Transforming your approach to weather the storm
We have all witnessed, first-hand, the impact COVID-19 has had on our lives, our communities, and on our businesses, but this has not slowed down bad actors and their desire to disrupt our way of life.
If you’ve had your eyes and ears on the news lately, you know that we’ve witnessed some of the most daring, blatant, impactful, and costly cybersecurity attacks of our lifetime. In January of 2021, we learned of the SolarWinds attack, in which hackers compromised the infrastructure of the SolarWinds software company and then used that access to produce and distribute software updates with an embedded trojan horse to the company’s end-users. SolarWinds stated that its customers included 425 of the US Fortune 500 companies, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities, colleges and small to large sized businesses; 18,000 organizations worldwide.
In January of 2021, at least 30,000 organizations across the United States had been hacked by an aggressive Chinese cyber espionage unit focused on stealing email from victim organizations. The espionage group exploited recently-discovered flaws in the Microsoft Exchange Server email software and used them to seed thousands of organizations worldwide with tools that gave attackers remote control over affected systems.
Most recently, Colonial Pipeline allegedly paid nearly $5 million in response to a ransomware attack that shut down the country’s largest fuel pipeline, impacting the majority of the US eastern seaboard. This impact was so significant that on Wednesday, May 12th, President Biden signed an executive order to strengthen U.S. cybersecurity defenses.
Many small and medium-sized business owners do not know, or do not believe, that we are in a cyber war. Many who are aware that cyberwarfare rages around us don’t know how to use the weapons they have at hand, or at least within reach. Most Small and Medium-sized Business (SMB) owners could not imagine their business assets being the target of a cyberattack. The alarming truth is that they have become highly valued targets in this cyberwar. In the midst of an economic recovery led by SMBs, these companies need to protect their corporate assets as diligently as large corporations do. Over the last several years, many news contributors and politicians have said that the economy would be rebuilt on the backs of small businesses. This reality has made SMBs very attractive to hackers looking to disrupt our economic recovery.
The threat and profitability of cybercrime are ever-increasing. According to a 2020 report, cybercrime damage is projected to reach $6 trillion annually by the end of 2021, which is greater than the profitability of the combined world-wide drug trade and more than the GNP of a number of small countries. A cyberattack can be devastating, wreaking financial havoc, damaging reputation and driving away clients. Most countries wouldn’t confront the US militarily but are very successful at taking us on in cyberspace. These attacks have a devastating impact on our economy, forcing many businesses to significantly increase their IT and security budgets. Numerous SMBs are collapsing under the weight of expensive technology bought to close the cyber gaps, or are going out of business entirely due to ransomware demands they can’t afford to pay.
Moving forward with stronger cyberhygiene during these challenging times
Unfortunately, many organizations have no defined cybersecurity strategy, policy, or plan to up their cybergame. They are in reactive mode, closing the gaps as they learn they exist. They tend to avoid spending money up front to build layers of protection around their company data and IT assets, but are willing to spend “whatever it costs” to restore service during an attack. Trust me, it’s a lot easier to spend the money up front to protect than to spend 4-5 times as much to recover.
Cybersecurity training is a key component of the overall cybersecurity solution but is often the most neglected. Training need not be highly technical and costly. Security awareness training is inexpensive and very effective in keeping cybersecurity “top of mind,” as they say. Awareness training provides your team with a valuable weapon for fending off the enemy in this cyberwar. Teaching your team how to recognize an attempt to circumvent the front line is critical and often overlooked. This is not accomplished with the limited mandatory security awareness training many companies provide once a year. What’s needed is an ongoing program that provides a 3–5-minute reminder each week to help team members keep security hygiene in the forefront. Programs should include monthly phishing simulation attacks and track clicks on links that should never have been opened. Organizations have seen click rates drop from 67-70% upon starting a security awareness training program to just 3-5% after twelve months.
Beyond security awareness training, there is a plethora of technical training available. If your organization has an IT staff, technical training in hardening servers and network devices, locking down Office 365 and MS Exchange, securing webservers, and following IT and security best practices is essential. There are training platforms available that offer one-year subscriptions at a low cost, giving your technical resources all the training they can consume. This approach also provides a great perk to technical employees who “live to learn.”
The most important training is the one most often overlooked: the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). The framework defines five functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), which are subdivided into twenty-three categories. Each category is broken down into sub-categories of security controls, 108 in all. This framework provides industry best practices in each of the above functions, covering the full lifecycle of a cybersecurity plan. First, identify the organization’s assets, then be sure they are protected. Set up mechanisms for detecting any compromise of those assets, establish how your team will respond to a threat or breach, and implement strategies for recovering from such threats or breaches. This approach gives your team a plan to follow to establish a strong security posture.
There are also a number of variations of the NIST-CSF, including those for government agencies (NIST 800-53) and federal contractors (NIST 800-171), as well as other security standards such as ISO 27001.
There are several options available online for NIST-CSF training and its variations, including training on what the controls are and why they are important. If you’re looking for more beyond the what and why, there is a program getting a lot of industry recognition which also covers how the controls are instrumented and implemented within an organization: the NIST Cybersecurity Professional (NCSP®) Training Program. This program provides the technical details and the organizational information needed to establish a company-wide security program.
The value of learning about a security framework such as NIST-CSF is that it gives the organization a target to shoot for and a plan of action to get there. The framework is loaded with industry- and government-accepted best practices and the capabilities an organization must have to weather the storm of cyberwarfare. This approach takes the guesswork out of cybersecurity maturity planning and helps organizations put proactive tactics in place to reach a strategic goal: cybersecurity maturity that is measurable and can be improved upon.
Action plan summary
- Implement the training listed above: awareness training, technical skills training, and practical implementation training around your chosen cybersecurity framework.
- Connect with qualified cybersecurity professionals who are trained and certified in the NIST-CSF and/or the security framework your organization must adhere to.
- Perform a cybersecurity assessment in alignment with that framework. I strongly recommend utilizing a compliance platform in line with the security framework the organization is using. Getting away from the chaos of using spreadsheets will make the journey much more tolerable.
- Based on the gaps identified, create a Plan Of Action with Milestones (POAM). One-year, 3-year, and 5-year plans based on a CMMI-like maturity model work best for this. Execute on this plan and be true to the milestones defined.
- Implement a Continual Security Improvement (CSI) approach so that the organization is always improving its cybersecurity posture and maturity.
- Conduct yearly self-assessments against your security framework controls and the associated policies and procedures established by your organization.
- Invest in multi-layered protection now to avoid spending money while under duress in the event of an attack.
Remember, it’s not “if” an incident will occur, it’s “when.” How well you respond and recover will depend on how prepared you are to weather the storm when it arrives.
Mike Battistella is the President of Solutions3 LLC, an IT Management Company focusing on Cyber Security Training & Governance, IT Service Management, IT Operations Management, Critical Notification, and Technical Training. Mike is also the North American Regional Director for Cybersecurity-Professionals and the CMMC Academy. He can be reached at info@solutions3llc.com or (201) 891-0477. For more information, feel free to visit https://www.solutions3llc.com/.