While the most preventative strategies for ransomware are similar to any other malware, this one has a much greater potential for damage. We need to reassess our risk tolerance and enhance our defenses accordingly, while being careful not to go along with a plan just because it seems safe. For the same technique used in ransomware could just as easily be used as a destructive attack by a perpetrator with a different motive, like in hacktivism or nation-state. Since most ransom malware is delivered via email, there are many effective educational campaigns to warn users and provide safer email practices. Many companies have either hired a service or are internally running phishing campaigns to help educate users. This practice should continue throughout 2017.

Government and Regulatory Affairs

Too many CISOs are not involved with their company’s government and regulatory affairs teams or with associations that help influence legislative and regulatory actions. The concern, and thus the interest in cyber security, has grown so much that governmental entities are feeling pressured to act. However, good intentions can often lead to impractical or ineffective rules that force compliance but not necessarily good security. We must separate compliance from security – and the limited resources are not always appropriately allocated.

CISOs are the front-line practitioners and if involved, can help ensure that regulatory measures are more effective. Even if your company does not have or need a governmental affairs team, there are various groups you can join including; the National Technology Security Coalition, trade associations, and the various information-sharing and analysis centers. If nothing else, you can always contact your congressional representative and express your concerns. It is important that we are involved in the cybersecurity dialogue and know what is coming our way in order to modify our programs as changes occur.

Internet of Things

Gartner predicts there will be nearly 26 billion internet-connected devices by 2020. The smart home devices market alone is expected to reach more than $121 billion by 2022. Unfortunately, 2016 showed us how vulnerable these devices are to criminal use. The largest distributed denial of service (DDoS) attack used an internet of things (IoT) target bot/bot net to launch the attack that affected many companies. Stop for a moment to think about all the refrigerators, HVAC controls, industrial coffee makers, inventory systems, and cameras, among other devices that exist in today’s corporate environment. These devices have become so pervasive that many organizations have no idea how many there are or where they are on the network.

One leading security expert said, “Not only are these IoT devices unsecured, they are mostly unsecurable.” The truth is they were built for functionality, not security. Presently, the National Institute for Standards and Technology is working on standards for these devices.

CISOs must ensure they can account for all devices on their networks and include IoT devices in their security program. While they may not be individually securable, they can be put on a segment/VLAN and controlled by access control lists. The function must be understood to limit the communication. IoT devices must only be permitted to communicate with intended targets through IP restrictions. When possible, they should be limited to one-way communication such as the ability to receive a signal but not transmit. They must be monitored for anomalous activity to at least detect if a bot is present and call it out, as you would see in a DDoS.

CISOs should take into account these best practices without losing sight of what is critical to their own cyber security needs. Consider the best way to help rally your teams to face the ever-growing cyber threat. Identify the requisite capabilities your organization must have to counter these threats. Assess key learnings from last year in order to take an offensive approach as we head into 2017. After-all, the best defense is a good offense.

Founded in 1955, Aflac is a Fortune 500 company, providing financial protection to more than 50 million people worldwide.