The Cybersecurity and Infrastructure Security Agency (CISA) recently began a "Shields Up" program. The program was developed in response to Russia's invasion of Ukraine and the increased risk to American organizations due to a potential escalation of Russian aggression in cyberspace. It is designed to give organizations recommendations to improve their internal cybersecurity and keep American companies safer.
The recommendations include ensuring your software is updated, especially patching for critical vulnerabilities. It also counsels organizations to watch for threat actor activity from Russia and Ukraine while deploying modern security tools to continuously monitor and mitigate threats.
Other recommendations from Shields Up include:
Reduce: Implement multifactor authentication across your organization, prioritize patching of known exploited vulnerabilities, disable ports and protocols not essential for business purposes, ensure you have strong cloud controls in place, and complete periodic vulnerability scanning.
Detect: Ensure that your cybersecurity staff has the tools and skills in place to discover and assess any unexpected or unusual network behavior. Enable logging to better investigate threats. Keeping logs for at least six months is good practice because events can often take time to identify. Ensure you have antivirus software in place across the network.
Prepare: Verify that you have designated a crisis response team and all main points of contact that will be necessary during a cyber incident. Also, conduct tabletop exercises so that participants understand their roles during an incident.
Tabletop exercises allow organizations to walk through an incident to ensure they are prepared. This is a fundamental part of proactive cybersecurity. Tabletops show you the areas where you need to improve, as well as the critical questions that must be answered and the decision points that must be resolved during an incident.
One area where tabletops can be beneficial is hardening internal and external communications during an incident. What communications channels should be used? We recommend verbal communication as much as possible during an incident for a couple of reasons. The first is that if a network is compromised, communications on the network (e.g., email communications) could be compromised as well. The second reason is that written communications may be discoverable in a legal case following the incident.
Communication is also important in how you will notify customers, vendors, regulators, and the media, if necessary. How often to communicate and what to communicate should be decided before an incident, not during it, when mistakes in these areas could prove catastrophic.
Resilience: Ensure backup measures are in place so that you can quickly recover from a cyber incident. If using industrial control systems, CISA recommends conducting a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
Additional recommendations include:
Empowering Chief Information Security Officers (CISOs): We’ve long recommended that cybersecurity needs to be a board-level priority. Today, this has never been more apparent. It is important to ensure that cybersecurity has a seat at the table and, if you have a CISO, that this person is heard and heeded.
Lowering Reporting Thresholds: CISA is recommending that any indication of malicious cyber activity be reported to them to help identify an issue and hopefully stop further attacks. Sharing information can help the government and others avoid or stop cyberattacks.
Test Response Plans: Yes, all response plans should be regularly tested. Tabletop sessions should be held that include leaders from across the organization. We recommend they be conducted by a third party to help improve the tabletops and offer expert feedback on ways to improve. In any case, holding regular tabletop sessions is critical.
Continuity and Resiliency Testing: It is also important to continually test your ability to maintain operations during an incident and your ability to recover if an incident does bring down your operations or network.
Plan for the Worst: In a worst-case scenario, you may need to completely shut down your network. Is this something your organization could accomplish? If so, how would it detrimentally impact your organization? Conducting a Business Impact Analysis for such a time can help you understand how you would be affected in a worst-case scenario.
These are all important components to add to your organizational cybersecurity in a normal environment. They are even more critical in an environment of heightened digital threats.
Much of this is fundamental to good proactive cybersecurity. It is important to ensure that your systems are up to date and patched, that you are regularly monitoring for threats, and that you are continually testing your network for resiliency.
One thing we can’t stress enough is the importance of having a strong incident response program in place. This program should contain playbooks for all types of digital events you will face, such as external or internal data theft, ransomware, and third-party vendor exploitation. These playbooks should be bolstered with regular tabletop exercises that are attended by leaders across the organization.
We regularly build playbooks for organizations of different sizes and facilitate tabletop sessions as well. Through these tabletop sessions, we are able to watch our clients wrestle with important concerns around a response in a safe environment when the pressure is limited and not ratcheted up in an ongoing incident. This helps them to better prepare for when an incident does occur, and everyone in the organization is rowing in the same direction to limit the damage as much as possible. Today, people are forgiving of incidents, but they are not forgiving of a poor response.
As CISA might point out, good organizational cybersecurity may not just be good practice anymore. In some ways, it is also a patriotic duty.