CEO and board member at Optiv, a cyber advisory and solutions leader.
Getty
With every passing day, the threat of a large-scale cyberattack in the U.S. seems imminent. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued heightened alerts to organizations to prepare for an unprecedented level of cyberattacks from outside the country. The White House has also urged the private sector to harden cyber defenses. How should the corporate world prepare for a potential cyberattack to avoid being caught in the crosshairs?
First, we need to take this threat seriously, especially now. If you’ve been in the corporate world as long as I have, you know we all need to be ready for anything because cyberattacks are like the Wild West: There are no rules of engagement.
So, what can we expect?
The majority of cyberattacks we are likely to experience personally will be social engineering, both email and text-based. We can also expect to see more crowd-sourced attacks against corporate infrastructure. It’s also possible that organizations will likely be hit with DDoS attacks, increased phishing and social engineering attacks and ransomware—and not the traditional kind. We’ll likely see more destructive versions of ransomware that destroy data and don’t bother with the ransom. These cyberattacks are designed to create chaos and disrupt the flow of information.
To protect against potential cyberattacks, your chief information officers (CIOs) and chief information security officers (CISOs) are likely already working on risk mitigation efforts. In addition to questions you should be asking your CIOs/CISOs now, a good first step is to identify the assets, data and files most critical to your company and ensure they’re backed up using corporate-approved solutions. Consider streamlining the remaining information, systems and technologies to reduce the attack surface and strengthen your security posture.
Next, focus on implementing the security controls, processes and protocols that will make it difficult for adversaries to transit through your network. I recommend utilizing a zero-trust model in which no person or device is trusted by default. All should be authenticated before access is allowed to anything. This approach should also extend to the physical world and is fundamental to the sustainability of the business.
Detecting and containing a breach takes, on average, according to IBM, 280 days. The goal here is to find the right tools to detect and deter threats, initiate response actions and strengthen your security strategies and resiliency. New technologies like artificial intelligence, machine learning and data analytics can help your security teams make better sense of their data, which leads to smarter security and business decisions.
Companies should also build a culture of cybersecurity across the company. You need to get employee buy-in on cyber so everyone from interns to the C-suite understands why good cyber hygiene is important. That means explaining to them what’s at stake personally, as well as the bottom line if company data is compromised or stolen and how their individual actions can affect the company’s security. Building a security culture is vital to a company’s long-term fiscal health.
Finally, and perhaps most importantly, don’t forget the basics:
• Avoid clicking on links in unsolicited emails and be extra-cautious with email attachments.
• Protect your passwords. Make them long, strong and unique and avoid easily guessable patterns. Do the same for your personal passwords and use multifactor authentication wherever possible.
• Propaganda is rampant, so be mindful when accessing websites and social media for related news.
• Reboot and ensure your devices, browsers and applications are up to date.
• Verify requests for private information.
• Remain on high alert and report anything suspicious to your security team.
While no company is completely safe from the threat of nation-state attacks, defending against the potential of one should be an important part of any organization’s risk assessment and cybersecurity and resilience strategy.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
