How has the COVID-19 pandemic shifted organizations’ cybersecurity approaches?
Mike Del Giudice: The pandemic introduced several unique challenges, particularly early on, that demonstrated organizations’ general lack of preparedness for such an event. Many solutions that could have improved overall resilience were in place and available, but for various reasons, organizations were not using them at optimal levels. However, as a consequence of the pandemic, these solutions are coming to the forefront as organizational awareness has increased.
For example, remote working options likely will be more readily available going forward, requiring organizations to adopt solutions supporting a more virtual work environment. Securing home networks should be a top concern as remote work options continue to emerge.
Additionally, organizations are moving to the cloud at a more aggressive pace than they were before the pandemic. Cloud migration had been a trend for a while, but the pandemic demonstrated the value in having cloud-based resources that are accessible regardless of where employees work. Many of these solutions have advanced security capabilities that organizations can easily adopt to improve their security posture.
One security solution that has seen an increased priority is multifactor authentication (MFA). MFA has been on most security road maps for a while, but the pandemic has brought this to the forefront because of an increase in accessibility to MFA solutions in combination with the security benefits for an increasingly remote workforce. Recently, MFA adoption is also being influenced by insurance providers that include MFA as a requirement for coverage.
You mention insurance pushing requirements for multifactor authentication. Do you recommend organizations have cyber insurance?
Mike Del Giudice: All organizations should consider cyber insurance to help mitigate their cybersecurity risks. Cyber insurance might not be relevant in all scenarios, but for most organizations, insurance provides a viable solution to manage the financial impact if a security incident occurs. Organizations should consider both cybersecurity coverage, which addresses items such as costs for data restoration or data extortion (ransoms), and coverage for phishing schemes, which could be covered under commercial crime or fraud policies. Organizations should work with their providers to confirm they have the appropriate coverage for the threats they are concerned about.
In addition to financial benefits, insurance companies can provide a great resource in the event of a security incident. Insurance providers typically have relationships with a range of organizations that can provide legal, technical, or communications support. While not necessarily the primary purpose of insurance, having access to resources that can help in a crisis can be reassuring.
Ransomware appears in so many headlines these days. What can organizations do to protect against this threat?
Mike Del Giudice: There is no silver bullet when it comes to ransomware. The most effective strategy is to develop a layered approach to managing risk, which means increasing cyber resilience through a combination of preventive, detective, and responsive controls.
Preventive controls focus on decreasing the likelihood or impact of a ransomware event. Organizations can implement control considerations such as:
- Conducting employee awareness training. Developing and implementing programs that educate employees on how to identify and respond to suspicious messaging is an invaluable component of strengthening an organization’s security posture. The goal is to minimize the number of employees who respond to the attacker while maximizing the number of employees who alert the organization to the suspicious activity.
- Performing content filtering. Filtering known malicious content so employees are not presented with the opportunity to interact with the messaging can help fend off email-based attacks. Email filters can block suspicious messages. Web filters and firewalls can restrict communications with known malicious sites and actors.
- Strengthening endpoint security. Technical controls should be put in place to minimize potential damage when an employee does interact with a malicious email or website. Endpoint protection can proactively prevent unauthorized activity or programs on the local device. Administrative privileges to the endpoints must be restricted to only authorized personnel, and organizations should consider privileged access management solutions to help secure local administrator access. Systems should be kept up to date and patched against the latest vulnerabilities.
- Monitoring for suspicious activity. The ability to quickly identify and respond to ransomware – or any threat – often can be the difference between a successful response program and one that lacks appropriate safeguards. Organizations need to proactively set up solutions to collect and correlate logs across servers, applications, and network systems to identify and alert on suspicious activity.
- Testing the environment. Periodic testing of the environment can yield valuable insights into security gaps, risky processes, or network vulnerabilities. While sometimes a compliance-driven exercise, penetration testing can identify weaknesses and attack paths and help take an organization’s cybersecurity maturity to the next level. Organizations that perform ransomware simulations on themselves can help evaluate endpoint controls, test network-based and preventive controls for vulnerabilities, and determine if backups are properly protected.
- Backing up organizational data. If an organization experiences a ransomware attack, the decision about whether to pay the ransom comes down to the quality of its backups. Organizations must proactively set up programs to back up organizational data, including creating offline copies that are isolated from an extensive ransomware attack that spreads across the network.
- Developing incident response programs. Organizations should develop an incident response program that defines the actions the organization will take in the event of a security incident. In addition, these plans should identify key partners to support the organization’s response. These partners could include legal support, information technology or forensic expertise, or even communications specialists that would be necessary to complement organizational resources. Establishing these relationships in advance can increase efficiency by proactively establishing contractual relationships and escalation protocols rather than trying to negotiate during an active incident.
- Practicing response programs. Organizations that respond the most effectively practice their response programs regularly. This practice includes tabletop exercises, where key personnel come together to walk through example security events to increase awareness of roles and identify gaps in the existing program.
Implementing a layered security strategy can be intimidating for even mature organizations, especially when cybersecurity resources are difficult to hire and retain. How can organizations, particularly small to midsized companies, successfully address these risks?
Mike Del Giudice: Organizations should first identify those areas where they need the most support and then engage vendors that can supplement their internal capabilities. I already mentioned working with partners to support incident response programs, but organizations can enlist vendors to help with many cybersecurity programs.
One common solution is to engage a managed detection and response (MDR) vendor that can monitor the network by collecting and correlating logs across the network to identify suspicious activity. This vendor can establish escalation procedures to notify an organization when suspicious activity is identified while also providing support as the organization responds to a security incident.
MDR is just one example, as vendors can supplement cybersecurity teams in several areas, including managing firewalls, deploying patches, overseeing third parties, conducting vulnerability scanning, or just providing resources with cybersecurity expertise that traditionally would not be available to most organizations.
It seems like the cybersecurity landscape is continually evolving. If you had a crystal ball, what would you predict the next 12 to 24 months might look like?
Mike Del Giudice: It’s difficult to speculate on what attackers will be doing in 24 months. Technologies such as deepfakes will render phishing schemes and ransomware even more effective, making a focus on cyber resiliency that much more important.
While multifactor authentication is a priority for many organizations today, I think the next focus will be on endpoint detection and response (EDR). Particularly with an increasingly remote workforce, protecting the endpoint must be a critical component of defending against malicious activity. EDR strengthens security at the endpoint by providing increased visibility into and advanced analysis of system activity to proactively block and alert on anything suspicious. These solutions can decrease the time it takes to identify and, more importantly, respond to a potential threat.
In terms of account access, advances in authentication will emerge to help simplify the user experience. Passwordless authentication will continue to evolve and become more accessible in corporate environments. This improvement could increase strong password adoption by creating a more convenient user experience while decreasing the administrative burden of traditional MFA that leverages tokens.
Finally, I anticipate continued regulatory focus on cybersecurity. Privacy laws will expand and evolve. Potential fines for companies failing to secure sensitive data likely will increase. Regulations such as the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) standard will be implemented to secure federal supply chains.
No matter what’s ahead, what is certain is that organizations that take a proactive approach in shoring up their security can fare better with whatever challenges arise.