The United States’ top cybersecurity regulator published a special bulletin this week listing numerous measures companies should implement immediately to ward off possible attacks from Russia during its Ukraine invasion.
CISA, the Cybersecurity Infrastructure and Security Agency, issued the bulletin on Tuesday in conjunction with the Department of Homeland Security. Both agencies stressed that they have no evidence of any specific cyber attacks Russia might be planning, but “we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.”
In other words — head in the game, people! Corporations around the world need to prepare now for any distractions or disruptions Vladimir Putin might cause abroad while he tries to take over Ukraine.
CISA dubbed its bulletin “Shields Up,” which is totally corny but nevertheless captures the cautionary posture CISA wants companies to take. The guidance applies to all organizations of any size or industry. None of it is mandatory. All of it is common sense, and you should embrace it.
Steps to Reduce the Chance of an Intrusion
- Confirm that all remote access to the organization’s network, as well as privileged or administrative access even within the network, requires multi-factor authentication.
- Assure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that IT personnel have disabled all ports and protocols that aren’t essential for business purposes.
- If the organization is using cloud services, assure that IT personnel have reviewed and implemented strong controls. (CISA has guidance on this if you need it.)
Steps to Detect Potential Intrusions Quickly
- Assure that IT personnel are focused on identifying and assessing any unexpected or unusual network behavior. Enable logging to better investigate issues or events.
- Confirm that the company’s entire network is protected by antivirus and anti-malware software, and that signatures in these tools are updated.
- If you work with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Be Prepared for an Intrusion
- Designate a crisis-response team with main points of contact for a suspected cyber incident and roles/responsibilities within the organization, including technology, communications, compliance, and business continuity.
- Assure the availability of key personnel; identify ways to provide surge support for responding to an incident.
- Conduct a tabletop exercise to assure that all participants understand their roles during an incident.
Maximize Resilience to a Destructive Incident
- Test your backup procedures to assure that critical data can be restored quickly if you’re hit by ransomware or a destructive cyberattack; assure that backups are isolated from network connections.
- If your business uses industrial control systems or operational technology, conduct a test of manual controls to assure that critical functions remain operable even if the corporate network is unavailable or untrusted.
If you want more suggestions or advice, you can also search the #ShieldsUp hashtag on Twitter. I’ve seen several cybersecurity firms start to circulate their own customer bulletins there.
Audit and Compliance Role
Obviously the IT security team bears primary responsibility for preparing the company for possible cyber attack. That said, compliance, audit, and legal teams can play important supporting roles to assure that the company is maximally prepared and can respond to an attack with agility.
For example, internal audit teams can assess the company’s patch management processes, which are crucial to ward off the unauthenticated attacks that can give a company nightmarish trouble. They can also double-check that the company has mapped the location of its critical data, identified all mission-critical IT systems, and implemented an effective business continuity plan.
Compliance teams, meanwhile, can help with policy management and employee training relevant to cybersecurity; or work with the IT security team to develop due diligence questionnaires for third parties that might pose risk to you. Compliance teams might also play important roles after an attack, if it results in a privacy breach that needs to be disclosed or if your company cooperates with law enforcement to find the perpetrators.
Speaking of law enforcement: the Biden Administration has already been talking up the importance of reporting cyber attacks to the authorities, and then cooperating with law enforcement, since last year. This is an even more important consideration now, when what looks like a company-specific attack might be part of a broader national security threat from Russia.
Obviously the decision to report should be made by the CEO in consultation with the board and general counsel, but the ethical thing to do here is to report. Perhaps this is an opportunity to talk with the board and reaffirm what the company’s policy will be if the worst does indeed happen.