At Sapphire Ventures, we’ve seen this problem firsthand. Our investors are oftentimes board members and our value-add Portfolio Growth team frequently works with our portfolio companies to think through their board strategies and ways in which to diversify directors and observers. As such, we feel we’re intimately aware of the impact of a diverse board and our team is working hard to bridge the gap.  

For example, Sapphire co-architected All Raise’s Board Xcelerate with Sequoia Capital and GGV to diversify the boards of high-growth tech companies. To help further uncover diverse board talent, we’ve kicked off a board-readiness campaign featuring regular workshops beginning in 2019, for aspiring diverse board members in our CxO network. The goal of these workshops is to build a pool of qualified, female board executives to fill the influx of board opportunities with diverse leadership. The campaign has led to board placements such as Wendy Pfeiffer, CIO of Nutanix, who discovered her first board role via Sapphire.

In mid-October, we held our first board-readiness workshop in Europe. We walked away with some insightful trends and best practices on how to make that first board leap from our panel of board directors, CEOs and recruiters representing companies such as KPMG, Facebook, Blackstone, Tom Tom, Matillion, SAP and Volkswagen that we wanted to share here: 

The power of the network

To secure your seat, you must leverage your connections in the smartest ways possible. Ensure that you’re connected with directors who are “boarded up,” heads of talent at VC firms (for venture-backed, privately held boards), and recruiting firms like True Search and Erevena.

At our event, several speakers emphasized the differences between a board search and the search for an executive or operating role. In both cases, candidates must showcase their background and unique talents. However, since close to 50% of board appointments happen through personal networking, word of mouth, shareholder suggestions and other informal channels, figuring out how and with whom you connect in this case is critical to success.

As the saying goes, it’s not only what you know, it’s also who you know. To the qualified board candidate, networking can be the biggest catalyst to landing a board interview. Diverse board candidates that have strong networks (like the one Sapphire Ventures is building) are well-equipped for landing first introductions.

Landing the interview and beyond

According to our panelists, and somewhat of a surprise to us, interviewing for a board seat is not that different from a regular job interview.

According to Angelika Huber-Strasser of KPMG, “the process can be as intense as a job interview with multiple conversations and presentations, but might go more quickly than a non-board process.” 

As a first step, make sure to have a strong board bio and have workshopped it with your network. It’s effectively a CV, only different. It defines your personal brand and says in what areas you’re considered to be an expert. Additionally, it outlines what strengths you’ve developed that a board would value. Where résumés tend to be organized chronologically and describe in detail an individual’s past roles, board bios do not. They are one page, include a photograph, are written in the third person and don’t provide a list of past positions. The focus is on a person’s value proposition and personal brand. 

From there, remember that securing your first board role is tied to more than just an interview. Aligning to the company’s needs and the CEO’s is of increasing importance–as with private boards the CEO relies heavily on their board for guidance on maintaining the rapid growth of the business. 

Often the CEO sets the tone for the board’s culture, but as we heard from our workshop, sometimes that can be an issue. Culture of a board can require change to accommodate new, diverse board members. It’ll take some intrepid executives to help change that culture and pave the way for future members who might not be as adaptable. From research done by Ernst & Young, boards can help set a tone for culture at a company by embodying the same ideals.

Board onboarding is a must 

Deepa Gautam-Nigge, a Senior Director of M&A at SAP, mentioned how onboarding for board roles is a priority. “Ask for onboarding when you join a board. Meet the company executives, get comfortable with the culture and read the documents that can help you understand how the company works today. You can’t help change an organization for the better if you don’t understand where they are coming from.”

There won’t necessarily be KPIs that you can attribute success or failure to, but that’s OK. CEOs want to know less of how you’re operating, and more of how you’re thinking. Can you help the company grow faster? Can you advise on a specific pain point the company is going through? Are you able to absorb what the company is doing now to see the short and long-term opportunities for success? You gain this from in-depth onboarding, which, unlike a full-time job, is not something to assume is part of the process.

Serving the board, the CEO & yourself

A common mistake of a new board member is running before you can walk. When you first join a board, it’s easy to do too much too fast. This issue is especially common amongst diverse board members. The advice coming out of the workshop was simple: take your time, learn how the board operates, find a mentor and figure out what your sweet spot is so that you can pounce on opportunities to shine.

At our workshop, we showcased insights from existing board members, recruiters and CEOs. One takeaway from our CEOs is the relationship between a board and the company’s leader. Knowing when oversight turns to overstepping is the sign of a thoughtful board leader. CEOs are eager to help guide board directors to actions that are helpful and those that are not. The simple truth of it is the CEO is aware that the board is their “manager” (to use a simple analogy), so it’s important to treat the CEO with the same care and respect you would direct reports.

Lastly, it was noted by our lineup of experts that you should know when a board opportunity has run its course. Based on a study by Spencer Stuart, the average tenure of a board member is just over 4 years. Whether it is an over-extension of responsibility, compensation or a realization that your skills no longer match the needs, resigning from a board is not something to fear. In fact, it shows great insight into how your professional career is progressing and where opportunities for growth and change exist. 

Looking ahead

At Sapphire, we think the path towards board parity requires a lot of work, and it begins with training. As we move into 2022, the team at Sapphire Ventures is excited to host more board readiness events each quarter with a focus on growing our diverse candidate pool. The need to further diversify boards is becoming even more important as Germany and other EU nations move to pass legislation on gender parity in the boardroom. This means more room for first-time board leaders as the population of qualified board members tries to keep pace.

If you’re interested in learning more about Sapphire Ventures’ diverse board candidate endeavours, please contact [email protected] to get involved.

Summer 2021 has been eye opening for many of us. The U.S. West Coast continues to be on fire (an annual trend nowadays), while parts of the East Coast recently saw their wettest summer. Another category 4 hurricane struck New Orleans on the anniversary of Katrina, the remnants of which walloped a wholly unprepared New York City metro area. On a global scale, historic flooding in China, Germany and Belgium destroyed towns in what was considered to be a once in a millennium flood. Amidst a UN designated code red for human driven global heating, climate change is a now problem affecting the way we live and do business today. 

But there is hope on the horizon: rapidly improving battery technologies, renewable energy prices decades ahead of plan and even carbon negative chemicals. Entrepreneurs are building next gen decarbonization technologies, and key stakeholders are turning up the heat, pressuring the world’s largest companies to begin to decarbonize. At the same time, consumers have shifted towards sustainable products, driving 50% of aggregate CPG growth between 2013 and 2018. Most importantly, corporate executives are waking up to the situation at hand. 

Facing the reality of a deteriorating environment and intense pressure from both consumers demanding carbon free products and investors demanding visibility into both transitional and acute climate risk, 21% of the global 2000, representing $14T in annual revenue have committed to net-zero emissions targets. In addition, driven by a surge in responsible investing, public market investors are getting in the fray and demanding carbon transitions of the largest companies.

We know the future is decarbonized, but navigating the transition won’t be simple for the vast majority of companies. Software will be a necessary ingredient to a climate transition. Here at Sapphire, we like to back companies behind the strongest megatrends, and there is no tailwind stronger than climate change. Along with hard-tech, we believe that a whole suite of software tools will help power the decarbonized economy. We call these platforms: B2B Sustainability Software.

What is B2B sustainability software?

Carbon touches nearly every industry. From jet fuel in planes to the carbon “emitted” by cows, carbon is everywhere, yet nowhere in that it can’t be easily measured. Whole industries will need to decarbonize over the next several decades, but there is a fundamental data visibility problem that needs to be addressed first. Carbon cannot be scanned via an RFID tag. It can’t be stored and monitored as easily as data in a warehouse. The good news is that new software platforms are providing the necessary visibility into the carbon footprint of the world’s largest companies that desperately need it. Visibility is step 1. Decarbonization is step 2.

We define B2B Sustainability Software as software products that help corporations across verticals drive their sustainability agenda through a wide range of potential use cases. We are seeing excitement across the entire industry, but have witnessed the most activity within three sub-verticals: carbon accounting & reporting, carbon offsetting and supply chain transparency. Let’s dive in.

Carbon accounting & reporting

Faced with public market investor and downstream customer demands for carbon neutrality, the world’s largest companies have scrambled over the past 18 months to not only announce a carbon neutrality target, but get a handle on their own carbon footprint. Therein lies the problem–determining an organization’s carbon footprint is a complex endeavor.

In comparison to financial accounting, with a few data sources, one easily converted currency and a handful of key calculations, carbon accounting runs amok with data sources from all over a company’s operations, currency in all sorts of different units (kwH vs. kgs of cement vs. BTUs, etc.) and several hundred calculations confusing the end result. It is no wonder that previously, the global 2,000 have either a) not tracked their carbon footprint or b) used human-centric, manual processes, to track it. Consulting firms like Bain, BCG and McKinsey have historically dominated the space, but new tech platforms have an opportunity to digitize these workflows to accurately calculate, monitor and predict carbon footprint, as well as provide insights through AI/ML.

The market is highly competitive as a number of startups are attempting to build the right solution for F500 companies, but we believe that there is room for a number of players in what is shaping up to be a massive market with regional regulatory idiosyncrasies. Different regulatory environments will give ample opportunity to companies both in the U.S. and Europe.

We also believe that the carbon footprint management layer will be the linchpin that enables a whole ecosystem of applications that could never have been dreamt up without this core piece of information. The way we see it, carbon footprint management companies will serve as a crucial piece along an entire value chain that enables decarbonization.

Carbon offsetting – Digital marketplaces and verification

As much as we love to work from our pajamas, business and personal travel will remain for the foreseeable future, and electric planes are still very much a pipe dream. Despite the promise of startups attempting to decarbonize the world’s largest industries, many essential processes today, like cement, aerospace and steel production, are likely decades away from economical alternatives. That said, companies that deal in these industries, notably several U.S.-based airlines, still aspire to achieve carbon neutrality long before it will be technologically feasible to be fully decarbonized. Thankfully, carbon offsets can help.

Most people know what a carbon offset is, but as a refresher, a carbon offset is a financial transaction where the purchaser (a net positive carbon emitter) pays a net negative carbon emitter to sequester carbon for them. Several startups are developing next gen technologies to store carbon, but the most economically viable option today relies on a fundamental biological process: photosynthesis. As trees photosynthesize energy from the sun, they pull carbon out of the air, store it in their trunks and emit the oxygen we breathe in exchange.

Carbon offset projects have existed for years, and McKinsey estimates that the market for carbon offsets could be worth $50Bn by 2030 and 5-10x larger by 2050. However, today’s carbon market lacks the liquidity and visibility necessary for efficient trading, because carbon credits are highly heterogeneous and there is systematic over-crediting of forest offsets–California’s $2B offset program has been shown to be overvalued by hundreds of millions of dollars.

 Forests come in all different shapes and sizes, some capturing far more carbon than others. In Northern California, the beloved Redwood forests along the coast capture as much as 250x more carbon than their more inland peers, but there is no clear demarcation line between these carbon dense temperate rainforests and their less carbon dense, dryer inland cousins. These wide differences can lead to little visibility into the success of the offset. This, coupled with the analogue functioning of these old-school marketplaces, it’s no wonder that they are fundamentally broken and incapable of achieving their one singular aim: sequestering carbon.

We think that rapidly improving satellite imagery combined with the power of AI/ML can achieve a verified tech enabled carbon marketplace that not only simplifies the process for purchase of carbon offsets, but also provides significant financial incentive for new carbon offset projects to get off the ground. A huge opportunity exists for companies to unlock these carbon markets and the natural power of the earth to heal itself.

Supply chain transparency

A company’s carbon footprint does not stop with its direct carbon and energy use. It extends further upstream to the carbon footprint of its inputs and raw materials, as well as downstream to the use, distribution and end of life treatment of its products. A company’s carbon footprint is broadly bucketed within three scopes.

1. Scope 1 refers to direct emissions from the reporting company
2. Scope 2 includes all purchased electricity
3. Scope 3 includes all other emissions associated with the production, distribution and use of a company’s product.

Scope 3 emissions represent the vast majority of a company’s carbon footprint that are often hidden behind archaic and analogue supply chains. Digitization of supply chain processes enables every organization to have better control over the impact of their actions and respond to any sustainability-related issues. While a good solution, only 50% of organizations have digitized their supply chain. As individual companies are beginning to understand their carbon footprint by digitizing their supply chain, they are forcing their suppliers and customers to look beyond their direct carbon emission (Scope 1) and indirect energy consumption (Scope 2) as the majority of company carbon emissions result from upstream vendor and downstream customer activities (Scope 3). In looking at existing data, of the 239 companies that signed up for the Science Based Targets Initiative in 2020, 94% included commitments to reduce these Scope 3 emissions which account for ~80% of their overall climate impact. And according to Gartner, by 2025, 50% of the world’s largest tech and services companies will use a demonstrated commitment to net zero emissions as a supplier selection criterion up from 3% today.

While useful, product-level emissions data is not available for everything companies procure today, and many suppliers don’t understand their own Scope 1 and 2 emissions. Addressing this data gap will require collaboration between multiple players in the value chain. So what does this mean for the startup ecosystem? There is a huge market opportunity for a startup to build digital supply chain management tools that provide customers better insight to their own supply chain, sustainable procurement and overall corporate sustainability.

More areas to be excited about

As the climate warms up, seas turn angrier and wildfires turn unrulier, companies like Kettle, Cervest and Climate AI are building the next generation of climate risk intelligence to protect companies’ vital assets from climate related catastrophes. Companies like Leap, Heila and Piclo are rethinking the software necessary to power the decentralized electricity grid of tomorrow. Clarity AI is empowering the growing generation of impact minded investors hoping to achieve carbon free and sustainable investment portfolios. Lastly, a new cohort of e-commerce enablement companies, including Recurate, Archive and Treet, are focusing not on better clickthrough and conversion rates, but on empowering the world’s most forward thinking brands to recycle and resell their worn goods through branded and proprietary digital resale marketplaces. These companies play in sub sectors of sustainability on their own, and much can be written about each. We are excited about all of these areas,  in addition to the use cases that no one has come up with yet.

Entrepreneurs tackling the world’s biggest Problems

We believe that the sense of urgency to create solutions solving climate change has only just begun. The peak of climate enthusiasm is years away, but the vibrancy of the early stage climate tech ecosystem, powered by a list of rapidly growing world class investors including, G2VP, Lowercarbon, The Westly Group, Pale Blue Dot, Obvious, Salesforce Impact and Breakthrough Energy (to name but a few), validates the momentum behind the space.

We view the companies and sustainability sectors outlined in this post as Sustainability 1.0, attacking the most pressing and obvious use cases for software in the drive towards decarbonization. We know that there are many sustainability related problems that remain to be solved, and we can’t wait to see this future generation of sustainability companies flourish into companies of consequence. But we are also excited to witness what the next generation of climate enthusiastic entrepreneurs build in their quest to heal the planet. 

If you are building software for the decarbonized economy, we would love to hear from you. You can reach us at [email protected] and [email protected].

Being data-driven is not a new concept for global enterprises. However, we’re now experiencing a shift across the enterprise data stack as a growing number of disparate cloud applications collide with legacy on-premise systems to produce more data than most companies know what to do with. Yet even with this shift and the continued importance of data to make more and better-informed decisions, enterprises still have a difficult time ensuring their data is accurate, consistent, accessible, up to date and secure.

Over the past decades, we’ve seen data within the enterprise evolve from monolithic systems with limited data capture, processing and storage capabilities to a more robust, scalable and open data ecosystem. We’ve also seen machine learning and artificial intelligence gain momentum across use cases within the enterprise to drive better insights. And we are now witnessing the emergence of a “data unification layer” across the increasingly fragmented and modular modern stack with new data tooling solutions helping data scientists, engineers and business analysts analyze, share, protect and manage data. These new data solutions address the ongoing data-related challenges faced by enterprises and are reshaping the data tooling market entirely. 

At Sapphire, backing emerging players supporting the data ecosystem has been core to our investment strategy from the start, and we’re proud to have supported dozens of companies of consequence across the data stack. Most recently, we’re thrilled to have reaffirmed our commitment to data-focused European startups by once again backing our portfolio companies Matillion and Adverity as they move on to their next stages of growth. Manchester-based Matillion has emerged as a company of consequence in the extract, transform, load (ETL) space, and we are excited to continue to support their growth with their recently announced $150M Series E financing. We’re also excited to continue to support our Vienna-based portfolio company Adverity, which is building the industry-leading intelligent marketing analytics platform, in their $120M Series D financing.

When looking at the newest trends in the data ecosystem, we are particularly excited by the ambitious founders building new data tooling companies in Europe and Israel, as we believe there has never been a better time to build a data tooling company here.

Global Trends Across the Modern Data Stack

Globally, more enterprises are adopting a modern data stack as companies move their processes from on prem to the cloud and collect more data across disparate sources. As a result, we are seeing several key trends across the modern data stack take shape:

• Data sources and storage solutions are moving to the cloud
• Data manipulation, reporting and dashboarding are becoming more available to non-technical users
• Data security, privacy and governance are becoming more central to the full data stack 
• The modern data stack is increasingly fragmented and modular leading to the rise of data ops tooling and a data tooling unification layer

In particular, we are seeing an explosion of startups in the emerging data tooling unification layer across:

• Data monitoring, quality and observability – Address poor-quality data through discovering, prioritizing and resolving data issues 
• Data collaboration – Facilitate better insights and sharing of data internal and external across teams and companies 
• Data privacy, security, management and governance – Protect, govern and secure data across an organization

The European & Israeli Data Tooling Landscape

Our approach to investing in the data space is to back the best company in the market no matter where the team is located. That said, we’ve been paying close attention to the developments in the European and Israeli ecosystems, so we wanted to share our view of the data tooling landscape with a special focus on what we believe to be standout companies coming out of these regions:

Starred companies represent current or exited Sapphire investments. Snowflake is a Sapphire investment at IPO

European and Israeli startups are building new tools across the modern data stack providing better solutions for companies across all industries. We are seeing these companies expand internationally and become global category winners. We expect that European and Israeli entrepreneurs will continue to lead on creating innovative solutions and that these ecosystems will continue to be hotbeds for the next generation of data tools.

Top Predictions for the European & Israeli Data Tooling Ecosystem

1. Data tooling will attract huge amounts of investment – It’s not surprising given the many ambitious founders we meet in the data space that capital continues to pour into data-focused startups in Europe and Israel with over $14B invested in 2020, according to PitchBook data from July 2021. We expect this number to dramatically increase even further this year, with deal sizes also increasing due to more ambitious founders tackling data-related problems with novel solutions.

2. The data ecosystem will see a human capital flywheel – As the tech ecosystem continues to mature, we will see more employees leave large tech companies and scale-ups to launch their own data-focused companies. A clear example of this is Maarten Masschelien, who left Collibra to co-found and launch Soda. We expect to see more examples of founders like this starting their own businesses in the future. Additionally, given the strong technical depth in the European ecosystem, we expect to see the community of buyers and data engineers, scientists and analysts continue to flourish.

3. Product-led-growth will become a popular GTM strategy – Already, we are seeing that next-gen data startups are adopting product-led growth strategies to drive adoption and momentum. The approach removes the need for expensive on-the-ground sales forces in new markets and provides a fast time-to-value for enterprises. In parts of the data tooling sector, top-down enterprise sales will remain a necessity, but we believe that more and more solutions offering a free entry version and/or being built on top of open-source projects and bottom-up adoption will permeate into enterprises.

Get in Touch

We’re proud to have backed companies across the full data stack and believe that innovative opportunities will continue to emerge as companies adopt modern data tools. If you are building a company in this space, we’d like to hear from you. And if there are innovative data tooling solutions that we may be missing in our landscape, please don’t hesitate to let us know at: [email protected]. 

Special thanks to Tyler Crown for his help in researching and publishing this piece.

It feels like daily we see headlines of a new ransomware attack. Even if you’re not diligently staying on top of cybersecurity news, it’s hard to deny that the scope and frequency of these attacks are increasing.  

In 2021 alone, we witnessed major incidents with an oil pipeline, a meat processing facility and a managed-service provider–all experiencing massive data breaches. If it seems like there have been more attacks lately, it’s because there have been. According to Blackfog’s State of Ransomware tracker, each month of 2021 has seen more attacks than it’s 2020 predecessor.

Given the enormous spike in cyber attacks, we recently held a roundtable on the topic with security experts from our enterprise network. Our goal was simple: to learn how to “deal” with the current ransomware problem, whether that meant prevention, preparation or mitigation. 

What we learned from the group, which included executives from organizations like Secureworks, AEG, Netskope, Harrods, the FBI and others, was that ransomware should be treated as an expected problem. In other words, enterprises should think that it will happen to them. It’s not a question of if, but when.

Attacks are Becoming More Sophisticated 

As the prevalence of these attacks has increased, we’ve seen a small change in the type of attacks taking place. Historically, system intrusions were encryption-oriented. Meaning, a set of systems would be encrypted with a private key that, upon payment of the ransom, would be released to the victim. 

We are now seeing another, more public type of ransomware becoming popular, dubbed the “name-and-shame” attack. This type of intrusion is considered double-extortion as the victim is not only compromised, but the attacker also threatens to release the acquired, confidential information publicly. Due to the ever-growing interest in these attacks, this “public shaming” serves to cause reputational damage to companies, which no amount of paid ransom can recover. The bigger the target in these situations, the larger the ransom–due to implications on stock price, customer loyalty, regulatory bodies and so on.

We also learned in our roundtable that it’s now possible for attackers to be inside a victim’s systems for much longer before announcing their presence. This “patience” is caused by a change in mindset of attackers; they now see more value in the information within systems versus simply the fact that systems are breached. Rather than announcing their presence upon entry, hackers are able to stay quiet while they browse a company’s system for the best source of data.

Prevention Is and Always Has Been Key

On the top of every CISO’s mind is prevention. That is the gold-standard mindset of any good security professional: how do you protect against intrusion. In speaking with top security leaders, we uncovered attacks can happen one of three ways: 

1. By scanning and exploiting public systems
2. By stealing employee credentials 
3. Via commodity software installations

The solutions to these attack vectors are quite straightforward and have been in practice for years, though to varying degrees of thoroughness:

• Patch all systems and conduct regular penetration testing
• Deploy multi-factor authentication as a majority of attacks are currently via social engineering
• Deploy network and endpoint detection solutions (via Sapphire portfolio companies Netskope and Exabeam, for instance)
• Employ a zero-trust framework
• Utilize data governance and analytics solutions (Sapphire portfolio companies Privacera and Uptycs can help here)
• Create an incident response plan
• Practice good digital-asset management (consider Sapphire portfolio company Jupiter One to help in this area)

On that note, it’s worth highlighting that a big and important lesson came out of the attack on Kaseya in July 2021. If you deploy a MSP, you might not be in control of all your systems. Make sure your third-party providers stick to the same rigor that you do for security.

Coming out of the roundtable, a quote stuck with us in this conversation: 

“Think that you are 3 to 5 years behind the criminals. Your goal is to be better than the next target on their list, so they find getting into your systems just beyond their level of effort.”

Strategies for Staying Prepared

Preparing for an attack has many facets, especially since each attack is different than the other, so we’ve distilled it into a few key points to consider:

1. Stress-test your response: There’s no way to really be ready for the day of an attack, as most executives agreed that “your IQ drops 20 points when in real-response mode.” So the best way to prep is to:
   • Create an incident response plan and put together tabletop exercises for your team to get familiar with protocol
   • “Bring down” any systems you can to do hands-on training
   • Learn the basics of isolation and containment.
2. Prepare the business: Our current IT expectation is one of efficiency. The business should know that, in the event of an attack, efficiency will be de-prioritized. Business systems will be down and backups will be in play. Know the efficiency of your backup and what percentage is quick to recover. Regularly test your offline recovery to give a likely scenario to the business for an attack.
3. Your non-IT response: In your incident response plan, you should have critical mass points. When X happens, what is the corresponding Y action? Know the basic services that you can have available if you need to take your system down. Prepare your marketing and PR teams with a ransomware toolkit. And know which law enforcement agencies you’ll need to contact.

We reached out to the team at the FBI who joined our roundtable for their take on further steps for preparedness. According to San Francisco FBI Assistant Special Agent in Charge Elvis Chan:

“Given the current crescendo of ransomware and supply chain attacks, I have three pieces of advice for companies:

1. Reach out now and establish a relationship with your local FBI field office. As a victim, you don’t want your first phone call to the FBI on a Friday night when your networks are locked out and your hair is on fire. 
2. Your company should implement multi-factor authentication in order to access your corporate email accounts and networks. A significant portion of the cyberattacks we observe involve brute force attacks, such as password spraying. 
3. In the longer term, you should work toward implementing a “zero trust” network architecture.  This will involve prioritizing the most valuable data within a company and hardening them within the network.”

Recovery Options are Limited at Best

Insurance on ransomware resolution is booming at the moment, but perhaps too fast for some creditors. With the frequency of attacks, premiums are increasing, even leading to “co-insurance payment” structures where both the insurers and victims are on the hook for payment. Speak to your legal team and understand if you have a contractual obligation for insurance. If not, the price of cyber insurance is likely not worth the coverage at the moment.

The most obvious resolution to a ransomware attack is to pay the ransom. Gain the key to decrypt, fix up your systems and move on. Take the Colonial Pipeline incident as an example. Payment was their way out. And lucky for them, the U.S. government was able to recover nearly half what they paid, but this is very much the exception to the norm. 

Payment is a dangerous and increasingly unpopular option, which further perpetuates the attractiveness of cyber attacks for these criminals. Furthermore, late last year, the U.S. Treasury indicated that there may be major legal implications to paying any ransom that originates from a sanctioned country. 

The Rub

We wish we had better news. It doesn’t  appear that the public ransomware problem is going away anytime soon. With attackers becoming more emboldened and going after larger targets, there is a sense of foreboding that many CISOs have. Through our conversations with the executives at our roundtable, the advice is simply to hope for the best, practice proper cyber hygiene and security posture management, but prepare for the worst. Regularly updating and checking internal and external systems might seem like a tall task amidst the hundreds of other priorities, but close alignment with overall leadership (CEO, CIO, etc.) is the first step to normalizing a secure company framework.