On Monday, the White House issued yet another warning about Russian cyberattacks, this time aimed directly at businesses. President Biden cited “evolving intelligence that the Russian government is exploring options for potential cyberattacks.” The warning includes an eight-point bulleted list of urgent steps to follow and five long-term strategies to employ for bolstering cybersecurity.
A previous warning issued in January was aimed at critical infrastructure and earlier this month we asked cybersecurity experts whether the war in Ukraine made the risk of Russian cyberattacks worse. As cybersecurity analyst Adam Levin told IndustryWeek in response to that question, even in the face of these warnings from the US government, “Companies that already have established cybersecurity policies will most likely respond accordingly and adjust their preparedness as needed. Companies that are limited by budget, staff or that haven’t prioritized cybersecurity will not.”
To companies that haven’t prioritized cybersecurity, one wonders whether frequent alerts from the White House and conversations about preparedness against the Russians may sound like the boy crying wolf. But what if the level of Russian cyberaggression does spike to such egregiously high levels as to practically demand businesses pay attention?
If the red alert alarms do go off, advice about running cybersecurity drills and deploying new security tools on PCs and encrypting data may be too little, too late. So, we asked our experts for a list of cybersecurity actions a business could reasonably expect to complete in only five business days.
Too Little May Be Too Late
“The need to implement security solutions and programs within five business days is like preparing for final exams the night before the exam; it's almost too late. Solutions like multi-factor authentication, extended detection and recovery (XDR) and backup systems can take weeks or months to procure and implement,” says James McQuiggan, security awareness expert at KnowBe4.
“Security awareness training programs with videos can be implemented quickly, within days to provide awareness to users,” McQuiggan continues. “Consider sitting down with IT, cybersecurity departments, legal and communications to review incident response plans in a breach or severe attack. It will be necessary for staff to be aware of what they need to do and avoid trying to figure that out when it happens.”
“The reality here is that there may be nothing to do but wait until the cyberattack is over, as it may affect the networks, sites and systems that your staff uses to do their job,” Levin continues. “Consider providing business-only devices to all employees (small businesses might be able to buy a few very quickly) and make them understand that only they can access the devices.”
“Assign new hard-to-crack passwords to anyone who has access to your data or network. Talk individually to every employee about phishing and how to recognize a phishing email. Audit all devices to make sure they have been updated and anti-malware software is running on them, and make sure that only they have access to their device,” says Levin.
“If U.S. organizations have waited until now to prepare for a cyberattack, it’s sheer luck that they haven't yet experienced one. Or worse, they have been attacked and don’t know it,” says Kurt Markley, U.S. managing director at Apricorn. “Organizations that do not have a defense strategy in place must perform an immediate backup of company data offline and off-premises.”
“Companies should keep at least three copies or versions of data stored on two different pieces of media, one of which is off-site, (what’s often called the 3-2-1 rule),” Markley continues. “Secure data backup can facilitate quick restoration of operations in the event of a breach or attack.”
“Patching is the single most important security process an organization can do to drastically improve their security posture,” says Matt Gyde, chairman and CEO of Foresite. “Threat actors are lazy, so they go for the easiest approach. If a threat actor knows that your front door is unlocked [you have a clear vulnerability], why bother checking the windows?”
“Besides aggressively patching all systems in the environment, the best thing to do is to have robust monitoring of the environment,” Gyde continues. “You cannot defend what you cannot see, and every organization has ‘black holes of rogue IT’ within them. Every asset must be monitored.”
“If I were an asset owner looking for the biggest way to improve security posture over the next five business days, I’d be focused on enabling my people,” says Ben Miller, vice president of professional service and R&D at industrial cybersecurity firm Dragos. “I’d make sure key staff…are aware of the heightened potential for attack and understand what to look for and what to escalate to the security teams.”
