IT security experts have been warning governments, companies, and other organizations for years about risk for cyberattacks, offering concrete recommendations to help prevent attacks. Last week’s ransomware attack on one of the United States’ largest fuel pipelines is an all-too-frequent reminder that more needs to be done. Now.
Recent attacks have become bolder and more sophisticated and include invasions of government agencies, healthcare providers, schools and organizations of all types and sizes, including the likes of Twitter and Microsoft, the Department of Homeland Security, Scripps Health in California, and the National Basketball Association. But while most of these attacks have been on large, well-known brands, small business are also big targets for bad actors.
One unique response to the recent Colonial Pipeline attack came from the hackers themselves and is the first time I can recall a perpetrator issuing a formal statement. DarkSide, the alleged culprit, issued a statement on its website that said, in part, "our goal is to make money, and not creating problems for society."
Unfortunately, too many organizations have minimized or ignored the need for safeguards.
In an article on the insurance news site PropertyCasualty360o, James Lewis, a senior vice president and the Center for Strategic and International Studies, said the risk is not threat enough to take action.
Lewis stated, “…market forces alone aren’t going to push people to do the right thing. We’ve learned the hard way that there are some basics that make it very hard to get hacked. Most people don’t do it.”
There is more to prevention than lines of code. An incident response plan and crisis communications plan, updated and exercised, are vital to effectively mitigating the impact of a cyberattack. A significant event can slow down or cease operations, as in the pipeline case. Smaller attacks can still put the organization at risk for multi-million-dollar litigation and reputational damage that may be unrecoverable.
A cyber incident response plan addresses the who, what and how of responding to an attack. It outlines the response team member roles and steps to take to contain the damage, isolate the problem and restore systems. IT consultants or organizations like the National Institute of Standards and Technology offer robust cyber breach response guidelines.
The communications plan identifies priority stakeholders, outlines key messages and anticipates the questions that will be asked. In some cases, companies have contractual obligations to notify certain customers of a cyber event that should be included. Attorneys need to weigh in on all cyber crisis messaging to assure it meets legal and regulatory standards and provides vital information without creating undue exposure to liability. An insurer may also play a key role in how the event is managed and have final say in the response if they are to pay a claim.
By taking aggressive preventive measures, regularly educating employees and implementing a cyber crisis response and communications plan, organizations can be better prepared to mitigate a “Cyber Armageddon.” Today is the day to begin.