This past May, Colonial Pipeline was hit by a ransomware attack, forcing the company to shut down thousands of miles of pipeline to attempt to mitigate the damages.
The New York Times described the attack this way: "The shutdown of such a vital pipeline … highlights the vulnerability of aging infrastructure that has been connected, directly or indirectly, to the internet. In recent months, officials note, the frequency and sophistication of ransomware attacks have soared." [1]
Also this past month, the Executive Order on Improving the Nation's Cybersecurity laid out the need to keep legacy software updated and in compliance with new requirements. [2] In my last article, "Third-Party Vendor Risk Management," I discussed the value of ongoing third-party vendor relationship management to mitigate cyber risk. Department silos and information gaps are often present within organizational settings.
Disconnects in information sharing can be especially problematic in addressing existing vulnerabilities that have previously gone unnoticed. If employees know a certain cyber-security policy and practice it but a manager does not, it could be a sign of a deeper cultural problem.
Developing and Maintaining a Security Posture
When asked how you would describe your security posture, what comes to mind? Unfortunately, it may be challenging to even know where to start. "Security posture" simply means the general state of your organization's ability to handle the cyber threats and risks that may compromise its data and assets. While this definition is cyber-specific, it can also be expanded to include physical threats that may allow for the exfiltration of data or tampering with assets, such as unauthorized access to physical files containing personally identifying information.
During the course of a security assessment, many organizations are surprised when they learn that key members of upper management, information technology (IT), and employees may all give drastically different answers to this central question. While a member of IT may express doubts over network security, insecure legacy systems, or a general lack of policy and documentation, upper management may not be aware of the current security state at all or have much more limited knowledge. Or perhaps it may become apparent that, while employees are aware of their cyber-security responsibilities, they more or less play by their own rules when it comes to multifactor authentication, encryption, or password setting. Asking this simple question brings the importance of standardization, centralization, and information sharing to the forefront.
Standardizing Cyber-Security Policies
Standardizing cyber-security policies and practices throughout an organization, making them accessible, and sharing information regularly between departments is essential in understanding and improving your security posture. If a cloud migration has commenced or a new potential cyber threat is looming, such as an increasing number of ransomware attacks, [3] that should be well-communicated to all relevant stakeholders.
In addition to risk awareness, large IT projects tend to affect everyone, making communication pivotal in identifying issues sooner rather than later. This practice helps to ensure smoother implementation and execution phases, taking cyber security into account from the outset of a project rather than as an afterthought. This issue becomes much more pressing when considering the vast number of legacy systems that are now connected to the Internet. As with the Colonial Pipeline attack, critical infrastructure may be at particular risk of causing catastrophic damages should it be compromised.
As organizations and companies take greater advantage of the Internet of Things and technology that allows for increased efficiency, it's important to address the lack of standardization in cyber-security policies and procedures. Cyber risks may be mitigated with proactive planning and information sharing between key stakeholders. In light of the growth in state-sponsored cyber attacks, organizations and companies should be especially diligent in addressing vulnerabilities and supporting strong cyber-security cultures.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.