Risk beyond ransomware: Three steps to improving your cybersecurity
Ransomware attacks increased 65 percent between 2018 and 2019.
The bad actors in this situation are business people who run their attacks the way a sophisticated marketer runs a campaign: with catchy subject lines, smart keyword analysis and even compelling calls to action. They prey upon topical issues – such as the current Novel Coronavirus-19 pandemic – to take advantage of our fears, uncertainties and doubts. But, unlike COVID-19, there is nothing novel about their attack tactics. They use the same approaches they have used for decades for one simple reason: they work.
Today’s environment is a perfect storm for attackers. Our teams are scared, tired and overwhelmed, which leaves them more distracted than usual. That includes our IT and cybersecurity teams. We’re not in our normal office environment, where we can more readily watch systems for nefarious traffic.
Following are three approaches to help manage cyber risks.
#1 Back to Basics
Step 1: Slow down, give yourself time to think. Believe it or not, that urgent email can wait a second or two while you process what it says. Try to simplify and focus. Remember this: complexity is the enemy of information security.
Step 2: Understand risk. You cannot understand risk unless you assess it. Every good information security program starts with a good risk assessment. This is true in the private sector, and it’s critical in the public sector where budgets are tighter and the political stakes are higher.
Remember, information security or cybersecurity is risk management. Without proper risk assessments, you can’t manage risk, much less prioritize tasks and justify budgets.
A simple example: should you shore up your backup strategy before you mature your vulnerability management program (patches and configurations)? Do you patch before you reconfigure your firewall? A risk assessment will identify which of these needs attention first and help you prioritize where you spend your next cybersecurity dollar.
#2 Put Your Business Hat On
It’s time to ask whether politics should play a role in information security. The government organizations that show the most success in cybersecurity are those that approach the discipline more like a business issue and less like a government (or political) one. By approaching cybersecurity with our business hats on, we can make smarter decisions with our budget, make prioritized choices about what to purchase and deploy, and identify which processes will give the greatest cybersecurity benefit.
Healthcare entities that were early to approach their work from a business standpoint are a good example. In the early 2000s, healthcare organizations were losing significant amounts of money, in part due to inefficiencies in care delivery. Some, like St. Joseph Health Center in St. Louis, looked to business practices refined in the 1980s to improve quality and productivity while enhancing patient care and reducing medication errors and infection rates.
Approaching cybersecurity in city and county governments is no different. By taking the best of business and applying those tactics across divisions, you will be able to identify risk and make smart decisions. You will utilize your resources and budgets better, producing better results. Protecting our communities from cyber threats is the point; doing it better is the way.
#3 Manage Third-Party Information Security Risk
If more people understood the significance of third-party information security risk, more people would manage it much better, or at the very least, manage it. The sad fact is most government entities fail to manage third-party information security risk, and of those who do, most do it poorly.
Identifying cyber risk originating from outside our network has gained significant attention in the last two years. According to a 2018 Ponemon survey, companies share confidential information with, on average, 583 third parties. The same report showed that 59 percent of companies reported having experienced a data breach caused by one of their third parties in the past 12 months. The figures are likely worse in state and local governments.
This is very significant in terms of risk. When a breach occurs (remember, risk cannot be eliminated, only managed), how do we justify our failure to account for third-party information security risk?
Just like businesses, state and local governments rely on third parties to perform certain activities or services on their behalf. They use third-party support for compliance efforts, voter registration, processing payments, handling property titles, and hundreds of other things. Third parties are being used to manage and utilize sensitive citizen data in more ways than most people realize. The only way to ensure third-party risks don’t unnecessarily put citizens at risk is to turn to risk assessments to help identify the holes.
It’s easy to get overwhelmed when considering how to manage cyber risk within a state or local government, particularly knowing that COVID-19-related threats will plague us for a long time. The good news is that many entities, in the shadow of the 2019 ransomware attacks, put plans in place to protect their organizations that are relevant and applicable today and well into the future.
Remember, complexity is the enemy of cybersecurity, so before you start investing dollars and resources into shiny new cybersecurity programs, hit pause. Think like a businessperson, invest in thorough and continual risk assessments to help you build a solid plan to guide your efforts, and get those third-party risks under control.
Evan Francen, the CEO of SecurityStudio, has extensive experience designing solutions for complex information security problems and is well-versed in governmental and industry-specific frameworks, regulations, standards and guidelines, including NIST CSF, ISO/IEC 27000, FISMA, HIPAA, GLBA, PCI-DSS, FDA CFR Part 11, SOX and COBIT. He is the chief designer of FISASCORE, the information security language spoken by more than 1,500 companies in the United States.