The Colonial Pipeline ransomware attack in May 2021 had the most far-reaching impact of any ransomware attack to-date, causing a shutdown of one of the United States’ largest pipelines, resulting in gas shortages and nationwide panic. Shortly after the attack, President Joe Biden signed an Executive Order aimed at strengthening the government’s cyber defenses. And while that’s a big step in the right direction, it will continue to be up to businesses and other organizations to ensure they have the proper processes, tools and people in place to reduce the likelihood of successful attacks—and be prepared to detect, respond, and recover if they do. To help you get started, we’ve listed eight crucial lessons learned from the latest cybersecurity attack to hit the headlines.
- Know your risks. When was the last time you conducted a Security Risk Assessment? These critical assessments review your organization’s information security controls from a technical, procedural, and policy standpoint to identify gaps against cybersecurity best practices and prioritize remediation efforts based on level of risk. From news reports Colonial Pipeline had performed some form of risk assessment over a year before the successful attack in May. If you can’t remember the last time you performed one, you’re likely due for another.
- Manage your risks. Performing a Security Risk Assessment is the first step, but following up on your findings and closing any gaps is critical when it comes to protecting critical data and systems. According to reports, Colonial Pipeline was aware for over a year of major risks in their cybersecurity controls that identified “glaring” problems and “poorly connected and secured systems.” Are you actively managing your risks and determining corrective actions? The most secure organizations review their corrective action plan regularly in monthly cybersecurity governance meetings focused on the best strategy to manage that risk.
- Assemble your people. Colonial Pipeline posted a job opening for a cybersecurity manager position weeks before the attack.Do you have the right cybersecurity team in place to plan a strategy of cyber resilience and also to carry it out? Is your board or executive leadership discussing cybersecurity risks regularly? Are top level risks being addressed quickly? If you answered “no” to any of these questions, you might want to consider opening key cybersecurity positions at the executive and technical levels or partnering with a provider who can ensure your organization has the proper cybersecurity processes in place.
- Patch regularly. It is very likely the attackers against Colonial exploited long-known vulnerabilities to gain a foothold and infiltrate their systems. Attacks leveraged against unpatched systems are incredibly common and will have a tremendous negative impact if not properly managed. Are you regularly patching security vulnerabilities in your operating systems and software? Do you have unpatched critical or high vulnerabilities that have been known for over 90 days? Patching is the best way to protect individual systems from well-known threats.
- Prepare for the unplanned. Are you prepared to respond to a ransomware attack? How do you know? Are you performing testing to determine if your systems are susceptible to the most common forms of ransomware? Do you have an incident response plan and are you testing it with annual tabletop exercises? If you needed to pay a ransom in Bitcoin, do you know how to get it? You’ll never be able to predict the type of breach that’ll hit, but you can predict how your organization will respond. By proactively reviewing your environment, mapping what data lives on site, in your cloud, and on third-party systems, reviewing your policies with a critical eye, and then leading you through a scenario to see how you would respond to a likely attack.
- Enable Detection & Response: If your company was attacked by ransomware, how long would it take you to find out? Do you have robust extended detection and response (XDR) capabilities in place to alert you to the first indication of compromise? How do you know you have not already been breached by an attacker biding their time and monitoring your data? If there’s one thing you should do for yourself, it’s making sure you have a complete MDR service that works that is being monitored by a well-trained team or partner. When you have an incident, you’ll be glad they’ve seen these issues before and have the talent and tools to respond immediately.
- Control your vendors. Vulnerabilities introduced by third-party vendors account for about two-thirds of all data breaches. What would be the impact if your vendors and third-party partners were attacked by ransomware and shutdown for an extended period? Do you know if they are taking proper measure to guard against ransomware? When you partner with a third party, it’s essential to evaluate how access and the platforms they use can create a pathway for bad actors to wreak havoc on your systems or data.
- Ensure compliance. The recent Executive Order and pending federal legislation may require organizations to quickly report breaches. Are you prepared to do so? Are you meeting other state and international privacy and cybersecurity compliance requirements? As policies change, Agio can help you establish a customized governance framework that ensures a strong cybersecurity posture and stands up to regulators when they come knocking.
Contact us for more information on cybersecurity governance, MDR and vendor risk services. Agio would love to help prepare your organization for the next threat.