On April 17, 2018, the U.K. and U.S. governments issued an unprecedented statement calling out Russia as the originator of cyberattacks on businesses and public sector organizations during 2017.
According to the statement, routers — the devices that direct traffic around corporate networks and the Internet — were targeted, resulting in widespread disruptions.
What this means
Nation-state-initiated attacks are not new. Previous attacks such as Stuxnet (which targeted the Iranian nuclear program) or the hack of a major movie studio in 2014 have been attributed to other governments, and many nation states are now considered to have a defensive or offensive cyber capability. The U.K. became the first government to officially acknowledge an offensive cyber capability in 2013.
However, the widespread damage from high profile cyberattacks in 2017 has raised the game. Attributing cyberattacks is notoriously difficult, so a high degree of confidence is needed before publicly assigning responsibility. The joint statement — the first of its kind — reflects a significant and rising level of concern globally about offensive cyber programs operated by nation states.
Assessing the level of risk to an organization is particularly difficult, because cyberattacks can often have far-reaching and unintended consequences. Every organization needs to have an effective program to manage this risk, but traditional approaches to threat assessment are no longer effective. It’s also not easy to determine whether existing security programs are a sufficient response to this risk — resulting in increasing concern in the board room, and challenging security and technology leaders to demonstrate they’re doing enough.
How to respond
Organizations should start by responding directly to the government recommendations. In addition to identifying and addressing any potentially compromised routers, it’s critical to ensure basic technology controls are effective, most notably:
- Ensuring that patching processes extend to all devices on the network, and are implemented effectively: The Equifax breach in 2017 resulted from a single failed patch, but reportedly impacted an estimated 143 million users. Patching needs to extend beyond servers and desktops to network equipment and infrastructure, with patches implemented quickly and effective checks in place to confirm deployment.
- Effectively hardening systems: Removing features that aren’t required and configuring devices for maximum security, instead of implementing systems with default settings and capabilities. This is about more than changing passwords — it means ensuring that deprecated protocols are disabled and secure configuration standards maintained.
However, while these are good first steps, addressing IT housekeeping isn’t enough to have full confidence in a security program. Organizations must also consider the contribution made by people to their cyber posture and identify any gaps where their security programs could be insufficient.
People can be both asset and liability — one inadvertent click can cause a host of problems, but one rapidly reported incident can save millions. However, many organizations still rely on annual compliance training or occasional email notifications to bring the workforce up to speed. Additionally, very few companies really understand how their corporate culture could contribute to the success or failure of their security programs.
Undertaking a regular, objective cyber risk assessment to baseline, identify and respond to the root causes of employee behavior is critical if effective remediation actions are to be implemented. Employees don’t just need to know the policies; they need to understand their role in protecting the organization and reporting incidents in a timely and effective manner.
Finally, it’s no longer sufficient to build a security program based on a subjective view of external threats. As the landscape is increasingly uncertain and unpredictable, rather than building a narrative view of concerns that will only provide a partial view of risk, organizations should look to quantify and understand their cyber risks using multiple data points — including the maturity of internal controls, historical and current incident data from both within and outside the company, and a quantitative assessment of the likelihood and impact of future cyber events.
By following this approach, boards and security leaders can ensure that programs are sufficient, appropriate and defensible — providing a clear rationale for additional investment where it will yield a positive return to the organization. Following an assessment of current control gaps, initiatives should be considered to address these gaps based on maximizing the risk return to the company. Willis Towers Watson’s Cyber Risk Profile Diagnostic is designed to deliver this, bringing together controls assessment, action planning and risk quantification in one place. Without this type of analysis, boards and security leaders have no way to know whether their program is truly sufficient.
Boards of Directors: 6 key challenge areas for your CISO, CHRO and Risk Managers
Ensuring that cyber programs are effective is a particularly challenging task for directors and boards. The following questions will help you identify whether your security program is likely to be effective in managing the risks discussed in this article:
- Did we have any vulnerable Cisco routers, and have we followed the government recommendations? How long did it take us to do this, and what did we learn?
- How quickly do we patch? Does this extend to network devices as well as servers, and how do we know nothing has been missed?
- Do we have configuration standards agreed by security to ensure all devices, not just servers, are hardened? Do these follow recommended best practices, and how do we show they’ve been applied to all systems?
- How do we assess and quantify cyber risks? Do we have a data-led approach based on the likelihood and financial impact of potential incidents, or are we reliant on a subjective assessment of threats?
- How do we know that our people really understand how to protect our data, and what to do in the event of an incident? Do we undertake continuous targeted training, and how do we measure its impact on our culture, rather than just completion or click rates?
- How do we know we’re doing enough? Is our security program led by the need to minimize the overall cost of cyberattacks on our company or by investment constraints? How can we demonstrate that we’re investing sufficiently and in the right areas to maximize the risk reduction obtained? Are we confident we’re transferring residual risk effectively, and have we reviewed key scenarios to ensure we’d be able to make a claim should we need to?
While no organization can guarantee that it will be able to minimize the impact of a cyberattack, taking these steps can help ensure that it is best positioned to respond to a wide range of scenarios.
Learn more about comprehensive cybersecurity from Willis Towers Watson.