Is your cybersecurity posture resilient enough to survive a pandemic? You’re about to find out. Teri Robinson reports.
Long before the coronavirus made the jump from bat to humans, most organizations had prioritized cybersecurity and operational resilience, or at least given it lip service, recognizing that while stopping all threats at the doorstep is impossible, withstanding and mitigating them is entirely doable - and desirable.
“The problem with security is that you can’t win – aim for that and you’ll fail,” says Unisys Chief Trust Officer Tom Patterson. “But if you aim for resilience you can absolutely win, you can take a punch but you keep on going.”
The quick spread of COVID-19 has lent urgency to that mission and underscored the importance of building resilience. “Cyber, or digital resilience should be considered essential - like water, gas, and telephone/internet. Maintaining essential services that keep the lights on, keep people operating in their roles, and keep the digital world safe from attack is critical,” says RedSeal CEO Ray Rothrock, who penned the book Digital Resilience: Is Your Company Ready for the Next Cyber Threat?
Indeed, security teams daily battle a rising tide of challenging cyberattacks.
Noting that the “sophistication of cyberattacks blurs the line between the digital and the physical realm,” CEO Mickey Bresman points to the “immeasurable damage” inflicted by targeted strikes aimed at taking out industrial control systems, transportation networks as well as hospitals.
Ransomware, for example, “has evolved into a multi-billion-dollar industry, and it is far worse than we know – unfortunately, many victims quietly pay off their attackers without ever notifying the authorities,” says Bresman. “If you follow the money, it finances illegal narcotics, weapons, terrorism, human trafficking, and child exploitation.”
Cyber resilience, in that respect, can serve a greater purpose than protecting just the enterprise. “Cyber resilience makes the world a safer place by curbing the funding of evil,” says Bresman. “Because when organizations can say ‘no’ to ransom and blackmail demands, we’re all safer.”
If the sheer volume and growing sophistication of attacks and the wicked intent of miscreants aren’t enough to convince organizations to invest in resiliency, the costs that they must somehow absorb or offset as a result of those attacks should. According to an IBM/Ponemon study, the average cost of a data breach in organizations where more than 50,000 records are compromised tops $6.3 million. And a breached U.S. company on average loses $4.13 million in business globally.
The National Cyber Security Alliance says 60 percent of SMBs pay the ultimate price, going out of business within six months of an attack. The high costs of mitigating a breach and bringing a company back online might explain why cyber insurance has slowly grown in popularity. Marsh says that 42 percent of its U.S.-based clients bought cyber insurance last year, up from 38 percent the year before.
Attacks show no sign of easing up but rather will continue to grow in volume and complexity as cybercriminals and nation-state actors, undaunted and in some cases inspired by a sweeping pandemic, find opportunities to make money, wreak havoc and pilfer valuable information. “Creating resiliency is an investment – a form of insurance – that must be balanced against the risk failure of that system poses to the bigger systems it contributes to,” says Gerrit Lansing, field CTO at Stealthbits.
What does resiliency look like?
While security teams and experts might have differing metrics for gauging resiliency, they tend to agree on the overarching need and many of the best practices to achieve it.
“Resiliency is viewed by some to be the latest buzzword replacing continuity or recovery, but to me it really means placing the appropriate people, processes, and procedures in place to ensure you’re limiting the need for enacting a continuity or recovery plan,” says Shared Assessments Vice President and CISO Tom Garrubba.
Resilient organizations share numerous traits. According to Accenture they place a premium on collaboration – 79 percent say collaboration will be key to battling cyberattacks and 57 percent collaborate with partners to test resilience. “By adopting a realistic, broad-based, collaborative approach to cybersecurity and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly, and appropriately,” says Steve Durbin, managing director at the Information Security Forum (ISF).
Their efforts apparently pay off. Organizations that place a premium on collaboration have a breach ratio of six percent compared with 13 percent for organizations that don’t prioritize it, Accenture found.
Those that lead in resilience also put priority on incident detection – with 58 percent prioritizing detection speed – and bolster existing capabilities, with 39 percent sustaining the capabilities they already have. Just shy of a third – 30 percent – provide training for more than three quarters of their users, Accenture said. And 62 percent make it a point to hire skilled personnel, Ponemon found.
Those efforts resulted in a 27 percent dip in breaches over the preceding 12-month period with 15 percent of these leader companies having more than 500,000 records exposed in the previous year compared to 44 percent of non-leaders.
“History has proven that businesses which have put a lot of formal thought into surviving and responding to all types of disasters have been far more likely to survive if they actually occur,” says Roger Grimes, data-driven defense evangelist at KnowBe4. “After 9/11, I remember reading that most companies directly impacted by 9/11 in downtown Manhattan, of the ones that had resiliency plans, most survived. And the ones that didn’t, most never recovered.”
The benefits of building resiliency are clear, yet, despite best intentions, many organizations are falling short and they know it. IBM/Ponemon found that only 42 percent give high marks to their organizations’ ability to minimize or mitigate IT security risk. And on a very basic underpinning of resilience – an incident response plan – the majority, 77 percent, simply don’t have one.
Perhaps, they haven’t been motivated. Or their best intentions have been sidelined as they put out everyday cybersecurity fires.
Enter the virus. Dystopian conjurings aside, COVID-19 is hardly the deadly Captain Trips from Stephen King’s The Stand, wiping out 98 percent of those in its path, but it has quashed or upended business and security plans – putting both to the test under the most extreme of circumstances and exposing gaps and lapses in glaring relief. Companies quickly found that their VPNs couldn’t handle the strain, that privacy was at risk as workers – and students – flocked to teleconferencing platforms like Zoom and Microsoft Teams to stay connected, and that the already thorny issue of patch management had become even more challenging, all while the organizations, data and employees that security teams are charged with protecting came under increasing attack.
But it’s not too late to bolster resilience by getting the policies and procedures in place. ”To look at the current situation, many organizations are forced to have employees work-from-home, and while companies like Amazon and Facebook are fully prepared to make this shift quickly, many organizations are not prepared to support this new remote workforce,” said Hysolate CEO Marc Gaffan. “These organizations must quickly build a plan to assess the risks involved with enabling remote access and implement security measures quickly to mitigate the increased risk this poses. This includes evaluating the workstations/laptops that employees are using, how they’re connecting to corporate and sensitive environments, what applications they require access to in order to be productive, etc.”
Ultimately, “it comes down to maturity. Was there a thoughtful plan and decisions taken to mitigate the right risks in the right amounts so the company could continue operations without an unreasonable expenditure or business interruption?” says Cerberus Sentinel President Bill Santos.
A solid set of policies and procedures “will help mitigate risk during normal operations within the processes and workflows of an organization” as well as aiding security teams in preparing for, responding to and recovering from cyberattacks, says Elan Shapira, head of research at Panorays.
Conduct a business impact analysis. Assessing and prioritizing “all business functions and processes, including their interdependencies, as part of a work flow analysis, is of paramount importance,” says Garrubba. “In fact, it starts there. You cannot know your dependencies without going through this exercise (the who’s, what’s, where’s, when’s, and yes – even the why’s). Once you know these, you’re halfway there!” In particular, “identify, assess and manage the risks associated with network and information systems” across the supply chain, which has taken a particular hit during the COVID-19 crisis.
Involve employees and raise awareness. Now, more than ever, it’s important for security teams to remind employees of security policies that they should follow and push out alerts to any particular security incident that might threaten. Be sure to provide employees with a line of communication to ask questions or report possible security incidents, like phishing attempts.
Collaborate. As COVID-19 has forced populations and organizations to realize, they’re not in a crisis alone. There is much to be learned – and quicker mitigation – by working in concert with others in the private and public sectors. As noted earlier, organizations that collaborate see a downtick in incidents and a shortening of response time.
Update the incident response plan. “Create an incident response management program to ensure business continuity even if your organization becomes the victim of a cyberattack,” says Shapira – or, for that matter, of a pandemic. This should be a no-brainer, but disturbingly, Censuswide found in a survey of 200 U.K. decision-makers that “one third of companies haven’t upgraded cybersecurity systems, despite the pandemic and a surge in remote working.” With an incident response plan in place, “adding in additional dimensions like continuous monitoring, redundancy, segmentation, and others serve to improve the overall resiliency of a company’s operation in the face of evolving threat actors,” says Chris Rothe, co-founder and chief product officer of Red Canary.
Patch, please. As the 2017 Equifax breach showed, delays in patching can result in a devastating data breach or malware infection. Then again, if security teams act too hastily and without a plan, they can potentially open up their corporate systems or employee devices to additional exploits due to incomplete patching or careless use of remote administration tools.
“In the immediate future, patch management concerns will extend far beyond the established, known, managed and curated networks into a potentially chaotic mix of uncontrolled system versions and devices of thousands of employees,” says Eric Welling, North American lead for the Accenture Security, Cyber Investigation and Forensics Response (CIFR) group. “The balance between functionality and security is a longstanding consideration, but the extra pressure from COVID-19 will require both agile implementation and a methodical approach to ensuring continuity while remaining secure.”
Adopt a cloud infrastructure. Companies that have been hesitant to move to the cloud may want to rethink their position – managing apps and a newly remote workforce can be easier in the cloud, provided, Garrubba says, organizations “adhere to security best practices, as well as elastic workloads, multizone computing and other relevant capabilities.”
Lead from the top. “Ensure that the program is overseen from the top of the organization and built into the business,” says Shapira. As New York Governor Andrew Cuomo and others have shown, leaders calm the ranks and by example strengthen strategies and plans for dealing with a threat. Bresman likens cybersecurity leaders to being “on the front lines of a new war – one that has virtually no boundaries and does not play by any rules.”
Management can set tone and ensure a focus on resilience. “An organization’s resiliency is not just about system redundancy, backup processes, and formal risk management,” says Lansing from Stealthbits. “It’s also about creating a culture where resilient thinking can thrive and that starts with an environment that is accepting of failure and embraces the lessons learned from it,” he points out.
Follow good cyber hygiene practices. Anyone paying attention to Dr. Anthony Fauci and other health experts the last few months knows that washing hands and maintaining social distance are key to stopping the pandemic’s spread. As Ebola survivor Dr. Craig Spencer recently said, the COVID-19 “virus can’t infect you if the virus doesn’t meet you.” The same goes in cybersecurity. Particularly as employees work remotely, it’s more important than ever to encourage the basics – changing passwords, using multifactor authentication and not clicking on malicious links and email attachments.
Test, test, test. Again, what’s good for gaining control over the spread of a pandemic is good advice for security teams looking to build and ensure resilience. “The other must-have is the testing; what good is a plan if it’s not tested? Test scenarios should be realistic and plausible,” says Garrubba. “You actually want to see some failures during testing as this helps you to recalibrate your strategy.” Shapira underscores the importance, too, of “focusing on application security and using automated scanning and testing to continuously identify potential vulnerabilities.”
But individual companies aren’t the only ones who should be looking to inoculate against threats.
The pandemic should motivate the industry to bolster resiliency, with Dixon advising:
Incentivize the adoption of next-generation defense. Now is the time to deploy the full promise of the Fourth Industrial Revolution and expand the use of advanced security automation capabilities, including machine learning and artificial intelligence.
This includes smart automation that can take complex security workflows, shared intelligence and knowledge of adversary behaviour, and respond to potential risks at machine speed entirely without human intervention. This will enable us to scale our collective response and dramatically drive down the cost of security to make it more accessible.
Accelerate skills development. Developing future frameworks to develop leaders will be essential if the industry is to create new mass-market business models and not just boutique services.
Address market imbalances: It may take a cyber version of the U.K.’s NHS to realign the priorities of industry to realize the collective good. Security is “a basic need and one that will need to be addressed by leaders to remediate the gap between the cyber haves and have-nots.”
That “will be of paramount importance to the future of the Fourth Industrial Revolution and the wellbeing of the social fabric.”
While most organizations “are still sorting out their cyberstrategy, working on fundamentals and reducing vulnerabilities as best they can,” Rothrock worries that the pandemic might have the opposite effect and “put cyber spending on the chopping block” as organizations struggle to control costs during economic shutdown.
“They should be careful,” he says. “Because of the dependency on digital systems to keep businesses operating, to cut expenses to this would mean introducing risk, and we all need to be reducing risk right now, not introducing more.”
While no one will be immune to every threat, building resiliency will put security teams in a stronger position to blunt the impact of attacks.
“We’re not able to stop everything, we just need to make sure it doesn’t stop us,” says Patterson. “Let’s make sure when something happens, we can withstand it, we’re not the frontpage news.”
A business continuity checklist in the age of coronavirus
Cyber threats don’t stop just because a pandemic has sent the workforce home, including security teams. When the majority of the security team is no longer conducting daily risk assessments, vulnerability scans, and other onsite operational procedures required to ensure the organization’s confidentiality, integrity and availability (CIA), a business continuity process can help companies create systems of prevention and recovery – and continue security operations.
The following checklist can help baseline a company’s ability to continue its security operations in such a crisis.
- Can you remotely access the security solutions that you use daily to monitor for malicious behavior on the network and end-user devices such as PCs?
- Can you remotely make configuration changes to your security solution set?
- Can you remotely upgrade or patch your security solutions set?
- Does a PC being located remotely change any of your containment or eradication processes?
- Does the additional IP address added by VPN access affect your ability to map an IP address to a username?
- If you are leveraging user behavior analysis does the fact that the user is now coming through VPN affect its ability to map the IP address to the end-user?
- Can you remotely contain a server by isolating it from the network?
- Can you remotely drop a network link to the offices in order to contain a potential malware outbreak (for example)?
- Can you remotely contain a PC and conduct a forensic investigation?
- Can you remotely access your critical servers and databases to investigate potential malicious behavior?
- If everyone is working remotely what IP traffic should you be seeing on the corporate network? This is important if someone has taken advantage of no one being at the facility.
- Are your facilities monitored with security cameras? This is also important to ensure people are not accessing areas which are normally populated and restricted.
- If you did have to send a team member into the building, have you walked through who that would be and the escalation and approvals that would be required to make that happen?
Source: Cybersecurity Collaborative
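Two of the checklist questions above hide a concrete engineering problem: once everyone arrives through the VPN, the source address a firewall or UBA tool sees is a pool address that changes hands between sessions, and the office LAN that used to be full of user traffic should now be nearly silent. The script below is an added example (not from the checklist’s source or any product) showing how to make both checks from logs. The VPN session log and firewall log formats, the 10.200.0.0/24 pool, the 10.10.40.0/24 office LAN and the list of hosts expected to stay on that LAN are all constructed assumptions for the illustration.

```python
"""
Attribute VPN-sourced flows to users and flag traffic on an office LAN that
should be empty while staff work remotely.  Added example; log lines and
address ranges below are constructed for illustration.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed VPN concentrator log: session start/stop with the pool address
# leased to the client.  Note that 10.200.0.15 is leased to alice, released,
# then leased to carol, so IP -> user mapping must be time-bounded.
VPN_LOG = """\
2020-04-06T08:01:12Z vpn01 SESSION_START user=alice tunnel_ip=10.200.0.15 src=203.0.113.40
2020-04-06T08:03:44Z vpn01 SESSION_START user=bob tunnel_ip=10.200.0.16 src=198.51.100.7
2020-04-06T11:30:00Z vpn01 SESSION_END user=alice tunnel_ip=10.200.0.15
2020-04-06T11:45:10Z vpn01 SESSION_START user=carol tunnel_ip=10.200.0.15 src=192.0.2.99
"""

# Constructed internal firewall log: flows observed on the corporate network.
FW_LOG = """\
2020-04-06T09:15:00Z fw01 ALLOW src=10.200.0.15 dst=10.10.5.20 dport=445
2020-04-06T09:16:00Z fw01 ALLOW src=10.200.0.16 dst=10.10.5.21 dport=443
2020-04-06T11:40:00Z fw01 ALLOW src=10.200.0.15 dst=10.10.5.20 dport=445
2020-04-06T12:00:00Z fw01 ALLOW src=10.200.0.15 dst=10.10.5.20 dport=445
2020-04-06T12:05:00Z fw01 ALLOW src=10.10.40.23 dst=10.10.5.20 dport=3389
2020-04-06T12:06:00Z fw01 ALLOW src=10.10.40.5 dst=10.10.5.30 dport=9100
"""

VPN_POOL = ip_network("10.200.0.0/24")    # addresses leased by the VPN (assumption)
OFFICE_LAN = ip_network("10.10.40.0/24")  # user desks in the now-empty office (assumption)
# Hosts that legitimately keep talking on the office LAN while the site is
# unstaffed, e.g. a print server (assumption).
EXPECTED_ON_LAN = {ip_address("10.10.40.5")}


def parse_kv(line):
    """Split 'ts host EVENT k=v k=v ...' into (timestamp, event, {k: v})."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return ts, parts[2], fields


def build_sessions(vpn_log):
    """Return (tunnel_ip, user, start, end) tuples; end is None while open."""
    sessions, open_by_ip = [], {}
    for line in vpn_log.splitlines():
        ts, event, f = parse_kv(line)
        ip = ip_address(f["tunnel_ip"])
        if event == "SESSION_START":
            open_by_ip[ip] = len(sessions)
            sessions.append([ip, f["user"], ts, None])
        elif event == "SESSION_END" and ip in open_by_ip:
            sessions[open_by_ip.pop(ip)][3] = ts
    return [tuple(s) for s in sessions]


def user_for(sessions, ip, ts):
    """Which user held the pool address at time ts, or None if no session."""
    for s_ip, user, start, end in sessions:
        if s_ip == ip and start <= ts and (end is None or ts <= end):
            return user
    return None


def analyse(vpn_log, fw_log):
    """Return ([(fw_line, user_or_None), ...], [finding, ...])."""
    sessions = build_sessions(vpn_log)
    attributed, findings = [], []
    for line in fw_log.splitlines():
        ts, _, f = parse_kv(line)
        src = ip_address(f["src"])
        if src in VPN_POOL:
            user = user_for(sessions, src, ts)
            attributed.append((line, user))
            if user is None:  # pool address in use with no matching session
                findings.append(f"VPN address {src} with no session at {ts.isoformat()}")
        elif src in OFFICE_LAN and src not in EXPECTED_ON_LAN:
            findings.append(f"office LAN host {src} active while site is unstaffed, dport={f['dport']}")
    return attributed, findings


if __name__ == "__main__":
    attributed, findings = analyse(VPN_LOG, FW_LOG)
    for line, user in attributed:
        print(f"{(user or 'UNATTRIBUTED'):>12}  {line}")
    for finding in findings:
        print("FINDING:", finding)
```

The 11:40 flow from 10.200.0.15 falls between alice’s logout and carol’s login, so a naive IP-to-user table built from the latest login would wrongly pin it on carol; the time-bounded lookup leaves it unattributed and raises it instead. The RDP flow from 10.10.40.23 is the kind of traffic the “what should you be seeing on the corporate network?” question is meant to surface.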