Cybersecurity Awareness Month just ended, but the need for cybersecurity awareness looms every single day in today’s digitally driven business world. To help protect you from being blind-sided in by the ever-changing threat landscape, Ed Stroz candidly advises on today’s and tomorrow’s most pressing cybersecurity concerns to help you set the agenda in your firm.
Q: Recently many of the most popular sites on the internet were rendered inaccessible by a massive DDOS attack. How can companies better protect against these kinds of attacks?
A: For businesses specifically, if you have a single DNS relationship, it’s like any single point of dependency. If something happens to it and you don’t have a redundancy to fall to, you are out of luck. As others have been saying: You may want to reconsider having more than one DNS provider. That said, you can’t spend unlimited amounts of money. So you need to weigh your vulnerability to this type of attack with the costs of protection.
But there is a shared responsibility for preventing these types of attacks. As enterprise consumers, and for individual consumers in general, even though everything seems fine—at home your smart refrigerator is working, at work your videoconferencing devices are working—these machines could also be launching unauthorized, massive information requests against some target on the internet. And it could be coming from some of your devices. This activity could be causing enormous disruption for legitimate traffic and may be preventing you from getting to the website you need to reach.
Changing the default passwords on connected devices, as many have already said, is essential. More protections will likely be needed. However it will take the participation of the device makers and responsible device users to take their security to the next level.
Consumers of all kinds should start asking questions about the devices they buy. How do I make sure this device can’t be weaponized? People think about it with food: Is it genetically modified? Is it environmentally friendly? But they haven’t yet started to think ethically about electronics. This will change. People will start saying they care if their devices can be weaponized, and they will be passing this preference on to the vendor. Then the companies who make and support these devices will have to increase the prioritization and the value of security on those devices, more than that they have in the past.
Q: Should organizations be preparing for any new types of attacks?
A: An attack on data integrity. At the end of July at the International Conference on Cyber Security, both James Comey, FBI Director, and Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, talked about this threat. Here’s what it means. If an intruder can get into your system to steal data or to make it unavailable to you, he can also change this data unbeknownst to you. This stealthy type of attack could be aligned with traditional ransomware tactics, too. For instance, you receive a phone call: “I changed the results of some of your lab’s blood work. Give me $50,000, and I’ll restore the correct data.” With a DDOS attack, it’s designed to be noticed. With data integrity, you might not even know the data’s been changed until someone tells you or operations don’t work properly.
While we’re yet to see many of these attacks on the integrity of data, it’s this type of forward-looking perspective that’s necessary to detect and protect against them. I’m always telling people: “Don’t just react to yesterday’s news. Think about risk management in areas that haven’t been widely exploited yet.” If you don’t do tabletop information security exercises on attacks on the confidentiality, integrity, and availability of your data, you’re not covering the threat landscape.
Q: Ransomware itself is a topic many organizations are worried about. At a recent event at the NYSE, company directors asked us: Under what conditions should you pay the ransom?
A: I would change the question. Because it’s not about “should” you pay, it’s about whether or not you have to pay. You may have no choice. If the consequence of not paying is going to leave you in a worse position because you have no way to recover, the dollar cost of paying the ransom may be worth it in the short term.
Q: Won’t the attackers keep coming back for more?
A: You’re paying because you were unprepared. For the most common types of ransomware, if the person had a suitable backup to the infected device, such as a backup computer, you wouldn’t have to pay the ransom. Once you pay the ransom, then you need to ask yourself, “How do we change things so, that if the attackers come back, we can fend them off better?”
This kind of reactivity, though, is Cybersecurity 101. Whenever an attacker has successfully intruded upon your system, whether that’s through a default password on a smart device or a vulnerability in your perimeter caused by delaying an update, adaptation to prevent an attack from happening again is essential. You could arguably be negligent if you don’t plug up certain holes, but thoughtful planning to protect from possible future attacks, on the other hand, is how you really begin to secure your firm.