By Diana Kelley, Cybersecurity Field Chief Technology Officer, Microsoft
Imagine for a moment that your entire network, including all your backups, is impacted by a cyberattack, and you cannot complete even a single customer banking transaction. That’s only one target; it’s not hard to extrapolate from here to attacks that shut down stock trades, real estate transactions, fund transfers, even to attacks on critical infrastructure like healthcare, energy, water system operators. In the event of a major attack, all these essential services will be unavailable until IT systems are restored to at least a baseline of operations.
Now, it doesn’t require professional cybersecurity expertise to understand the impact of shutting down critical services, which is why the new paradigm for cybersecurity must begin not with regulations but with a program to build cyber resilience.
The evolving nature of cyberattacks
According to the 2019 Ponemon Institute report, the global average cost of a data breach is USD 3.92 million. Protection against these costs isn’t easy. The issue facing data security experts is the nature of cybercrime – it’s never static. Once a successful defense is implemented, cybercriminals are quick to pivot:
- New forms of attack like cryptocurrency-mining trojans degrade computer performance and resources by covertly installing malware that mines cryptocurrencies like Bitcoin.
- An old form of attack, inbound phishing emails, increased by 250 percent in 2018. As phishing security becomes more sophisticated, so too do the attacks. Today’s phishing campaigns use a varied infrastructure and multiple attack points to get past stronger defenses.
- Attacks are also focusing on different parts of an organization, specifically software supply chains. 2018’s Dofoil targeted a peer-to-peer application within supply chain software and installed coin-mining malware.
While most organizations understand the threat, they also need to focus on solutions that create a secure data environment which is resilient and able to defend itself against increasingly sophisticated cyberattacks.
Increasing an organization’s resilience
To help increase stability and lessen the impact to their citizens, an increasing number of government entities have drafted regulations requiring the largest organizations to achieve a true state of operational resilience.
While it will always be necessary to be fully compliant with regulations like GDPR, SOX, HIPAA, MAS, regional banking regulators, and any others that might be relevant to the specific industry, it simply isn’t sufficient for a mature cyber program to use this compliance as the only standard.
Organizations must build a program that incorporates defense in depth and implements fundamental security controls like MFA, encryption, network segmentation, patching, and isolation and reduction of exceptions. We also must consider how operations will continue after a catastrophic cyberattack and build systems that can both withstand attack and be instantaneously resilient even during such an attack.
Extending operational resiliency to cover the cybersecurity program should not mean applying different principles to cyberattacks, outages, and third-party failures than one would to physical attacks and natural hazards. In all cases, the emphasis is on having plans in place to deliver essential services whatever the cause of the disruption.
The winning combination: Defense in depth and sophistication of response
Imagine, if you will, how negligent it would be for your organization to never plan and prepare for a natural disaster. A cyber event is the equivalent: the same physical, legal, operational, technological, human, and communication standards must apply to preparation, response, and recovery. We should all consider it negligence if we do not have a cyber recovery plan in place.
The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.
While the majority of firms have a disaster recovery plan on paper, nearly a quarter never test it, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.
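The restore test the two paragraphs above call for can be automated as a routine drill rather than discovered for the first time during a ransomware incident. The following is an added example, not code from the original post or from Microsoft: it assumes backups are plain tar archives accompanied by a JSON manifest of SHA-256 hashes kept on separate media, restores the archive into a scratch directory, checks every file against the manifest, and checks the backup's age against a recovery point objective (RPO). The sample data tree, file names and one-day RPO are constructed for the demonstration; the tampering step shows why a hash manifest is needed: a tar archive carries no integrity check on file contents, so a silently corrupted backup still "restores successfully".

```python
"""Backup restore drill: prove a backup can be restored and is fresh enough.

Added example (not from the original post). Assumes tar archives plus a
JSON manifest of SHA-256 hashes; sample data below is constructed.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, backup_path, manifest_path):
    """Archive src_dir and write a manifest of relative path -> SHA-256.

    The manifest is the reference the drill checks against, so in practice
    it belongs on different media (or an immutable store) than the archive.
    """
    src_dir = Path(src_dir)
    manifest = {"created": time.time(), "files": {}}
    with tarfile.open(backup_path, "w") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest["files"][rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(manifest_path).write_text(json.dumps(manifest))
    return manifest


def restore_drill(backup_path, manifest_path, max_age_seconds, now=None):
    """Restore into a scratch directory and compare every file to the manifest.

    'passed' is True only if the archive opens, every manifest file restores
    with the expected hash, and the backup is younger than the RPO.
    """
    now = time.time() if now is None else now
    manifest = json.loads(Path(manifest_path).read_text())
    report = {"passed": False, "restorable": False, "age_ok": False,
              "missing": [], "corrupt": [], "unexpected": []}
    report["age_ok"] = (now - manifest["created"]) <= max_age_seconds
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(backup_path, "r") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # Python >= 3.12 / backports
                except TypeError:  # older interpreters without extraction filters
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError):
            return report  # archive unreadable: the drill fails right here
        report["restorable"] = True
        restored = {p.relative_to(scratch).as_posix(): p
                    for p in Path(scratch).rglob("*") if p.is_file()}
        for rel, expected in manifest["files"].items():
            if rel not in restored:
                report["missing"].append(rel)
            elif sha256_file(restored[rel]) != expected:
                report["corrupt"].append(rel)
        report["unexpected"] = sorted(set(restored) - set(manifest["files"]))
    report["passed"] = (report["restorable"] and report["age_ok"]
                        and not report["missing"] and not report["corrupt"])
    return report


def run_demo():
    """Constructed sample: back up a tiny data tree, drill it, then tamper."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "appdata"
        (data / "ledger").mkdir(parents=True)
        (data / "ledger" / "accounts.txt").write_text("acct=42;balance=100\n")
        (data / "config.ini").write_text("[db]\nhost=db.internal.example\n")
        backup, manifest = work / "nightly.tar", work / "nightly.json"
        created = create_backup(data, backup, manifest)["created"]

        good = restore_drill(backup, manifest, max_age_seconds=86400)
        # Silent corruption: tar stores file data verbatim with no data
        # checksum, so the archive still extracts but the ledger is wrong.
        backup.write_bytes(backup.read_bytes().replace(b"balance=100", b"balance=999"))
        corrupt = restore_drill(backup, manifest, max_age_seconds=86400)
        # The same archive judged two days later against a one-day RPO.
        stale = restore_drill(backup, manifest, max_age_seconds=86400,
                              now=created + 2 * 86400)
    return good, corrupt, stale


if __name__ == "__main__":
    for label, rep in zip(("good", "corrupt", "stale"), run_demo()):
        print(label, json.dumps(rep))
```

Run on a schedule against the most recent backup set, the drill turns "we back up nightly" into evidence: the report distinguishes an archive that cannot be opened, one that restores with wrong contents, and one that is simply older than the business can tolerate, which are three different failures with three different fixes.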
Cybersecurity often focuses on defending against specific threats and vulnerabilities to mitigate cyber risk, but cyber resilience requires a more strategic and holistic view of what could go wrong and how an organization will address it as a whole. We must continue to be vigilant and thorough in both security posture, which must be based on “defense in depth,” and in sophistication of response. The cyber events organizations face are real threats, and preparing for them must be treated like any other form of continuity and disaster recovery.