For years, IT security experts warned governments, companies, and other organizations about the risk of cyberattacks, offering concrete recommendations to help prevent them.
Confirmed May 7, the ransomware attack on one of the United States’ largest fuel pipelines is an all-too-frequent reminder that more needs doing. Now.
Recent attacks have become bolder and more sophisticated and include intrusions into government agencies, healthcare providers, schools and organizations of all types and sizes, including the likes of Twitter, Microsoft and the National Basketball Association. But while most publicized attacks are against large, well-known brands, small businesses are also a major target for bad actors.
One unique response to the recent Colonial Pipeline attack came from the hackers themselves and is the first time I can recall a perpetrator issuing a formal statement.
DarkSide, the alleged culprit, said, in part, “Our goal is to make money...not creating problems for society.”
Safeguards Lacking
Unfortunately, too many organizations have minimized or ignored the need for safeguards.
James Lewis, SVP at the Center for Strategic and International Studies, says the risk is not perceived as enough of a threat to prompt action.
“…Market forces alone aren’t going to push people to do the right thing. We’ve learned the hard way that there are some basics that make it very hard to get hacked. Most people don’t do it.”
There is more to prevention than lines of code. A cyber incident response plan addresses the who, what and how of responding to an attack. It outlines response-team members' roles and the steps that contain damage, isolate affected systems and restore operations. IT consultants and organizations such as NIST (the National Institute of Standards and Technology) offer robust breach response guidelines.
A communication plan identifies priority stakeholders (some contracts require special notification of clients), outlines key messages and anticipates questions. Attorneys need to weigh in on all cyber crisis messaging to ensure it meets legal and regulatory standards and provides vital information without creating undue exposure to liability. In addition, an insurer may play a key role in how the event is managed and may have final say in the response.
By taking aggressive preventive measures, regularly educating employees and implementing cyber crisis response and communication plans, organizations can better prepare to mitigate a ‘Cyber Armageddon.’ Begin today.
–Deb Hileman
Deb Hileman, SCMP, is president and CEO, Institute for Crisis Management.