With the recent cyber-attacks between Russia and Ukraine and the current intelligence coming from the US Government, organizations want to shore up their defenses to reduce the risk of a successful attack by any nation-state.
Considering the target is towards the US-defined critical infrastructure, organizations must implement the various safety requirements to protect their data and systems.
The US has "evolving intelligence" that the Russian government is "exploring options for potential cyberattacks," President Joe Biden said in a statement on Monday. "It's part of Russia's playbook," Biden said.
The President also called on private sector companies to "harden your cyber defenses immediately" with measures such as multi-factor authentication, up-to-date security software and tools, secure data backups, and routine training drills. One of the bullets has our full agreement:
Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly;
“To be clear, there is no certainty there will be a cyber incident on critical infrastructure,” White House deputy national security adviser for cyber and emerging technology Anne Neuberger told reporters during a briefing on Monday afternoon. “So why am I here? Because this is a call to action and a call to responsibility for all of us,” she said.
Boards to approve and fast-track security spending
To mitigate threat tactics put forth by CISA's "Shields Up" will require boards to approve and fast-track spending for products and services not already implemented.
Some of the items that are the quickest return on investment and implementation time would be reviewing incident plans and recovery strategies in the event of an attack. Review and mitigate risks to external facing systems and verify they are fully patched and current on all security updates.
What you need is a robust security culture
The most impactful will be to ensure employees receive education, know the latest attack methods, and be vigilant on all unexpected emails requiring any urgency for action. Security awareness training is essential, and it's the first step towards having a robust security culture for the users and the organization's overall cyber resiliency.
An organization with a strong security culture is 52x less likely to provide credentials to cybercriminals unsuspectingly, exposing the organization to unnecessary brand reputation, loss of revenue, or data loss.
Users with security top of mind enable them to identify suspicious emails and report them to reduce the risk of further door openings for cybercriminals to gain entry to systems, networks, and data quickly. More in an article at The Hill.