When a major hack hits the news, enterprise IT teams scramble to prepare for the fallout. Any organization directly affected by a breach is bound to come under fire, along with the effectiveness of existing security deployments that were unable to protect them. However, every significant data exposure also causes companies to wonder when a similar event might happen to them. The recent news about the White House and State Department hacks, now attributed to malware created by Russian hacking group CozyDuke, should serve as another reminder to organizations of the evolving sophistication in remote access attacks and to prepare accordingly. Unfortunately, however, the reality is that many organizations will continue to think that such an event can never happen to them, or if they do, will either ignore the threat completely or overcompensate by investing limited security resources into traditional IT defenses at the expense of more subliminal sources of infection.
Legacy endpoint and perimeter deployments such as firewalls and intrusion detection serve as essential defense-in-depth safeguards for data security, but cybersecurity is more than just vendor sensors and total security is impossible. If the White House is susceptible to a sophisticated cyber attack or the National Security Agency vulnerable to a cataclysmic insider threat, other organizations with smaller security budgets and comparatively less manpower and expertise will be no different. The next time you sit down with your team to evaluate your enterprise risk landscape, take a lesson from the CozyDuke attack or from any number of previously victimized entities and consider the following steps.
1. Start with a plan.
The least effective approach to security is a reactionary one. If you’re not thinking clearly or fully evaluating your organization’s risks and needs, you’re likely to focus too heavily on one area of exposure. Instead, your team should aim to develop a tailored and panoramic understanding of the threats to your industry and company, to include the sensitive data you are obligated to protect like corporate trade secrets or customer privacy data such as health and payment card information. Such a plan would seek to prioritize data based on its risk sensitivity and criticality to corporate innovation, execution, and reputation, as well as understand when it might be most imperiled based on the multitude of ways a creative adversary might target it. If you adhere to the philosophy that the data you have is worth stealing, you can then contemplate some inventive scenarios where potential threats to it are most severe. Use this to align security investments and resources against these potential problem areas.
2. Spread out your resources.
As CozyDuke proved, phishing attacks should be one of your company’s top security concerns. In 2013, Kaspersky Lab reported that the number of Internet users hit by phishing attacks had increased by 87 percent since the previous year. However, these numbers are no reason to forget that various other breach tactics and potential security risks are growing at equally alarming rates. While your employees should be properly educated on tips for safe computing and awareness of the increasing professionalism and credibility of phishers like CozyDuke, your risk management budget should also include accommodation for less-technically focused areas. This includes education on the behavioral precursors exhibited by malicious insiders, the litany of human engineering techniques practiced by determined competitors or adversaries, and ensuring internal policies and procedures for data security are matured through consistent application and enforcement.
3. Consider your industry and audience.
Depending on your industry and the stakeholders you serve, certain risks won’t apply to your business – while others may increase tenfold. In highly regulated industries such as healthcare, it is no secret that covered entities must comply with stringent guidelines covering information assurance of protected health information. For those companies operating globally within competitive industries such as high-tech or manufacturing, similar standards should be rigorously followed as well but instead with a focus on compliance to those best practices addressing threat exposure from foreign travel, including danger from nation-states known for prolific industrial espionage and competitive intelligence adversaries alike.
4. Prepare for continuity.
Once your holistic security vulnerabilities have been identified and solutions put in place to remediate them, your security posture will be considerably improved but your work isn’t over. An effective risk management plan is founded on the adoption of mature security practices, continuously assessing risk, and ensuring the resiliency of your organization should a cyber event occur.
If your enterprise is breached, every team, employee and transaction will be affected. The CozyDuke hack, among many other recent attacks, makes it clear that some of the most malicious security infections in today’s IT landscape only require an end user to be tricked a single time. From that initial compromise, hackers can establish a foothold within a network and start the standard attack cycle – where recovery can take months or even years. As you update security strategies and build out new initiatives, remember that a holistic understanding of your cybersecurity risk should be your primary goal. When today’s threats are putting all organizations at risk, remember that while attacks may be inevitable, the extent of your victimhood will always be a function of preparedness. It starts with a tailored understanding of your enterprise posture relative to risk, the maturity of the cybersecurity culture you implement, and your plans for business continuity when a devastating attack or breach does occur.