We have all been shocked by developments in Ukraine in the last few days. Our thoughts and prayers are with the people caught up in the midst of this.
However, it would be remiss of us not to consider what impact the fallout has on our organizations. Right now, we are seeing evidence of a 10x increased “probing” of systems coming from both Russia and China (we can’t explain China’s involvement). One of the potential impacts will come from cyberattacks against Western businesses, and this is the one that has taken up most of my thinking in the last couple of days. Having taken the time to review the situation with peer organizations and cyber security experts over the weekend, we have this advice and information for you:
What To Do Right Now
The first question to consider is: how has your risk changed in light of recent events?
If Russia uses Cyberwarfare against the West, it is most likely to be in 4 forms:
1. Attacks against Critical Infrastructure
Generally, Banks, energy, or infrastructure companies. Are you one of those, or in the supply chain to one of those? If so, then your risk might have changed significantly. Most people in this category will have identified measures to put in place for a time like this. If not, you should review this heightened risk against other business priorities and decide if you need to change your immediate plans to accommodate responding to these events.
2. Overspill events
For “regular” businesses with no direct and specific threat, it is possible that there will be deliberate or inadvertent overspill of activity which will impact “regular” businesses. This has happened before when Russia launched a cyberattack on Ukraine in 2017 which had a major global impact. Any of us could be impacted by this.
3. General disruption on Western businesses.
Russia has been known in the past to “sponsor” cybercriminals in its sphere of influence to increase their activities. And with some high profile threat-actors have committed their support (Russia-based ransomware group Conti issues warning to Kremlin foes | Reuters) The aim of this is simply to cause disruption to western economies. Any of us could be impacted by this.
I should say at this point, that we also don’t know everything that could happen. It is possible, depending on how this goes, that Russia has techniques we haven’t seen before, or will use old techniques in new ways. You might see headlines in this area. However, we simply don’t know and therefore can’t usefully plan around that.
Which category do you fall into? What actions can you take?
For “regular” businesses, we suggest the below actions:
What To Do In The Short Term
Assuming you are a “regular” business in the above definition:
- Be realistic – you likely haven’t got time to do too much extra and your resources in this area are in high demand. Hopefully, you have already worked on the bulk of what you needed to have in place (e.g. Following CIS Implementation Group 1 or similar).
- Review your existing technical controls.
- Is Multifactor Authentication enforced uniformly? Often, we cannot enforce MFA for all users, so manual reviews are required to ensure that no user is configured without it.
- Are your internal systems up to date, both with Windows Updates as well as the applications you use?
- Is your Endpoint Security (Antivirus and Anti-Malware) installed on all systems, up-to-date, and configured uniformly?
- Threat Prevention and Detection: In addition to antivirus and anti-malware tools, Endpoint Detection and Response (EDR) helps detect threats on endpoint devices (servers, computers, etc.) and provides critical information and tools during an attack. For example, during an attack, an EDR tool can cut your computer off from your organization’s network—locking out the threat actor and preventing the further spread of a dangerous virus.
- Review your Firewall Best Practices: verify they are correctly configured and kept up to date.
- Have all servers or services that are available directly to the internet updated and hardened for security?
- Review your backup strategy. Are they working as expected? Are your offline backups secure and isolated in the event of a breach?
- Ask your team to be extra vigilant. Let them know the organization is at heightened risk and why, and that they should be extra vigilant and suspicious of:
- Emails asking you to click a link or open an attachment or make a payment.
- Make sure you verify who sent it before clicking or opening it.
- Pop-up messages on your computer you haven’t seen before – don’t just dismiss them, stop and check what they are.
- Phone calls asking for information – verify the caller, if in doubt call them back on the number you have saved for them.
- Consider using these events as an impetus to push through some actions you have on your list but have fallen below other priorities. These will be different depending on your position but might include things like setting up a password manager, so you aren’t reusing passwords, setting up Multifactor Authentication on any application that supports it, running a tabletop “fire drill” on your response plans.
However, you are not going to be able to get much more than this done in a short space of time. But make sure you have or are in discussion with, your Insurance Broker about Cyber Cover.
What To Do In The Longer-term
As you contemplate these events, do you wish your organization was in a better place regarding cyber security? If not, you can stop reading now and get back to work.
If yes, here is some high-level guidance:
- If you don’t have a cyber security framework in place, add this to your next board meeting. Whether that be CIS, NIST, ISO, or CyberSecure Canada. They will generally address around 80% of the risk you are exposed to from cyber attacks. I don’t think there are any businesses where it makes sense to accept the risks of not doing this versus the costs of doing it.
- Treat Cyber Security as a journey. Most of us are right at the start of this journey. Until recently it wasn’t a significant problem for our businesses. It is now and will get worse before it gets better.
- Put some time aside to create a rhythm in your organization to move your journey forwards.
- You need a map, on which you can mark where you are and where you want to get to
- You will likely need a guide to help you navigate an efficient path. For most SMEs, your IT people are the best place to start. They should be able to help you understand the roles, people, and processes you need to have in place, and the metrics you can use to measure success.
- To judge if you are on track: You should end up with a regular meeting to discuss this with your guide and that leads to recommendations being taken to your board or senior leadership to make decisions. They are then added to a roadmap and you will start to see progress being made.
Start now. If you already feel you are behind, then you need to get moving.
If you need want to discuss anything around this then please reach out.