The recent ransomware attack on Colonial Pipeline has reinvigorated calls from legislators to strengthen the defenses of U.S. pipelines and the electric power grid. Over the last several years, a repeatable pattern has become apparent with each major cyberattack. A critical cyberattack occurs, followed by outrage that results in statements from government leaders with calls for action, all followed by proposed ideas on how to better mitigate the risk of cyberattacks in the future. Yet it seems that time goes by, and with the next major attack the cycle starts all over again. This time, government is taking a more rigorous approach to proposing solutions to end the vicious cycle.
On May 11, 2021, President Biden signed an Executive Order that includes several requirements for companies to do business with the federal government. Among these requirements is a mandate that all software sold to the federal government follow imposed cybersecurity standards within nine months. The order also includes a requirement that the government deploy encryption and multi-factor authentication solutions.
There are also appeals for a new government authority to hold companies accountable if they fail to comply. Oregon Senator Ron Wyden is advocating for legislation that forces companies to secure their computer systems, with civil and criminal penalties for critical infrastructure firms with weak cybersecurity posture and strategy. As is often the case after a major cyberattack, there is renewed debate within government over minimum cybersecurity standards across businesses. As usual, there are two sides to the debate. On one side are proponents of minimum security standards mandated by the government. On the other side are those who don’t want to overburden organizations with government-mandated security requirements.
So, why does it seem that companies do not take cybersecurity seriously enough? One of the major reasons we keep seeing these headlines, and that attacks are becoming more and more costly, as in the case of the Colonial Pipeline attack, is likely a lack of resources and overworked security personnel. The security industry has a serious gap in resources: roughly 3.5 million security jobs are unfilled. Universities are not able to train students quickly enough to fill the desperately needed security positions. Security personnel are overworked and know they are a target. They may even know an attack is imminent, but they don’t have the time or budget to prepare for such an attack. And when various security systems are generating alarms, the alarms tend to go unnoticed because internal IT resources aren’t able to dedicate the time to manage and monitor the numerous security solutions. Additionally, IT resources are spread thin across the many requirements of their roles, often leaving them without sufficient time to get trained on each security platform.
Ransomware is a threat that all companies, agencies and the like must prepare for. Ransomware attacks are highly effective, and more often than not a ransom is paid, as organizations simply cannot afford system downtime or the crisis of having their stolen sensitive data leaked. In order to effectively combat this threat, companies need to invest more time, budget, and resources into their security personnel and in recruiting new talent. But there are ways that organizations can reduce the likelihood of a ransomware attack occurring, and protect themselves from being operationally crippled when one does occur.
Until recently, encryption has been the last area of data security to evolve. Encrypted data was only safe when no one was using it. To use data, it had to be decrypted, and that has been a big vulnerability. However, organizations can now reshape the way they protect their most sensitive and valuable data without compromising their ability to manipulate data at top speeds in any manner. With game-changing encryption technologies that keep data encrypted at all times, companies can now prevent attackers from being able to access, use, or release an enterprise’s data even after they steal it. This has several advantages. First, if an adversary is doing reconnaissance and looking to locate and exfiltrate data, it will be a wasted effort, as the data is encrypted and unusable to the attacker. This may be enough to deter an attacker from conducting a ransomware attack, as they no longer have anything of value to bargain with. Second, even if an attacker steals a database, the stolen data is rendered useless, and the attacker is no longer able to use it as leverage to extort a ransom.
Most organizations do believe cybersecurity is paramount, but don’t know how to obtain the highest possible level of protection with the limited budget and resources they have, which are already spread thin. To help organizations take a proactive approach to cybersecurity, it is important for cybersecurity vendors to provide comprehensive solutions that deliver end-to-end security enriched with threat intelligence, as well as recommendations for building a holistic security framework. This translates into companies requiring fewer solutions, which results in a more cost-effective approach. Additionally, security personnel who are bogged down can prioritize their focus with SIEMs enriched with intelligence, coupled with encrypting their most sensitive data stores. More and more, companies are understanding that their sensitive data is their most valuable asset. With that, they must recognize that a new approach to their security framework is needed. Taking a data-first approach to protecting their most valuable assets, and finding a solution that allows them to continue using the data safely and securely, creates a solid baseline on which to layer other security solutions.
Lastly, President Biden’s Executive Order is a move in the right direction in terms of instilling just how important cybersecurity ought to be to organizations. But along with that, organizations must be educated on the latest cybersecurity solutions that can be game changing, both in alleviating security resource constraints and in providing new solutions for vulnerabilities that have been opening the doors for cyber attackers for a long time. Just as important is the willingness of IT security personnel and organizations to be open-minded about the new, innovative solutions available to them, instead of disqualifying game changers in the market by chalking them up to being no different than solutions that have existed before.