As companies look to the year ahead, they should make sure they are prepared for the types of cyber attacks they might encounter in 2019. The cyber threat environment is more sophisticated than ever, and nation-states have increasingly played a role, often in coordination with other actors.
Even the best chief information security officers are evaluating their programs against current threats and beefing up.
Many companies, however, have inadequate cyber-security programs and are not prepared for multipronged attacks or those that could create significant business interruption. For example, in nearly every cyber-risk assessment we conduct, the two lowest-scoring areas are incident response and business continuity/disaster recovery. In addition, many organizations have not identified mission-critical functions, do not have current or adequate inventories of their applications and data, and have not assigned ownership to these assets. When trouble hits, these gaps make for a pretty hot mess.
So it’s a two-pronged problem: an organization must first understand its assets and what they are used for and then understand the types of attacks that could hit them. When an organization has not paid attention to its assets, chances are it is clueless about its threat environment, its preparedness to counter an attack, and its ability to keep functioning.
Engage Business Units
Internally, many organizations still tend to view IT and cyber security in a silo and try to be involved as little as possible with them. They just want the systems—and business—to keep running. That attitude ignores the accepted best practice that business units should “own”—and be responsible for—the data and systems they use to perform their business functions. Business owners should approve access to their applications and data and authorize a system to operate, thereby taking responsibility for the risks the system and data bring to an organization. This is how risk management is spread across an organization.
In reality, however, managers somewhere in the organization usually request access to applications or data for new hires and send the request to IT, which then implements access. Business owner approval is not a common practice.
If business owners are not engaged in controlling access to their systems and data, they are likely not very involved in what happens during incident response or disaster recovery. Thus, a major incident sends IT and security teams scrambling to identify critical applications, their dependencies and the business functions that have been affected.
Test Your Plans
Well-developed disaster recovery plans, based on a business impact analysis, are an essential element of cyber-security programs, but they must be tested. Consider the company whose IT team confidently told management it did not need to pay a ransom because the company could simply restore the data—except that the company hadn’t tested its plan and ended up losing six months of data. Or consider the companies that thought they had it made in the shade with constant replication from one site to another, enabling them to switch to the alternate site at any moment. Those companies forgot about ransomware, which ran through their systems encrypting all their data—and their replicated site data (because they forgot about needing an offsite backup).
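To make both failure stories concrete, here is an added toy simulation (not from the article) with constructed file contents and dates: continuous replication faithfully mirrors the ransomware's damage to the alternate site, while a point-in-time offsite backup still passes a restore test, and that same test reports how much work was done since the backup was taken.

```python
import hashlib
from datetime import date

# Constructed toy model: a site is a dict of file name -> bytes. The alternate
# site is kept in sync by continuous replication; the offsite backup is a
# point-in-time copy plus a manifest of content hashes.

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def replicate(primary: dict) -> dict:
    """Continuous replication mirrors the primary exactly, good writes and bad."""
    return dict(primary)

def take_backup(primary: dict, taken_on: date) -> dict:
    """Point-in-time offsite copy; the manifest lets a later restore be verified."""
    files = dict(primary)
    return {"taken_on": taken_on, "files": files,
            "manifest": {name: digest(data) for name, data in files.items()}}

def ransomware_hits(site: dict) -> None:
    """Stand-in for encryption: overwrite every file with unrecoverable bytes."""
    for name in list(site):
        site[name] = hashlib.sha256(b"encrypted:" + site[name]).digest()

def verify_restore(copy: dict, manifest: dict) -> bool:
    """The restore test: every file in the manifest is present and its hash matches."""
    return all(name in copy and digest(copy[name]) == expected
               for name, expected in manifest.items())

def recovery_report(primary_before: dict, backup: dict, replica: dict,
                    incident_on: date) -> dict:
    """What a tested plan tells management before anyone decides about a ransom."""
    lost = sorted(set(primary_before) - set(backup["files"]))  # written after the backup
    return {"replica_restorable": verify_restore(replica, backup["manifest"]),
            "backup_restorable": verify_restore(backup["files"], backup["manifest"]),
            "data_loss_days": (incident_on - backup["taken_on"]).days,
            "files_lost": lost}

def run_scenario() -> dict:
    primary = {"ledger.db": b"Q1 ledger", "payroll.csv": b"jan payroll"}
    backup = take_backup(primary, date(2018, 6, 1))     # last backup, never tested
    primary["orders.db"] = b"six months of new orders"  # work done after that backup
    before_incident = dict(primary)
    ransomware_hits(primary)
    replica = replicate(primary)                        # replication copies the damage too
    return recovery_report(before_incident, backup, replica, date(2018, 12, 1))
```

Running `run_scenario()` shows the replica failing the restore test while the offsite backup passes it, with the recovery point 183 days old and `orders.db` unrecoverable from either.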
Now, consider the new threat environment, which utilizes the treasure trove of NSA cyber tools and zero-day exploits that were released in 2016 by the hacking group Shadow Brokers. Portions of these were used in the severe WannaCry, Petya, and NotPetya attacks in 2017. Projections on 2019 cyber attacks continue to list malware, ransomware, botnets, denial of service, website “drive-by campaigns” (which infect when you visit a website), phishing attacks, and advanced persistent threats (malware that lurks inside your system and stealthily attacks).
The exploitation of internet of things devices has been behind several of the worst cyber attacks in the past couple of years, such as Stuxnet (and its offspring), which attacked programmable logic controllers in industrial control systems, and the Mirai botnet and similar bots, which attacked IoT devices and used them to cause huge denial of service attacks, shutting down major websites and turning off heating in buildings.
Expect more IoT attacks in 2019.
An estimated 23 billion IoT devices are connected to the internet now—everything from appliances to thermostats to building monitors and controls—with growth expected to reach 31 billion by 2020. Many of these devices are not patchable, were not built with embedded security, and are not included within the inventories of hardware in many cyber-security programs.
In 2019, we also will see more “clickless” attacks that exploit vulnerabilities in out-of-support hardware and software, such as WannaCry and NotPetya. This type of malware presents a major risk to the many organizations that have hung on to old equipment and applications.
Dmitri Alperovitch, co-founder and CTO of CrowdStrike, investigated and brought to light some of the most serious cyber-espionage attacks. Regarding the current threat environment, he said: “CrowdStrike research indicates that on average it takes an adversary one hour and 58 minutes to break outside of the initial point of intrusion and get deeply embedded into the network. This means that the best organizations should strive to detect intrusions within one minute, investigate within 10 and eject the adversary within the hour to stay ahead of the threats.” That’s a tall order, but it underscores the severity of attacks we are facing in 2019.
When organizations consider their cyber coverage in 2019, they would be well advised to think beyond breaches of personally identifiable information and look under the hood to see if some of the basics in their cyber-security program—such as asset inventories, incident response and business continuity and disaster recovery—are well developed and tested. The threat environment sets the pace, and companies that do not keep up with mature cyber-security programs and test their data recovery capabilities will be the easiest targets and suffer the biggest losses. Brokers and agents will do well to help their clients assess their vulnerabilities and the maturity of their cyber-security programs and develop a coverage plan to match.
Westby is CEO of Global Cyber Risk.