By Simon Eyre, Managing Director and Head of Europe at Drawbridge
The regulatory landscape for cybersecurity and operational resilience is changing fast. Across the globe, governments are applying pressure to institutions to mitigate the catastrophic harm that cyberattacks can cause. These warnings are not to be taken lightly; in fact, earlier this year the New York State Department of Financial Services noted that a cyberattack could trigger the next great financial crisis.
The spate of high-profile, successful cyberattacks over the past few years is evidence that attacks will continue. Some believe that today's regulatory environment and increasing amounts of red tape may inadvertently be creating conditions in which these bad actors thrive. This leaves businesses with one option – act now, and act swiftly. Take cybersecurity due diligence seriously, and make it a business priority now.
The Current Regulatory Landscape
In the United States, attacks on critical infrastructure such as the Colonial Pipeline attack have compelled regulators to act, and act fast. The Securities and Exchange Commission (SEC) has published a number of reports encouraging businesses to engage regulators in their cybersecurity efforts. Beyond providing tactical advice, lawmakers are also taking cybersecurity threats seriously, with over 100 cybersecurity bills introduced in the U.S. Congress this year alone.
Across the pond, regulators in the U.K. and E.U. are also proactively responding to the threat of cyberattacks. In the U.K., the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England are considering a regulatory framework that will significantly affect financial institutions' cyber resilience. Further, the E.U.'s Digital Operational Resilience Act (DORA) is expected to come into effect in 2023, requiring organizations to prioritize secure technologies and resilience to ensure the integrity of financial institutions.
What do these regulations mean for your firm? It is critical that your business not treat cybersecurity as a rushed box-checking exercise undertaken only to remain compliant. Take these changes as the push needed to build a thorough and thoughtful approach to cybersecurity. Staying compliant is one goal, but the ability to deliver on your customer promises even if a breach occurs is what will set you apart from your peers and build trust with customers.
Changes in the Ransomware Landscape
Cybercriminals never sleep. A widely cited estimate puts a cyberattack every 39 seconds in the United States. The FBI's Internet Crime Complaint Center (IC3) received 791,790 cybercrime complaints last year, with reported losses of over $4.1 billion. Ransomware threat actors have one thing on their mind: the bottom line. The size of your organization does not matter, and cybercriminals do not discriminate when profit-seeking. At some point, you, your vendors or your partners will be targeted. Your data is at risk in any of these situations, and a large ransom may be demanded.
The threat landscape is constantly evolving, as seen in the substantial increase in ransomware attacks over the last year. From 2019 to 2020, the average ransom paid increased by 171%, demonstrating the evolving tactics used by threat actors. The pandemic presented an opportunity for threat actors to exploit. As the workforce moved to remote working, threat actors quickly capitalized on the new exposure. Personal home networks do not have the same protections as office networks, and home computers that are out of date or lack malware protection give an attacker a point of entry into the home network, and from there a route to the corporate devices and VPN connections that share it.
Today's cybercriminals are well organized, persistent and greedy, with some even aspiring to become cyber vigilantes. These criminals operate much like many businesses today; they invest their time and resources in the opportunities with the highest rate of return. That means it is critical that your business allocate resources and due diligence to establish both proactive security and reactive contingency plans. Gone are the days of response plans sitting on the shelf in binders. Implementing a robust cyber defense plan is not enough. You must also be prepared in case that plan fails.
Developing a Proactive Plan
The first step in formulating your proactive plan is to identify points of vulnerability and enhance your defenses to secure data before criminals strike. Cyber risks come in many forms, such as accounts that do not require two-factor authentication, or legacy software that is unpatched, easily manipulated and lacking the appropriate level of security. Cybercriminals seek out low-hanging fruit; exploiting old software or easily discoverable login credentials is a simple way into your systems. Identifying the problem areas within your organization is the first step to devising a solution. Next, thoroughly examine the plans of your third-party vendors. Work only with vendors that demonstrate robust, proactive cybersecurity programs, and set the expectation that they must vet their own vendors in the same way. Setting these priorities helps ensure that if a threat actor targets you or your vendors, gaining access to your systems and data will be far harder.
Knowledge is key in this evolving landscape. You must continuously track attacks on organizations like yours and work with cybersecurity experts who meticulously monitor and evaluate trends and new attack vectors to inform your cybersecurity decisions. Further, the cybersecurity decision-makers in your organization should have responsibilities separate from those of the general IT team. Small IT teams usually carry a diverse array of duties, including data and technology operations essential to the organization's daily needs, which leaves little time and few resources for cybersecurity. Now may be the time to reevaluate your approach to ensure your data is secure and your cybersecurity precautions are up to date across the organization.
After an Attack: What Now?
Ransomware attacks are devastating and can have long-lasting ramifications. But they can also be a valuable learning experience.
After a breach, be sure you understand which servers, data and networks were compromised, and which employees have access to the point of infection. Preserve logs and forensic evidence from the affected systems before you rebuild them, because that evidence is what later lets you establish how the attacker got in. You will also want to change passwords, secure the network and proactively notify your customers, employees and relevant government bodies of the breach. After the dust has settled, reflect on where your proactive plan failed, where precisely in your systems the breach occurred and how it succeeded. Asking these questions and evaluating the breach in this manner ensures that you understand its full extent and can use that knowledge to implement a more robust proactive plan in the future.
Malware, ransomware, spyware: the threat landscape is complex and evolving, which means cyber defenses must constantly evolve to meet new and more sophisticated attacks. Remember that protecting yourself requires efficiency, due diligence, commitment and resources.
The Game is Changing
As legislation and cyber threats constantly change, so should your cybersecurity precautions. The bottom line remains: how can we protect our data and assets? Evaluate notable security developments, analyze your preparedness and create an action plan for improvement. The Kaseya attack and others showed how a single ransomware attack can ripple through a supply chain and cause a domino effect across an industry and beyond. Now is not the time for a check-the-box exercise. It is critical to be proactive and develop a strategic cybersecurity plan that empowers your organization to maintain trust with your clients and demonstrate your preparedness and resilience in the face of ever more sophisticated threats.