Tim Callahan, SVP, Global Chief Security Officer, AFLAC
I love the start of a new year. It is an opportunity to reflect on the successes, failures and lessons learned from the previous year and resolve to set a fresh course. We can build on our successes and learn from the efforts that were not successful, so as to avoid repeating them. For CISOs, that means reflecting on what the new year could bring: thinking through the threat environment, renewing (or, for some, creating) our enterprise risk assessment and laying plans for the year. For 2017, there are three important areas of focus for CISOs to keep in the forefront of their minds.
Ransomware
According to Mandiant/FireEye, ransomware events increased by 35 percent from August 2015 to May 2016. In 2016, such attacks locked up hospitals' valuable patient file systems. Consider also the impact on the San Francisco transit service, where passengers were unable to pay because of another ransomware attack. Ransomware used to be a mere nuisance, affecting individual PCs and mostly consumers. Today, it is a true enterprise threat with the potential to affect the entire file system. It probably has a higher potential for direct and indirect economic impact to a company than any other malware.
The direct impact can be seen in the loss of valuable information in the corporate file system as well as the potential costs of the ransom itself. Even if you pay the ransom, there is no guarantee you will actually get a working code to unlock your files – if you get one at all. Most ransom demands have been relatively modest in cost when compared to the loss potential. However, as attackers prove more effective in locking a company’s files, it only makes sense that the cost to get your files back will increase.
However, there are also indirect, intangible impacts of data recovery that are sometimes more damaging. For example, what is the cost of lost productivity for affected end users? There are other costs as well, including the labor needed to handle users reporting suspect e-mails and other attacks, and, while hard to measure, the cost of users not opening legitimate email messages for fear that they are spam. Also, what should be of great concern to any CISO as a genuine business partner is the impact that such events could have on your company's reputation. Will consumers want to do business with companies that appear vulnerable to external attacks?
Organizations should look at their information replication and recovery protocol. Historically, we have all tried to achieve a greater speed of replication to ensure the best recovery point objective in a disaster. However, now we have to consider that if we are hit with ransomware, are we replicating too fast? Is there a possibility that we could replicate the malware to our backup systems? If we do, we can’t recover from backup.
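One way to act on the "are we replicating too fast?" question above is a guard that runs before each replication cycle: if an implausibly large share of files changed since the last snapshot, the cycle is held and the retained point-in-time snapshots are left untouched, so an encrypted file system never overwrites the last good copy. This is an added example with constructed file states and assumed thresholds, not Aflac's tooling.

```python
"""Pre-replication guard: hold replication to backup when the change rate looks
like mass encryption, and keep point-in-time snapshots so a bad replica never
overwrites the last good copy. Constructed data; not Aflac's tooling."""
from collections import deque
from dataclasses import dataclass, field

MASS_CHANGE_RATIO = 0.30   # assumed threshold: >30% of files changed in one cycle
RETAINED_SNAPSHOTS = 3     # assumed: keep the last three good copies

@dataclass
class BackupTarget:
    snapshots: deque = field(default_factory=lambda: deque(maxlen=RETAINED_SNAPSHOTS))
    held: bool = False

    def last_good(self):
        return self.snapshots[-1] if self.snapshots else None

def change_ratio(previous: dict, current: dict) -> float:
    """Fraction of previously known files whose content hash changed or vanished."""
    if not previous:
        return 0.0
    changed = sum(1 for p, h in previous.items() if current.get(p) != h)
    return changed / len(previous)

def replicate(target: BackupTarget, previous: dict, current: dict) -> str:
    """Return 'replicated' or 'held'. A held cycle leaves the retained snapshots untouched."""
    ratio = change_ratio(previous, current)
    if ratio > MASS_CHANGE_RATIO:
        target.held = True
        return "held"
    target.snapshots.append(dict(current))
    target.held = False
    return "replicated"

# Constructed file-system states: path -> content hash (placeholder strings)
DAY1 = {"/share/a.docx": "h1", "/share/b.xlsx": "h2", "/share/c.pdf": "h3", "/share/d.txt": "h4"}
DAY2 = {**DAY1, "/share/a.docx": "h1b"}                       # one normal edit
DAY3 = {"/share/a.docx.locked": "e1", "/share/b.xlsx.locked": "e2",
        "/share/c.pdf.locked": "e3", "/share/d.txt": "h4"}    # 3 of 4 files gone/renamed

def run_demo():
    """Run three cycles; the third (mass change) is held and DAY2 stays the last good copy."""
    t = BackupTarget()
    results = [replicate(t, {}, DAY1), replicate(t, DAY1, DAY2), replicate(t, DAY2, DAY3)]
    return results, t.last_good()

if __name__ == "__main__":
    print(run_demo())
```

A held cycle is a signal to investigate, not just a skipped backup; the threshold must be tuned to the normal daily churn of the share it protects.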
While the main preventive strategies for ransomware are similar to those for any other malware, this one has a much greater potential for damage. We need to reassess our risk tolerance and enhance our defenses accordingly, while being careful not to go along with a plan just because it seems safe, because the same technique used in ransomware could just as easily be used as a destructive attack by a perpetrator with a different motive, such as a hacktivist or a nation-state. Since most ransomware is delivered via email, there are many effective educational campaigns to warn users and promote safer email practices. Many companies have either hired a service or are internally running phishing campaigns to help educate users. This practice should continue throughout 2017.
Government and Regulatory Affairs
Too many CISOs are not involved with their company's government and regulatory affairs teams or with associations that help influence legislative and regulatory actions. Concern about cyber security, and thus interest in it, has grown so much that governmental entities are feeling pressured to act. However, good intentions can often lead to impractical or ineffective rules that force compliance but not necessarily good security. We must separate compliance from security; when the two are confused, limited resources are not always appropriately allocated.
CISOs are the front-line practitioners and, if involved, can help ensure that regulatory measures are more effective. Even if your company does not have or need a governmental affairs team, there are various groups you can join, including the National Technology Security Coalition, trade associations, and the various information-sharing and analysis centers. If nothing else, you can always contact your congressional representative and express your concerns. It is important that we are involved in the cybersecurity dialogue and know what is coming our way in order to modify our programs as changes occur.
Internet of Things
Gartner predicts there will be nearly 26 billion internet-connected devices by 2020. The smart home devices market alone is expected to reach more than $121 billion by 2022. Unfortunately, 2016 showed us how vulnerable these devices are to criminal use. The largest distributed denial of service (DDoS) attack used a botnet of compromised internet of things (IoT) devices to launch the attack that affected many companies. Stop for a moment to think about all the refrigerators, HVAC controls, industrial coffee makers, inventory systems, and cameras, among other devices, that exist in today's corporate environment. These devices have become so pervasive that many organizations have no idea how many there are or where they are on the network.
One leading security expert said, "Not only are these IoT devices unsecured, they are mostly unsecurable." The truth is they were built for functionality, not security. Presently, the National Institute of Standards and Technology (NIST) is working on standards for these devices.
CISOs must ensure they can account for all devices on their networks and include IoT devices in their security program. While they may not be individually securable, they can be put on their own segment/VLAN and controlled by access control lists. Each device's function must be understood in order to limit its communication: IoT devices must only be permitted to communicate with their intended targets, enforced through IP restrictions. When possible, they should be limited to one-way communication, such as the ability to receive a signal but not transmit. They must be monitored for anomalous activity so that, at a minimum, a bot can be detected and called out, as you would see when a device takes part in a DDoS.
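The controls above (a dedicated IoT segment, a per-device allowlist of intended targets, receive-only devices, and anomaly monitoring for bot behavior) can be checked against network flow records. The following is an added example, not Aflac's tooling: the IoT segment, the policy table and the flow records are all constructed, and the fan-out threshold is an assumed value.

```python
"""IoT allowlist and anomaly check over flow records (added example; constructed
data and policy, not Aflac's network). Each IoT device may only talk to its intended
targets; receive-only devices may not initiate outbound flows; and an outbound burst
to many distinct destinations is flagged as a possible bot, as in a DDoS."""
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")     # assumed IoT VLAN
# Assumed policy: device -> (allowed targets, may_initiate)
POLICY = {
    "10.50.0.10": ({"10.10.1.5"}, True),      # HVAC controller -> building mgmt server only
    "10.50.0.20": ({"10.10.1.9"}, True),      # camera -> video recorder only
    "10.50.0.30": (set(), False),             # receive-only display: never initiates
}
BURST_DESTINATIONS = 3   # assumed: >3 distinct outbound destinations in window = anomaly

# Constructed flow records: (src, dst, dst_port)
FLOWS = [
    ("10.50.0.10", "10.10.1.5", 443),
    ("10.50.0.20", "10.10.1.9", 554),
    ("10.50.0.20", "198.51.100.7", 23),      # camera reaching out to an unexpected host
    ("10.50.0.30", "10.10.1.5", 80),         # receive-only device initiating a flow
    ("10.50.0.10", "203.0.113.1", 80),
    ("10.50.0.10", "203.0.113.2", 80),
    ("10.50.0.10", "203.0.113.3", 80),
    ("10.50.0.10", "203.0.113.4", 80),       # HVAC fanning out: DDoS-bot pattern
]

def check_flows(flows, policy=POLICY):
    """Return a list of (src, reason) findings for flows that violate the policy."""
    findings = []
    fanout = defaultdict(set)
    for src, dst, port in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue                      # not an IoT device; other controls apply
        allowed, may_initiate = policy.get(src, (set(), False))
        if src not in policy:
            findings.append((src, "unknown device in IoT segment"))
        elif not may_initiate:
            findings.append((src, f"receive-only device initiated flow to {dst}:{port}"))
        elif dst not in allowed:
            findings.append((src, f"flow to unintended target {dst}:{port}"))
        fanout[src].add(dst)
    for src, dsts in fanout.items():
        if len(dsts) > BURST_DESTINATIONS:
            findings.append((src, f"possible bot: {len(dsts)} distinct destinations"))
    return findings

if __name__ == "__main__":
    for src, reason in check_flows(FLOWS):
        print(src, reason)
```

The same policy table is what the segment's ACL should enforce; the flow check is the monitoring layer that tells you when the ACL is missing, bypassed or out of date.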
CISOs should take these best practices into account without losing sight of what is critical to their own cyber security needs. Consider the best way to rally your teams to face the ever-growing cyber threat. Identify the requisite capabilities your organization must have to counter these threats. Assess key learnings from last year in order to take an offensive approach as we head into 2017. After all, the best defense is a good offense.
Founded in 1955, Aflac is a Fortune 500 company, providing financial protection to more than 50 million people worldwide.