Reduce the risk of cyber attacks with frameworks, assessments
Don't rely on a compliance mandate to reduce the risk of cyber attacks or on a cyber insurer to cover an attack's aftermath. Assessments and frameworks are key to staying safe.
Large-scale cyber attacks will continue to pose a substantial risk to companies, individuals and economies in 2022. Several factors contribute to this trend, and unfortunately, policies and technical responses have yet to reduce the frequency and impact of cyber attacks.
Organizations should take the following actions to minimize the risks associated with the expanding threat landscape.
Cyber insurance: A tool and criminal market driver
Threat actors have substantial financial motivation to produce, distribute and operate high-quality products that generate revenue for their respective organizations.
From an insurer's perspective, a ransomware "product" that affects dozens of its enterprise clients is a material risk -- particularly if the insured have not yet invested in adequate controls to minimize risks and instead hope their insurance policies will cover cyber attacks.
Cybersecurity insurance providers have started reducing coverage, creating specific carve-outs for ransomware attacks and encouraging companies to either self-insure or deploy technologies to lower the risk of an attack.
At the same time, threat actors have diversified and specialized. A Kaspersky report showed modern threat actors often resemble traditional businesses, with a technical director, finance director, marketing director and support staff to operate the malicious software. The rise of a horizontal supply chain providing malware, stolen credentials, initial access, cloud-hosted infrastructure and help desk functions has enabled threat actors to adopt agile ways of working at a lower price point.
Venture capitalists have similarly poured billions into the cybersecurity market, but these investments have done little to reduce attacks. Although many cybersecurity technologies exist, those tools are only effective when deployed correctly, operated consistently and not ignored.
Threat actors continue to profit despite the rise of insurance and innovation, resulting in a set of policy responses. Under the new Civil Cyber-Fraud Initiative, the Department of Justice has threatened to use the False Claims Act to enforce penalties against contractors or companies that receive federal funds but fail to adequately secure their networks or attempt to hide a breach.
The Securities and Exchange Commission recently asked companies affected by the SolarWinds attack to disclose information on security incidents that have occurred since. Also, Congress is working on several bills based on recommendations from the Cyberspace Solarium Commission with the intent of creating a department or agency to address these issues on a wider scale.
Organizations should reassess the risks they face in light of these policies and consider the impact a congressional investigation would have on a company's reputation.
Internal and external assessments: The need to evaluate security controls
Organizations that want to minimize the risks of regulatory scrutiny, litigation and financial or reputational damages should consider an independent or internal threat-informed assessment based on a formal cybersecurity framework.
Companies in the defense industrial base are already subject to independent assessments under the Cybersecurity Maturity Model Certification, which is a formal assessment and certification of controls based primarily on the NIST Cybersecurity Framework (NIST CSF). A less formal internal or external assessment can help all organizations identify their control gaps and develop a roadmap to remediate those gaps.
Unfortunately, many organizations simply select a regulatory framework and remediate based on identified gaps. This worked when the largest risk was regulatory damages, such as when a HIPAA fine represented a healthcare provider's worst-case scenario.
Too many organizations select controls that meet compliance requirements but don't reduce risk. To select controls effectively, organizations should first identify the current threats to the organization and then prioritize raising the maturity of the controls that both have gaps and address those threats.
Implementing and operating technical controls based on a formal cybersecurity framework, such as NIST CSF, NIST 800-171 or Center for Internet Security Critical Security Controls, is the best option. Organizations should also ensure their IT security policies reflect their current stance on cybersecurity.
Updated policies that refer to a cybersecurity framework won't reduce the number of attacks a company sustains, but they do offer benefits based on cyber safe harbor laws passed in Connecticut, Ohio and Utah. These safe harbor laws incentivize organizations to select and deploy a cybersecurity framework by providing an affirmative tort defense in the case of a breach.
It's likely insurance providers will begin to request evidence of adherence or adoption of a cybersecurity framework as a condition of coverage or to provide favorable pricing.
The best defense is to select a framework, prioritize controls based on threats and risks, and move quickly to close the control gaps.
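One way to turn that ordering into a repeatable ranking, as an added example that is not from the article or any real assessment: each control carries a current and target maturity level, each threat carries a relevance weight and the controls that mitigate it, and the score is the maturity gap multiplied by the summed relevance of the threats the control addresses. The control identifiers, maturity levels and threat weights are constructed sample data in a NIST CSF-like style, not figures from the page.

```python
# Threat-informed control prioritization: an added example, not from the
# article or any real assessment. Control identifiers and maturity levels
# below are constructed sample data in a NIST CSF-like style.
# Priority = (target - current maturity) x sum of the relevance of the threats
# the control mitigates, so controls that have both a gap and active threats
# come first, while fully mature controls drop out regardless of threat.

# control id -> (name, current maturity 0-5, target maturity 0-5)
CONTROLS = {
    "PR.AC-7": ("Multi-factor authentication", 1, 4),
    "PR.IP-4": ("Backups maintained and tested", 2, 4),
    "DE.CM-4": ("Malicious code detected (EDR)", 3, 4),
    "ID.AM-1": ("Hardware asset inventory", 4, 4),
    "PR.AT-1": ("Security awareness training", 1, 3),
}
# threat name -> (relevance 0-1 for this organization, mitigating control ids)
THREATS = {
    "Ransomware": (0.9, ["PR.AC-7", "PR.IP-4", "DE.CM-4"]),
    "Credential phishing": (0.8, ["PR.AC-7", "PR.AT-1"]),
    "Hardware theft": (0.2, ["ID.AM-1"]),
}

def threat_exposure(controls, threats):
    """Sum the relevance of every threat each control mitigates."""
    exposure = {cid: 0.0 for cid in controls}
    for relevance, mitigated in threats.values():
        for cid in mitigated:
            if cid in exposure:          # ignore mappings to unknown controls
                exposure[cid] += relevance
    return exposure

def prioritize(controls, threats):
    """Return [(control id, gap, score)] with the highest priority first.

    Controls with no gap or no mapped threat score 0 and are omitted: they
    are either already mature or do not address a current threat.
    """
    exposure = threat_exposure(controls, threats)
    ranked = []
    for cid, (_, current, target) in controls.items():
        gap = max(target - current, 0)
        score = round(gap * exposure[cid], 2)
        if score > 0:
            ranked.append((cid, gap, score))
    return sorted(ranked, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for cid, gap, score in prioritize(CONTROLS, THREATS):
        print(f"{cid:8} {CONTROLS[cid][0]:32} gap={gap} score={score}")
```

With the sample data, MFA ranks first because it has the largest gap and is mapped to two high-relevance threats, while the already-mature asset inventory control is omitted even though a threat maps to it.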
About the author
Kayne McGladrey is a cybersecurity strategist at Ascent Solutions and an IEEE senior member. McGladrey has 20-plus years of experience working with Fortune 500 and Global 100 companies to effectively blend information technology and management to cultivate and build cybersecurity best practices.