Until recently, the word "Colonial" evoked images of pilgrims wearing funny hats settling in America, not the May 2021 attack on a significant pipeline. Colonial Pipeline, which originates in Houston, Texas, was targeted by a Russia-linked hacker ring in what may have been the largest cyberattack ever on a US utility system.
Through September 2021, there were 1,291 breaches in the United States, compared with 1,108 in all of 2020, putting the country on pace to break the all-time record of 1,529 breaches set in 2017, according to the Identity Theft Research Center.
On May 12, 2021, President Joe Biden declared in an executive order that the nation "faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy." He also noted the need for "bold changes and significant investments" in order to deter the continued rise of cyberattacks.
Everyone agrees cybersecurity is an urgent issue, but uncertainty still reigns in how companies tackle it. The typical IT team is struggling under the weight of a variety of increasingly sophisticated intrusions, from social engineering attacks that fool users into compromising systems and confidential information to exploitation of obscure software vulnerabilities.
However obvious the threat may be, navigating the cybersecurity space with all its technologies, jargon, and regulations can be intimidating for many organizations. Smaller organizations especially may struggle with this during a tumultuous time when there are so many competing priorities.
So, what are companies to do? What practical steps can they now take to defend their critical infrastructure and avoid the financial and reputational damage that could result from a breach?
The most effective strategy is a holistic approach to cybersecurity built on the following five steps:
1. Zero trust: The zero-trust security model assumes that all traffic on a network could be a threat and requires that every user go through an authentication process and be authorized before they access sensitive applications or data. Though zero trust does not protect against every possible attack, it reduces risk. It speeds up threat detection in today's world, where cloud computing has dramatically expanded the attack surface and rendered traditional notions of perimeter security obsolete.
Basim Al-Ruwaii, chief information security officer, Saudi Aramco, and Georges De Moura, head of industry solutions, Centre for Cybersecurity, World Economic Forum Geneva, said in October 2021: "Now is the time to embrace Zero-Trust, as the pandemic accelerates adoption of Cloud and remote working technologies, and businesses grapple with more stringent regulation."
As the authors noted, it is important "to recognize that there is no silver bullet product and no unique way to implement Zero-Trust. It requires a layered security approach that covers the entire digital infrastructure, legacy and modern systems, with a focus on having the adequate controls where the user accesses digital resources and a reduced reliance on perimeter security."
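To make the "every request is authenticated and authorized" idea concrete, here is an added example (not code from the article or from the authors quoted above) that puts a deny-by-default zero-trust decision beside the legacy perimeter rule it replaces. The session table, resource policy, device-posture flag and IP addresses are constructed for illustration; in a real deployment they would come from the identity provider, the policy engine and the endpoint agent.

```python
"""Per-request, deny-by-default access decision in the zero-trust style,
contrasted with a perimeter rule that trusts the internal network.
Added example, not from the article. Sessions, policy and addresses
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed session table: bearer token -> (user, roles, MFA completed?)
SESSIONS = {
    "tok-alice": ("alice", {"finance"}, True),
    "tok-bob": ("bob", {"engineering"}, False),
}

# Constructed resource policy: path -> role required (None = any user) and MFA mandatory?
POLICY = {
    "/payroll": {"role": "finance", "mfa": True},
    "/wiki": {"role": None, "mfa": False},
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # the "trusted" LAN of the perimeter model


@dataclass
class Request:
    token: Optional[str]
    resource: str
    source_ip: str
    device_managed: bool  # posture signal from an endpoint agent (assumed)


def perimeter_allows(req: Request) -> bool:
    """Legacy rule: anything arriving from the internal network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def authorize(req: Request) -> Tuple[bool, str]:
    """Zero-trust decision: every request must prove identity, device posture
    and entitlement. The source network grants nothing by itself."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: deny by default"
    session = SESSIONS.get(req.token or "")
    if session is None:
        return False, "unauthenticated"
    user, roles, mfa_verified = session
    if not req.device_managed:
        return False, f"{user}: unmanaged device"
    if policy["mfa"] and not mfa_verified:
        return False, f"{user}: mfa required"
    if policy["role"] and policy["role"] not in roles:
        return False, f"{user}: lacks role {policy['role']}"
    return True, f"{user}: permitted"


if __name__ == "__main__":
    # An unauthenticated request from inside the LAN: the perimeter rule
    # waves it through, the zero-trust check rejects it.
    inside = Request(None, "/payroll", "10.1.2.3", False)
    print("perimeter:", perimeter_allows(inside), "| zero trust:", authorize(inside))
```

The ordering of the checks matters in practice: identity is established first, then device posture, then the strength of the authentication (MFA), and only then the role, so a log of denial reasons tells the operator which layer stopped the request.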
2. Software bill of materials: Many organizations don't have a clear idea of what they need to protect in the first place. As enterprises have grown and become more complex, it's not unusual for companies to lose track of all the software they're responsible for.
A company first needs to know what it has before it can properly secure all its assets and vulnerable endpoints. A crucial and oft-overlooked step in establishing a solid security posture is carefully cataloging all applications and dependencies. Not an easy or fun task, but a necessary one.
3. Automated vulnerability management: Small teams dealing with a big problem: that's the standard cybersecurity scenario at most companies. The number and diversity of threats make it difficult for humans to keep up. Machines can help.
With continuous vulnerability management technology, organizations can automatically assess and track vulnerabilities in the infrastructure and applications. This tooling has become essential in providing rapid notification of known vulnerabilities before attackers can exploit them.
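Steps 2 and 3 fit together: the inventory from a software bill of materials is the input that automated vulnerability matching runs over. The added example below (not the article's code) loads a minimal CycloneDX-style SBOM, builds the component inventory, and checks it against an advisory feed. The SBOM document, component names, advisory ids and fixed versions are all constructed for the example, and versions are compared as dotted integers rather than with a full semantic-version library. It also shows the failure mode an incomplete catalog creates: a component listed without a version cannot be assessed at all.

```python
"""Software inventory from a CycloneDX-style SBOM, checked against an
advisory feed. Added example, not the article's code. The SBOM document,
component names and advisory ids are constructed; versions are compared
as dotted integers, not full semantic versions."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed minimal CycloneDX-style document (real SBOMs carry far more fields).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library",     "name": "webframework", "version": "3.1.4"},
    {"type": "library",     "name": "jsonparser",   "version": "2.0.0"},
    {"type": "library",     "name": "libexample",   "version": "1.9.2"},
    {"type": "application", "name": "legacy-agent"}
  ]
}"""

# Constructed advisory feed: every version below fixed_in is affected.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "component": "webframework", "fixed_in": "3.2.0"},
    {"id": "EXAMPLE-2021-0002", "component": "jsonparser", "fixed_in": "1.8.5"},
    {"id": "EXAMPLE-2021-0003", "component": "legacy-agent", "fixed_in": "5.0.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0): tuple comparison orders versions numerically,
    which plain string comparison gets wrong ('1.10' < '1.9' as strings)."""
    return tuple(int(part) for part in text.split("."))


def load_inventory(sbom_text: str) -> Dict[str, Optional[str]]:
    """Map each component name to its version (None when the SBOM omits it)."""
    doc = json.loads(sbom_text)
    return {c["name"]: c.get("version") for c in doc.get("components", [])}


def assess(inventory: Dict[str, Optional[str]], advisories: List[Dict]):
    """Return (findings, unassessable). A finding is
    (component, installed, advisory id, fixed_in); unassessable lists
    components that match an advisory but carry no version in the SBOM."""
    findings = []
    unassessable = []
    for adv in advisories:
        name = adv["component"]
        if name not in inventory:
            continue  # not deployed here, nothing to patch
        installed = inventory[name]
        if installed is None:
            unassessable.append(name)  # catalog gap: cannot decide either way
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append((name, installed, adv["id"], adv["fixed_in"]))
    return findings, unassessable


if __name__ == "__main__":
    inventory = load_inventory(SBOM_JSON)
    vulnerable, unknown = assess(inventory, ADVISORIES)
    for name, installed, adv_id, fixed in vulnerable:
        print(f"{name} {installed}: affected by {adv_id}, upgrade to {fixed}")
    for name in unknown:
        print(f"{name}: version missing from SBOM, cannot assess")
```

In a continuous setup this runs on every build and on every advisory-feed update; the "unassessable" list is worth tracking as its own metric, since it measures how much of the estate the catalog from step 2 still fails to describe.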
4. Secure configuration: A corollary to Step 3 involves the configuration of enterprise assets. Human error in configuring hardware and software can expose them to attack. A common mistake, for instance, is to keep using default passwords (for example, a very simple one set by the manufacturer of an Internet of Things device) rather than replacing them with unique, hard-to-crack passwords, or better still with multifactor or password-less authentication.
Again, it's automation to the rescue. Technology exists to take manual processes prone to error out of the equation and let smart machines handle secure configuration and hardening.
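As an added example (not the article's code) of what "let machines handle secure configuration" can mean, the script below audits a fleet of device records for the mistakes just described: factory-default passwords, short passwords, one password reused across devices, and password-only logins without multifactor or certificate-based authentication. The device records, the default-password list and the minimum length are constructed for illustration; a real run would pull the records from the configuration-management or inventory system.

```python
"""Configuration audit for a fleet of devices: flags default, weak or
reused passwords and single-factor logins. Added example, not the
article's code; the device records and the default-password list are
constructed for illustration."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed: well-known factory defaults that should never survive deployment.
DEFAULT_PASSWORDS = {"admin", "password", "12345", "default"}
MIN_PASSWORD_LENGTH = 12  # assumed local policy

# Constructed device records as an inventory system might export them.
DEVICES = [
    {"name": "lobby-camera",    "auth": "password",    "password": "admin",                        "mfa": False},
    {"name": "hvac-controller", "auth": "password",    "password": "correct-horse-battery-staple", "mfa": False},
    {"name": "badge-reader",    "auth": "password",    "password": "correct-horse-battery-staple", "mfa": False},
    {"name": "vpn-gateway",     "auth": "certificate", "password": None,                           "mfa": True},
]


def audit(devices: List[Dict]) -> List[Tuple[str, str]]:
    """Return (device, check) pairs for every failed check."""
    # Count password occurrences fleet-wide so reuse can be reported per device.
    usage = Counter(d["password"] for d in devices if d["password"])
    findings = []
    for d in devices:
        pw = d["password"]
        if pw is not None:
            if pw.lower() in DEFAULT_PASSWORDS:
                findings.append((d["name"], "default-password"))
            if len(pw) < MIN_PASSWORD_LENGTH:
                findings.append((d["name"], "short-password"))
            if usage[pw] > 1:
                findings.append((d["name"], "password-reuse"))
        # Password-only login with no second factor is a finding regardless of
        # how strong the password is; certificate or password-less auth passes.
        if d["auth"] == "password" and not d["mfa"]:
            findings.append((d["name"], "single-factor-auth"))
    return findings


def summary(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count failures per check, the view a hardening dashboard would show."""
    return dict(Counter(check for _, check in findings))


if __name__ == "__main__":
    results = audit(DEVICES)
    for device, check in results:
        print(f"{device}: {check}")
    print(summary(results))
```

The same checks can be run unattended after every configuration change, so a device that is re-imaged back to its factory password is caught on the next cycle rather than at the next manual review.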
5. Regulatory awareness: Organizations are under intense pressure to abide by a range of regulatory requirements and guidelines worldwide, from the NIST Cybersecurity Framework in the US to the European Union's NIS2 directive to industry-specific rules like PCI-DSS in financial services and HIPAA in healthcare.
Companies often struggle with how to deal with all these requirements, and if an organization lacks sufficient compliance resources in-house, it should turn to a trusted specialist vendor to help.
By following these five steps, organizations can be well prepared for whatever may come this year.