Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

 

 

 

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The wide-spread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique but it is the biggest of its kind so far, and reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy, but they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems up till now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

Undetected Breaches and Ransomware Change How We Think About Cybersecurity

By Adam Brand, Director
IT Security and Privacy

 

 

 

As new possibilities in information technology continue to transform organizations, they may outpace any cybersecurity protections already in place. Controls that seemed adequate yesterday might not be equal to the challenges presented by new technology and ever-evolving threats today. Our recently-published issue of Board Perspectives: Risk Oversight (Issue 90) discusses eight of today’s business realities directors should consider as they oversee cybersecurity risk, and it is worth a read. We’d like to comment further on two of these realities here.

  • The first reality represents a change in thinking: Whereas the adage of yesterday was “It’s not a matter of if a cyber risk event will occur, but a matter of when,” we now know that it’s better to acknowledge that cyber risk events are already occurring, whether we’re aware of them or not.
  • The second reality revises the familiar advice to identify and protect the critical data assets and information systems, aka “crown jewels,” extending that advice to include being aware of the adverse business outcomes that result from the unavailability or compromise of business-critical but non-sensitive data.

Both of these realities have one thing in common: Boards must remain open to new ways of thinking about cybersecurity, because organizations’ information technology assets — and the ways criminals exploit them — keep evolving. Or to paraphrase the Greek philosopher Heraclitus, the only constant in cyber threats is change.

Hunting for Hackers

Thinking “cyber risk events are not a matter of if, but a matter of when” is no longer sufficient — unless you think of “when” as having happened already. Breach statistics show that the vast majority of breaches are not self-detected. In one example from our own incident response practice, a firm that had several threat detection measures in place was blissfully unaware of a credit card breach until they were informed about it by the Secret Service. The attacker had been in the environment for over one year! This example is not uncommon, as breach statistics also show that the average time between an attack and its detection is over six months.

In hindsight, the proper response to this kind of threat would have been a proactive one — a technique known as “breach assessment” or “threat hunting.” Rather than using in-place technologies and processes as a check on prospective cyber risk events, threat hunting searches proactively for attacks already in progress by asking, “Are we already breached, but unaware of it?” More organizations are now augmenting their cyber defenses with the creation of internal “threat hunting” teams or engaging third parties for periodic breach assessments. Support of ongoing threat hunting and regular third-party breach assessments are two ways for boards to ward off the possibility of a long-term, undetected breach.

More Than Crown Jewels

Just a short time ago, “identifying and protecting critical data and systems” — aka, crown jewels — was the standard measure of adequate cyber risk management. However, a narrow focus on sensitive data, rather than an outcome-driven approach to cyber risk management, could cause an organization to overlook real threats elsewhere — like those presented by ransomware, for example. In the past few years, ransomware has changed the risk equation for companies by targeting operational rather than sensitive data. Encrypting non-sensitive information for ransom may not be the exact high-risk data loss we’ve all been warned about but it will cripple business operations nevertheless until the ransom is paid.

Until recently, firms who possessed only non-sensitive data could rest easy knowing they had no “crown jewels” to protect. They should rest no longer, as all firms are vulnerable to ransomware. Boards should be vigilant about this risk, and ensure that safeguards are in place — as well as continuity plans. Shifting focus from warding off a specific data breach — like the loss of sensitive data via a specific application — to considering all adverse business outcomes leads to more comprehensive cybersecurity solutions.

While all eight new business realities discussed in our latest Board Perspectives warrant attention, these two in particular highlight the need for evolving an organization’s approach to cyber risk oversight, now and in the future. You can read our latest Board Perspectives issue here, and we’d love to hear from you in the comment section below.