Ransomware has become a familiar front page news topic thanks to recent high-profile attacks against a major meat producer and an East Coast operator of a critical oil pipeline. Also, consider the attack on a provider of software tools to IT outsourcing shops that let hackers paralyze hundreds of businesses on all five continents.
No doubt the ransomware threat is serious, and now Washington is mobilizing to wipe out a scourge it formerly treated only as a criminal nuisance. But the outcome of this battle will rest less on how we respond to ransomware, per se, and more on how we approach cybersecurity broadly. Unfortunately, as the great comic strip character, Pogo, put it long ago, “We have met the enemy, and he is us.”
Promoting best practices to detect and respond to ransomware is key, but it’s also important that organizations focus on stopping poor security practices to prevent it. And for reasons I’ll soon explain, that’s where we’re still falling short — by a wide margin.
Until recently, ransomware wasn’t viewed as a national concern, largely because the attacks usually weren’t large enough. The Biden administration has a robust appreciation for the risks posed by ransomware and cybersecurity, more generally. But its eagerness to effect change may not be enough to stir the widespread inertia in the private sector.
Security Discipline Missing
A lot of companies, in particular small and medium-sized organizations, still don’t have a chief information security officer (CISO) or even teams dedicated to security. I’ve come across examples where the person sitting at the front desk is also charged with the responsibility to change the Wi-Fi password once a month. That may be an extreme, but it speaks to the truth on the ground where the situation is often quite bad.
Meanwhile, the sudden obsession about ransomware distracts us from recognizing that we’re talking about a style of attack, just one threat among others. Ransomware just so happens to be very visible and so it gets talked about a lot in the news nowadays. Still, let’s avoid assuming that it’s the only security worry.
We need to muster a broader response that focuses on adopting security as a discipline and build the foundation for a solid security program (Prevent, Detect, Respond). That’s going to drive a lot more change. Unfortunately, it’s also a lot harder and tedious to put into practice.
A lot of companies either haven’t adopted that discipline or have made do with shortcuts, folding security into some other function inside IT. That shortsighted approach not only fails to treat cybersecurity seriously, but it also mixes contradicting goals. The person responsible for the corporate network, whose goal is reliability, speed and availability, isn’t necessarily going to understand what a ransomware or phishing attack involves. How to prevent or mitigate a breach may not be evident, especially when preventative measures like patching may get in the way of their stated goals.
By this point, there can’t be any more debate over the argument that security should be treated as a separate discipline, one that that’s adequately funded and staffed like any other important job inside the organization. Any organization can find itself under attack tomorrow, and you can’t have five guys doing security for a company with thousands of people.
Fixing the Problem
That failure to treat cybersecurity as a discipline leaves companies vulnerable to making otherwise avoidable mistakes. I commonly see organizations using products and services from suppliers where security was given short shrift during the development process. The only way companies can mitigate that risk is by building the capability to thoroughly vet third parties to make sure that the security-worthiness of any products meets their standards.
And that calls for a more sophisticated approach, which goes back to how we treat suppliers and customers within the context of overall cybersecurity.
- Policy is always the foundation of any security program, so refresh yours to make sure it’s sufficiently robust to meet the gathering threats and evolve with new threats and technologies.
- Enhance, or, in some cases, start end user awareness programs from scratch. Focus on cybersecurity and train employees and executives to recognize the phishing ruses that attackers use to infect networks with ransomware and other malware. Ransomware attacks often are related to awareness —and lack thereof — because they always start with somebody clicking on a booby-trapped email link.
- Establish a vulnerability assessment program. Identify your devices to find and fix or mitigate any flaws before attackers can locate them.
- Shine the spotlight on third-party security. Elevate supplier security and make it a regular part of the assessment process. Otherwise, even the best security program is vulnerable to attack. This isn’t hyperbole. Once you grant network access to an outside firm, even for a short-term contract, everything’s on the line. If a consultant accesses your network using an insecure device, you’re in trouble.
Notice that I’m not calling for specific technical fixes like firewall configurations to solve specific, tactical problems. Let’s get over that flavor of the month approach. It’s time to get strategic and start building solid pillars that will support a lasting security foundation.
Otherwise, we’re going to be reading about more of these mega-security nightmares, whether caused by ransomware or something else that comes down the pike.
Chris Jacquet is Vice President and Chief Information Security Officer at Hitachi Vantara.