There’s a saying in cybersecurity: “It’s not if, it’s when.” With the chances of becoming the target of a ransomware attack climbing, simply hoping it won’t happen isn’t a great strategy.
If you’re in a leadership role, you might be losing sleep over cyberattacks. And you’re not alone. The largest ransomware attack to date recently hit a popular supply-chain software.
It’s time to sit down with your CISO and other security team members to discuss your organisation’s cybersecurity defences. The questions below can help you discover what safeguards are in place and where you might be falling short in deterring cyber threats.
Do we have a vulnerability and patch management program? How do we measure its effectiveness?
Installing software patches and updating systems to eliminate vulnerabilities are the low-hanging fruit of security tasks. However, it’s not easy for busy security teams to get into a regular cadence regarding patching and upgrading, which means it’s painfully easy to let these tasks slide. The Kaseya ransomware attack affected as many as 1,500 businesses that use the company’s supply-side software. And it may have been caused by the company’s inconsistent patching programme. (In fact, employees appear to have complained to senior leaders about sloppy patching practises to no avail.)
If your security team confirms that your company has a patch management programme, then the next questions to ask are: How do we measure success, and what are the SLAs?
Patching can’t do much good if the patches are applied months or even years after they’re released.
Patching can’t do much good if the patches are applied months or even years after they’re released. Security teams must maintain and track currency in your management programmes and clearly demonstrate their effectiveness. Ideally, teams should target to install patches within days or maybe a couple of weeks. For major releases, the target should be n-1, or at worst, n-2.
If the security team tells you there is no patch management programme or the programme is too slow or ineffective, there’s no time like the present to get one started – or get your existing one amped up.
Do we have a recovery plan mapped out in case we do suffer a ransomware attack? How will we restore data?
Security teams should consider setting up forensics retainers with outside firms that clearly define SLAs, response and cost. And this arrangement needs to take place before attacks happen. The last thing anyone wants is to scramble for help as an attack is occurring.
The last thing anyone wants is to scramble for help as an attack is occurring.
As for data, it’s important to note the “ask” here: You need to know how data will be restored, as opposed to simply backed up. If data is backed up, that’s good. But if it takes several hours (or days) to be restored, that’s not good at all. While ransomware trackers have all of your mission-critical data locked up, do the C-suite and employees really expect everything to grind to a halt?
Consider engaging in a discussion with the CISO about the benefits of tiered security architectures and “data bunkers,” which can help retain large amounts of data and make it available immediately. Understand what the restore process looks like, what will be manual and how long it could take.
In addition, work with fellow executives to ensure that tiers of recovery are agreed on with other stakeholders. Application restoration priorities or tiers should be well-defined so that business units know the timeline for restoring applications and there are no surprises. The planning should also include critical infrastructure such as Active Directory and DNS. Without these services, other business applications can’t come back online or function correctly.
How often do we test how our systems would perform in the event of an attack?
The corollary to this question is, “How long until our data will be available again after an attack? One hour? Or 10 hours?” Only by running through all possible attack scenarios can the CISO and security team confidently benchmark the time to normal operations. As we heard security experts say recently, too many companies don’t even test workflows for restoring operations or gauge how much time they’ll need – or how they can improve upon those times.
You also need documentation for tests to prove effectiveness over time and to create an accurate, up-to-date heatmap. It should include details on which apps are tested, how frequently and what the results are. The documentation should also focus on critical infrastructure that can be rapidly restored in an outage since other applications depend on it.
If we are under attack, how will we communicate?
Security teams need well-defined communications plans when it’s time to inform leaders about the onset of a cyberattack. If systems and email are down, what’s the chosen method of reaching out to business units? It’s important to create and update lists of phone numbers and alternate email addresses for contacts within IT and security teams, senior leaders and outside security consultants such as the retained forensics team.
Security teams need well-defined communications plans when it’s time to inform leaders about the onset of a cyberattack.
Also critical: preparing an external communications plan for working with the media, regulators and legal teams. Contacts within local offices of law enforcement authorities may also serve useful. Also, include cyber insurance providers that can explain coverages and limitations.
How can we work together to assess cybersecurity risks?
If the CISO and the security team work in their own silo, cut off from senior leaders, there isn’t much hope in obtaining answers to any of the above questions on a timely basis. It’s better to connect with the CISO to hash out plans for regular briefings within boardrooms, so issues and emergencies get the attention of the C-suite.
To strengthen relationships among teams, spend time with the CISO and security staff to perform tabletop training exercises with real-world scenarios to see how attacks might evolve and where gaps exist.
Security should be everyone’s priority. Not just the IT team, not just the network admin, and not just the InfoSec team – everyone, including you.
The impacts of security threats can be far-reaching and devastating, affecting everything from revenue and productivity to your organisation’s reputation and even your customers’ businesses. Looking at the Kaseya attack, it’s clear that hackers know exactly what systems and data can cause the most damage. It’s in your best interest to understand your security strategy and partner with your security team to ensure they have the visibility, budget, and buy-in they need.