If we’ve learned anything during the COVID-19 pandemic, it’s that cyberattacks have also become endemic. Just like the virus, anyone can be a victim of phishing. It only takes one click to cause a data breach and/or a ransomware attack and irreversible harm. But even before the pandemic, cybersecurity was a problem. The difference now is that everyone from governments to grandparents has woken up to the reality of this situation.
Over the last 15 years, especially during my time as an auditor in critical infrastructure protection (CIP), cybercriminals have become more proficient at getting inside organizations.
As a cybersecurity auditor, I built my career around understanding how people play a role in processes and technology when it comes to protecting our most critical assets. Whether it’s employees at a private sector firm protecting the data of their clients or a public utility tasked with keeping the lights on, bad actors are looking for ways to exploit people or systems to potentially launch ransomware and other malicious attacks.
Any cybersecurity issue, whether it’s an employee failing a phishing test or a system-wide vulnerability such as Log4j, should be treated like a hole that must be sealed. Log4j got a lot of attention because it is rare that a vulnerability of that scale would be exposed. It was the latest and greatest attack that impacted a lot of industries.
Unfortunately, it also demonstrated just how unprepared most organizations are to deal with a major incident like Log4j, Colonial Pipeline, Kaseya, etc.
Whether you’re an SMB or global enterprise, organizations should no longer differentiate between temporary and permanent fixes to their cybersecurity issues. If you’re running a complex system, you can’t just throw a patch on like a Band-Aid, nor can. you just turn the system off and on like you’re rebooting a machine.
You need to have a planned maintenance process that includes analyzing the impacted systems, testing them in a non-production environment, planning for an outage so you can roll out a patch and, if it all doesn’t go as planned, you must also have a way to roll it all back.
The responsibility is on us all to do better, especially the cybersecurity community. More regulations won’t fix this; it’s on the private sector to make sure there’s a process in place. It’s going to force customer-vendor relationships to be more transparent about their incident response and patch management processes.
Instead of pointing to the government, organizations in the private sector need to take on responsibility for doing the right thing. That doesn’t mean pointing the finger at your vendors, either, because that’s only going to introduce more stress and frustration.
This is one of the main reasons you see everyone in the cybersecurity world talking about building a culture of security where their people are trained to spot that phishing email and to report it to IT; that requires organizations to have technology in place to support that process of security awareness and threat mitigation.
Organizations that understand the importance of security awareness training also recognize the potential for compliance violations (such as SOC2 or NERC CIP), and those are the organizations that often have the fewest hiccups in their processes and the least amount of confusion among their people about the importance of cybersecurity measures in the first place.
Large enterprise organizations often fumble here because it’s easy to mess up. The bigger your team, the more opportunities for operational inefficiency.
It all comes back to remembering the big ‘why’ behind cybersecurity—to be secure. As an industry, we can no longer think about security as purely a means to achieve compliance. These critical times have shown us there is so much more at stake.
New threats are coming to our employees’ inboxes every day. It takes everyone in the organization to care about protecting it and its valuable data and digital assets. Security is a team effort, so even if IT is dedicated to patching the big vulnerabilities, it’s equally important to ensure employees understand they too are part of the organization’s critical infrastructure.
