The State of Cyber Threat
This year has seen no shortage of successful cyber-attacks, each more devastating than anything previously known. The growing complexity of systems translates into larger and larger attack surfaces for ransomware, malware and ever more destructive, potentially life-threatening attacks.
- Equifax hack affected over 240 million banking and credit card customers
- Ransomware attacks like WannaCry, Petya and Bad Rabbit shut down critical systems worldwide, including UK National Health Service (NHS) providers, forcing the cancellation of thousands of medical procedures
- Attacks like ROCA exploited encryption flaws, shredding the WiFi security fabric and forcing the mass reissue of millions of smart cards
- Distributed Denial of Service (DDoS) ransom attacks regularly exceed 100 Gbps, some even passing the terabit-per-second threshold, disrupting banking and online portals worldwide
In short, criminal groups and nation states all have sophisticated tools in their arsenals. They can launch cyber-attacks with enough power and sophistication to overwhelm even the strongest enterprises.
The question of how to prevent, or at least survive, a successful attack should be above the fold in every executive brief. From front-line managers to the coaches and advisors on the board, this is a battle we all must engage in.
What to Do Now
As risk levels continue to mount, it is more critical than ever for organizations to perform an annual health check on their connected systems. The protections of last year may no longer be adequate as cyber criminals continue to hone their attacks.
Because of these ever-evolving threats, we recommend, and many bodies such as Health and Human Services and the New York Department of Financial Services concur, that every organization perform at least one risk assessment every year. This can range from a simple self-assessment to an external third-party risk assessment.
External risk assessments perform two important functions. First, they provide a second set of eyes that can cut through to issues that have grown up over time. There are often low-cost or no-cost fixes for these issues, but because of organizational inertia or corporate blind spots they linger, and they can serve as launching points for devastating attacks.
Second, they serve as a subtle nudge to the information technology staff to correct vulnerabilities they may already be aware of but have pushed to the side. This can take the form of implementing stronger authentication for critical systems, completing upgrade campaigns that were sidetracked, or simply identifying issues in advance of a full assessment.
Increasing the Pace
The goal of these activities is to increase the tempo of risk management. As these activities increase in frequency and impact, overall enterprise risk levels will begin to drop. This is the virtuous cycle sought by Enterprise Risk Management. Outpacing the attackers is possible, and doing so can make the difference between a good day and the worst day.