Congress passed a new law in March that requires organizations responsible for critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The bill also states that CISA must be notified of ransomware payments within 24 hours.
This law — Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — follows “evolving intelligence” and alerts for Russian government cyberattacks amid Russia’s invasion of Ukraine.
In light of the new legislation, we caught up with Jerry Leishman, executive vice president at CORTAC Group, a Seattle-area firm that provides security and compliance help to companies including U.S. Department of Defense supply chain and commercial contractors.
Leishman, a former Microsoft manager, shared five tips for companies to stay secure online. He emphasized that cybercriminals aim for easy targets that are not covering basic hygiene and therefore easy to compromise.
- Use multifactor authentication (MFA). Although multifactor authentication is not a silver bullet for security, Alex Weinert, director of identity security at Microsoft, estimates that using MFA makes security breaches 99.9% less likely. Securing accounts with MFA helps as companies grapple with increased breaches that result directly from remote work, where employees access company assets through personal devices. Leishman suggested all end users apply MFA to third-party devices.
- Maintain business continuity. If your company is hit with ransomware, having stable backups to pivot to avoids having to pay the ransom (where there is no guarantee that the malicious actor will hand over the correct decryption key). In the U.S. alone, ransomware payments cost more than $590 million during the first half of 2021, an increase from $416 million in 2020. Leishman recommends regular, if not daily, backups to foster strong resiliency in the face of an attack.
- Use endpoint protection. Threats tend to congregate at trust boundaries, the points where information is exchanged in cyberspace. Endpoint protection analyzes data before it flows across these boundaries to prevent malware from entering the network. Local startups and major companies sell endpoint protection software for companies that would rather buy a solution than build one. Leishman suggests holding “tabletop” exercises where security practitioners simulate an attack to find weak points in the incident response model.
- Have an incident response plan. The National Institute of Standards and Technology, the organization responsible for U.S. security standards, provided recommendations for incident response. Affected organizations should have a clear plan and points of contact on staff to handle responses during an incident.
- Protect the human factor. Security practitioners recognize humans as the weak link in security. Deloitte reported that 91% of cyberattacks begin with a successful phishing attempt where a user clicks on a link or willingly gives a malicious actor their credentials. Access inside a network is critical for sophisticated malicious actors to initiate the reconnaissance stage of the cyber kill chain. Reconnaissance allows malicious actors to begin collecting information about a network and its users in order to launch a more devastating attack or pursue lateral movement. The human vulnerability can be mitigated through end-user training and by strict role-based access that abides by the principle of least privilege, where a user can only access what is necessary to complete their job.
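The last tip, role-based access that follows least privilege, is easy to state and easy to get wrong in practice. The following is an added example (not code from the article or from CORTAC Group) of the two halves of that idea: a deny-by-default authorization check that records every denial for detection, and a review routine that compares what a user was granted against what they actually exercised so that unused permissions can be pruned. The role names, permission strings and activity data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-to-permission map (hypothetical, not from the article): each
# role carries only the permissions its job function needs. Anything absent is denied.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "finance": {"invoice:read", "invoice:approve"},
    "backup_operator": {"backup:run", "backup:verify"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


# Denied requests are recorded here; in production this would be shipped to a SIEM.
AUDIT_LOG = []


def granted_permissions(user):
    """Union of the permissions from every role the user holds. Unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, permission):
    """Deny-by-default: allow only if one of the user's roles carries the permission."""
    if permission in granted_permissions(user):
        return AccessDecision(True, f"{permission} granted via roles {sorted(user.roles)}")
    # Record the denial: a burst of denials for one account (a compromised helpdesk
    # user probing for finance or backup rights, say) is a useful detection signal.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.name,
        "permission": permission,
        "outcome": "DENY",
    })
    return AccessDecision(False, f"{permission} not granted by any role of {user.name}")


def unused_permissions(user, exercised):
    """Least-privilege review: permissions granted but never exercised in the observed
    window. These are candidates for removal or for moving the user to a narrower role."""
    return granted_permissions(user) - set(exercised)


def denial_count(user_name):
    """Number of denied requests recorded for an account."""
    return sum(1 for entry in AUDIT_LOG if entry["user"] == user_name)


if __name__ == "__main__":
    alice = User("alice", frozenset({"helpdesk"}))
    print(authorize(alice, "ticket:read"))
    print(authorize(alice, "invoice:approve"))
    # Constructed activity record: the permissions alice actually used this quarter.
    print(unused_permissions(alice, {"ticket:read", "user:reset_password"}))
    print(denial_count("alice"))
```

Two design points matter here. The check is deny-by-default, so a typo in a role name or a role that was never defined grants nothing rather than everything. And the review function turns "least privilege" from a slogan into a recurring task: run it over a period of real activity and remove what was never used.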