Russia’s war against Ukraine has been devastating on many levels. For companies in the U.S. and Europe, one of the top concerns continues to be a sharp rise in cybersecurity threats.
In the following interview, Gary Salman, CEO of Black Talon Security in Katonah, New York, shares the biggest weakness in any company’s cybersecurity plan, how companies can respond, and why information chiefs should be on alert to “wiper malware.”
How has the Russia-Ukraine war impacted the urgency of cybersecurity issues for U.S. companies?
The answer to this is varied and primarily depends on the industry and whether Russia or Russia-affiliated hackers perceive value in degrading or denying access to the data and information of those companies. Though there is no specific intelligence released to the general public, we should all expect that Russia is considering ways in which it can inflict costs on the United States, its NATO allies and the EU.
It is reasonable to presume that Russian leadership is angry at the trajectory of their Ukrainian invasion and at the speed and breadth of NATO and EU responses. With that anger, Russia is surely looking for plausibly deniable ways of affecting EU and U.S. critical industries, and with those effects achieve its political goals of weakening the anti-Russia political alliance. The probability of these effects rises the longer the war stays a hot conflict, though by no means drops to zero in the event of a ceasefire. U.S. companies in any of the 16 industries deemed critical by the U.S. Cybersecurity & Infrastructure Security Agency should absolutely have shifted to a temporary increased level of security awareness.
What steps should CIOs and IT departments be taking now to avoid potential cyberattacks?
Employee awareness reminders and short training reminders of three to five minutes are the first and easiest additional actions that CIOs can take. IT departments should also be increasing their ability to monitor and respond to anomalous user behavior as part of their standard repertoire of extra security in times of heightened likelihood of cyberattacks.
Every company should have a formal plan—or at least several ideas—of how it can improve its continuous cybersecurity monitoring with the resources it has or can divert to IT. This could range from a higher frequency of checking privileged users and their respective roles to increasing off-system logging and log analytics for the next three to six months. The time has long since been ripe for companies to implement multi-factor authentication and cease the sharing of user accounts.
IT departments need to rehearse restoration of their critical data. Many a firm has struggled with the sharp and pointy circumstance of backup tapes, reliably made and taken offsite for months, that then turn out to be unreadable, or of controllers failing or on backorder, or other fatal errors in the restoration plan. Possessing backups is only a third of a restoration plan!
Finally, companies should be more diligent in rehearsing their adaptations to a variety of cybersecurity situations. Unless the company has ceased to exist, it and its people will adapt. The goal is to make the adaptations more natural, less spur-of-the-moment, which decreases the chances for maladaptation—a form of adapting that companies should avoid.
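The answer above mentions checking privileged users and their roles more often and keeping logs off-system. The script below is an added example written for this page, not tooling from Black Talon Security or the interviewee: it diffs two snapshots of role membership, reports privileged roles granted or revoked since the last run, and appends each finding to a log whose lines are chained by SHA-256 so that an edited or deleted entry is detectable when the log is verified against the copy kept off the monitored system. The snapshot contents, user names, and the set of roles treated as privileged are constructed for the example.

```python
"""Privileged-role drift check with a tamper-evident log.

Added example; not the interviewee's tooling. Two snapshots of who holds
which roles are compared, grants and revocations of privileged roles are
reported, and each finding is appended to a hash-chained log that can be
verified from an off-system copy. Snapshots and role names are constructed.
"""
import hashlib
import json

# Roles treated as privileged (hypothetical set; adjust to the directory in use).
PRIVILEGED_ROLES = {"Domain Admins", "Enterprise Admins", "Global Administrator"}

GENESIS = "0" * 64  # chain anchor for an empty log


def load_snapshot(raw: str) -> dict:
    """Parse a {user: [role, ...]} export into {user: set(roles)}."""
    return {user: set(roles) for user, roles in json.loads(raw).items()}


def diff_privileged(previous: dict, current: dict) -> list:
    """List privileged-role grants and revocations between two snapshots."""
    findings = []
    for user in sorted(set(previous) | set(current)):
        before = previous.get(user, set()) & PRIVILEGED_ROLES
        after = current.get(user, set()) & PRIVILEGED_ROLES
        for role in sorted(after - before):
            findings.append({"user": user, "role": role, "change": "granted"})
        for role in sorted(before - after):
            findings.append({"user": user, "role": role, "change": "revoked"})
    return findings


def append_chained(log: list, finding: dict) -> str:
    """Append one finding; each line embeds the previous line's digest."""
    prev = log[-1].rsplit(" ", 1)[1] if log else GENESIS
    payload = json.dumps({**finding, "prev": prev}, sort_keys=True)
    digest = hashlib.sha256(payload.encode()).hexdigest()
    log.append(f"{payload} {digest}")
    return digest


def verify_chain(log: list) -> bool:
    """True only if every digest matches its payload and links to the line before it."""
    prev = GENESIS
    for line in log:
        payload, _, digest = line.rpartition(" ")
        if hashlib.sha256(payload.encode()).hexdigest() != digest:
            return False  # line edited after it was written
        if json.loads(payload)["prev"] != prev:
            return False  # a line was deleted or reordered
        prev = digest
    return True


# Constructed snapshots: last week's export and today's.
SNAPSHOT_BEFORE = '{"alice": ["Domain Admins"], "bob": ["Helpdesk"], "dave": ["Enterprise Admins"]}'
SNAPSHOT_AFTER = '{"alice": ["Domain Admins"], "bob": ["Helpdesk", "Domain Admins"], "carol": ["Global Administrator"]}'


def run_check(previous_raw: str = SNAPSHOT_BEFORE, current_raw: str = SNAPSHOT_AFTER):
    """Diff the snapshots and write every finding to a fresh chained log."""
    findings = diff_privileged(load_snapshot(previous_raw), load_snapshot(current_raw))
    log = []
    for finding in findings:
        append_chained(log, finding)
    return findings, log


if __name__ == "__main__":
    found, chained_log = run_check()
    for f in found:
        print(f"{f['change']:8} {f['role']:22} {f['user']}")
    print("chain intact:", verify_chain(chained_log))
```

On the constructed snapshots the check reports a new Domain Admin (bob), a brand-new privileged account (carol) and a revoked Enterprise Admin (dave); alice is unchanged and not reported. The chain only proves that the log has not been altered since it was written, so the lines have to be shipped to a system the monitored hosts cannot write to for the verification to mean anything.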
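The restoration rehearsal the answer calls for can be scripted. The following is an added example, not the interviewee's or any vendor's tool: it reads every file back out of a backup archive, hashes it, and compares the result against the manifest recorded when the backup was taken, so an unreadable archive, a silently corrupted file, or a file that never made it onto the backup shows up before the day the restore is needed. The archive and manifest are built in memory for the example; a real run would point at the backup media and the manifest stored with it.

```python
"""Backup restore rehearsal: read back and verify a backup against its manifest.

Added example; not the interviewee's tooling. The sample archive is built
in memory so the check runs offline.
"""
import hashlib
import io
import tarfile
import zlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: dict) -> tuple:
    """Constructed sample: a gzip'd tar plus the manifest taken at backup time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {name: sha256(data) for name, data in files.items()}


def rehearse_restore(archive: bytes, manifest: dict) -> list:
    """Return the problems found; an empty list means the rehearsal passed."""
    problems = []
    restored = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Refuse names that would escape the restore directory.
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                if not member.isfile():
                    continue
                # Reading every byte back is the actual rehearsal: a tape that
                # lists fine but cannot be read fails here, not on restore day.
                restored[member.name] = sha256(tar.extractfile(member).read())
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
        return problems
    for name, expected in manifest.items():
        if name not in restored:
            problems.append(f"missing from archive: {name}")
        elif restored[name] != expected:
            problems.append(f"hash mismatch: {name}")
    for name in restored:
        if name not in manifest:
            problems.append(f"not in manifest: {name}")
    return problems


# Constructed sample data standing in for a real backup set.
SAMPLE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
    "etc/app.yml": b"listen: 0.0.0.0:8443\n",
}


if __name__ == "__main__":
    good_archive, good_manifest = build_backup(SAMPLE_FILES)
    print("intact archive:", rehearse_restore(good_archive, good_manifest) or "OK")
    print("truncated archive:", rehearse_restore(good_archive[:40], good_manifest))
```

The manifest has to be produced at backup time and kept separately from the archive; a manifest that lives on the same tape fails together with it. Running this on a schedule against a randomly chosen backup set, rather than only the newest one, also catches the slow failure modes the answer describes, such as media that was readable when written and no longer is.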
What information should companies provide their employees to help prevent ransomware or malware attacks?
Humans remain the biggest weakness in every company security plan. Actuarially, company compromise through unwitting insiders is much more likely than through a malicious insider—that is the whole point of phishing attacks. There are a number of firms in the market now that specialize in making cybersecurity training happen in small, easily digestible, very engaging bites—think three to four minutes every other week or once a month, rather than once a year.
Training that is clearly inspired by current events is also much more relatable than the annual 60-minute marathon of training typical in many companies. The training also needs to overcome the proverbial “It can’t happen to me/us” attitude, a perpetual issue for cybersecurity companies. Progressive Insurance’s character “Mayhem” in its commercials is a fun example of trying to overcome attitudes. Is something similar possible in the cybersecurity realm? Absolutely.
What is wiper malware and why is it becoming an increasingly prevalent form of cyberattack against businesses?
Wiper malware is more insidious than previous ransomware. Previous ransomware and its typical deployment aim to profit from the ransom. The insidiousness of wiper malware is that the majority of versions have no mechanism for recovering data. The sole purpose is the deliberate destruction of accessible data at a time optimal for the malicious actor and presumably least optimal for the business.
Malicious actors are not stupid or haphazard—striking before likely busy periods of businesses, or at the beginning of holidays/time periods with no one in the office is a common modus operandi. The fortunate aspect, so far, is that wiper malware does not yet seem to be spreading as fast in the wild as Petya, NotPetya and others of the past have spread. Think of that fact as a temporary lull in the prevailing winds. Wiper malware will become more prevalent.