Protect Your Organization Against Potential Critical Threats – The CISA Advisory
On January 18, the Cybersecurity & Infrastructure Security Agency (CISA) released an advisory, Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats, outlining fundamental security principles that all organizations should be adhering to. The report also highlighted the risk posed by the modern threat landscape. While there is a whole raft of things companies should be doing on top of this to protect themselves adequately, these guidelines help to set out the minimum standards organizations should be aiming for. Theoretically, this ought to help secure resources to ensure security programs are put in place and maintained accordingly, which mitigates risk exposure. Moreover, CISA leading the way and pushing the agenda will undoubtedly aid security professionals in driving the security agenda within organizations across the US. This advisory and October's OFAC Advisory demonstrate how seriously the US Federal Government is taking cybercrime.
Ukraine is the Barometer
The recent attacks in Ukraine precipitated this warning. Ukraine has been the victim of an ever-increasing barrage of attacks, thought to be attributable to the offensive from Russia. Recently, we have started to see more cross-border collaboration between nation-states in disrupting threat actor operations. As early as September, after a string of arrests due to a multi-national investigation, we told Dark Reading that the bust was significant because the threat actors were arrested in Ukraine, which the industry often views as a relative haven for cybercrime. On January 25, Canada issued a similar warning after announcing that its Foreign Affairs Ministry had experienced an attack on January 19, 2022.
In addition, some states are now openly stating that they consider cyber-attacks to constitute an act of war and, as such, that a military response is proportionate (see the Netherlands – October 2021). While we are unlikely to see this play out in the near future, the political maneuvering of Western states, in particular, indicates there will be more joint cross-border collaboration in tackling cybercrime. The threat of military action is just that, a threat designed to disincentivize state-sponsored groups, even though full-scale escalation to a military response is improbable.
Challenging for Small to Medium-sized Companies
Larger organizations that operate in heavily regulated industries (e.g., financial services) and allocate sufficient budget to securing their infrastructure will probably already have a solid level of security maturity in place. Most of these large organizations will almost certainly have the majority, if not all, of these fundamental principles in place. However, small and medium-sized organizations with less budget to allocate (or larger entities that refuse to invest in security effectively) will likely be less prepared and more prone to attack.
Prepare for the Worst
Ultimately, organizations are only as strong as their weakest link. Security measures can only act as layers of hurdles getting in the way of attackers. With enough time, resources, and skill, the most persistent and mature attackers will always get over these hurdles eventually. Even with the best intentions and solid resource allocation to security programs, breaches still occur. Thus, organizations should not only look at trying to keep the bad guys out; they also need to be actively preparing for how they will respond when attackers get in.