1 Year Later: Actions Taken, Lessons Learned Since The Colonial Pipeline Cyberattack
From:
Edward Segal, Crisis Management Expert
Washington, DC
Friday, May 27, 2022



Commentary From Crisis Management Expert Edward Segal, Bestselling Author of the Award-Winning Book "Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies" (Nicholas Brealey)

A lot has happened in response to the Colonial Pipeline cyberattack a year ago this month, which created a crisis for the company and the country.

  • President Joe Biden took steps to improve the country's defenses against future cyberattacks and signed a bill into law that is designed to improve the reporting of cybercrimes.
  • Federal agencies issued warnings about potential ransomware and other attacks.
  • Cyber experts urged companies and organizations to strengthen their cyber-related policies, procedures, staffing and resources.

But because cyber threats are constantly changing, companies and organizations cannot afford to assume that they are fully protected from future threats.

Cyberattack Reality Check

The cyberattack on Colonial Pipeline, together with other recent attacks and new research, has underscored these important realities:

Vulnerability

Sophistication

Preparation

Threats

Warnings

  • You should pay attention to news reports and government warnings about the latest threats, and respond accordingly. You don't want to be the last one to know.

Plans

  • Corporate crisis management plans should be reviewed, updated and tested regularly to ensure companies are prepared for the latest cyber-related threats.

Consequences

  • The failure to prepare for or properly respond to cyberattacks can damage the image and reputation of companies and could result in fines or penalties by regulators.

Human Error

Heather Stratford is the founder of Drip7, a cyber security education platform. She said that "The Colonial Pipeline disaster taught us that people are the main entry point for cybersecurity attacks." According to Cyber Talk, 95% of cyber breaches result from human error. 

"The 'person' is what needs to be 'fixed' or focused on when it comes to cybersecurity awareness, and this change generally does not happen overnight. Changing behavior is built on small incremental improvements, which over time tighten the control limits to improve behavior and minimize risk," Stratford observed.

Training Takes Time

"It is impossible to lose 30 pounds by going to the gym for an hour in January. Likewise, training employees once a year to improve critical behavior is not achievable through annual check box training.

"The only way to make a difference in the current cybersecurity epidemic is to increase the focus on the people of an organization, not just the systems in place," Stratford warned.

Advice For Business Leaders

Just as important as the lessons that have been learned since the Colonial Pipeline attack are the steps business leaders can take now to help protect their organizations from future attacks.

Limit Exposure

Bryan Hornung is the founder of Xact IT Solutions, a cybersecurity firm, and a co-author of two books about cybersecurity, including Adapt and Overcome and Under Attack. He observed that because of the Colonial Pipeline ransomware attack "making sure businesses have and continue to improve processes and procedures has been a huge learning lesson for business leaders.

"Specifically, having a proper offboarding plan for terminated employees that involves IT is critical. This is also why business continuity and incident response planning is critical and should be part of every organization's business plan," he counseled.

Strive For Cyber Resiliency

"All companies should be striving for cyber resiliency by identifying assets, putting a plan in place to protect those assets, implementing the tools to detect if those assets have been breached, developing a written plan to respond so everyone knows what to do, and executing a recovery that, if developed correctly, will make the event easier to get through," Hornung said.

"Without it, you are prone to mistakes, missteps, and human error, which leads to longer recovery times, and a larger loss of revenue. It's always less expensive to take care of things on the left side of 'the boom' than on the right side after an event," he advised.

Go On The Offensive

Curt Aubley is a managing director at Deloitte Risk & Financial Advisory who specializes in cyber threat detection and response. He cautioned that "we've seen that adversaries continue to change their tools, techniques, and processes…"

But "organizations are not as mature against these new attacks as they perceive they are. And, in many cases, the industry has not fully embraced cyber security intelligence programs to advance against new attack approaches," Aubley observed.

He recommended that "Companies need to go on the offense and use proactive threat hunting, machine learning, and self-healing systems. Further, we still see the need for companies to address longer-term resiliency planning as well, which includes integrated IT and OT cyber threat management, Zero Trust adoption, and focus on secure supply chain practices."

Ensure Controls Are In Place

Jason Rebholz is the chief information security officer at Corvus Insurance, an insurance technology company. He said organizations "must take steps to ensure preventative security controls are in place. More importantly, they should ensure that there are processes and technologies in place to establish resilience in the event of an attack."

                                                      ###

Edward Segal is a crisis management expert, consultant and the bestselling author of the award-winning Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies (Nicholas Brealey). Order the book at https://www.amazon.com/gp/product/B0827JK83Q/ref=dbs_a_def_rwt_bibl_vppi_i0

Segal is a Leadership Strategy Senior Contributor for Forbes.com where he covers crisis-related news, topics and issues. Read his recent articles at https://www.forbes.com/sites/edwardsegal/?sh=3c1da3e568c5.

News Media Interview Contact
Name: Edward Segal
Title: Crisis Management Expert
Group: Edward Segal
Dateline: Washington, DC United States
Direct Phone: 415-218-8600
Cell Phone: 415-218-8600