Ransomware: What every board member needs to ask their IT security team