A week before bombs started falling in Ukraine, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a "Shields Up" warning for US interests. The warning was followed by warnings of apocalyptic cyberattacks from pundits across the news and political spectrum. While the disastrous attacks have yet to materialize, there are still warnings to be noted and steps to be taken to minimize the chance of your organization becoming a casualty of a war that shows no signs of ending soon.
Now, for those who haven't yet read the "Shields Up" notice, here's the tl;dr version: "You know all that cybersecurity stuff we've been telling you to do for the last decade? We meant it. And we REALLY mean it now." There was nothing groundbreaking in the notice, no news of grand new threats or suggestions for bold new actions. Just a solid, screaming-red reminder that good cybersecurity practices are the best protection we have against everything from ransomware to zero-day attacks.
But since we're all looking for something to make us feel that we’re doing something special in response to a special set of circumstances, here's the best single approach you can take to leveling up your enterprise cybersecurity: Make better communications a higher priority.
Be a Good Listener
This is a 360-degree suggestion for communications. Start by listening to every reliable source of information you can find. If you're involved in any sort of critical infrastructure, for example, your organization should be a member of InfraGard, an FBI/private sector partnership for sharing information. There are similar partnerships, both more and less formal, in other market sectors. Make sure you have someone taking part in any for which you’re eligible.
Dedicate staff time to learning about new threats, new options for response, and the current state of the threat environment. If your staff is large enough, give different members "beats," or assignments to monitor particular information channels or topics. If the staff is smaller, work together to identify these information channels or topics, then make sure that some time is dedicated within each week to monitoring the sources for the latest developments. Then share the information that comes from the research.
You obviously want to share the information within the security and IT staff, but you should also plan to share the information with the rest of the organization. These are stressful times and good information will help keep employees feeling that they're more in control because you're telling them what's happening and what they can do about it. Be sure to communicate this in a language that's concise, nontechnical, and friendly. If you're looking for a disciplined way to do this, consider something like the pecha kucha format — 20 slides for 20 seconds each.
Another set of communications should be happening with your supply chain. This is an era in which communications with cloud providers, hosting companies, SaaS providers, and others should be frequent and regular. Ask them what they're doing to protect their infrastructure, what they're doing to protect your assets, and what their other customers are doing that seems to be working. Then share your strategies, your wins, and your concerns. Stressful times are not the occasion to go it alone — take advantage of the collective knowledge of your supply chain.
It might be tempting to dismiss all of this as touchy-feely activity in lieu of real action. It's not. Lack of communication leads to the proliferation of gaps in knowledge and protection — gaps that are the perfect hiding places and points of vulnerability for threat actors. Keep your most valuable cybersecurity assets — your people — at their strongest by making sure they are communicating within the organization and outside. Make communication a priority, and your organization will come out of 2022 stronger than when it walked in.