Global cyberattacks like the one that struck Ukrainian government agencies and international businesses toward the end of June 2017 routinely spur urgent discussion about how to identify and counter the latest bespoke malware. In addition to heeding specific recommendations for addressing particular threats, it is critical for corporate leaders to strategically manage cyber risks from the boardroom on down.
The media narrative on cyberattacks is often episodic and driven by the latest crisis. Headlines frequently feature quirky names for malware intended to distinguish the latest threats from the last.The recent cyberattack called Petwrap or Petya has also been compared to WannaCry ransomware because both threats reportedly leverage sophisticated hacking tools leaked to the world in April, reportedly from the National Security Agency, by an anonymous group called the Shadow Brokers.
For the C-suite, however, management of cyber threats cannot be episodic. Rather than focusing on the seemingly endless stream of malware monikers, corporate directors, CEOs and other senior directors should stay focused on business risk. Managing cyber risks is like managing any other kind of business risk – it requires tradeoffs. It comes down to proactively aligning resources to mitigate the likelihood of cybersecurity incidents and limit the damage when some cyberattacks inevitably penetrate defenses.
As the Petya outbreak demonstrates, these threats are increasingly sophisticated and widespread. Geopolitical actors utilize hackers with world-class capabilities. This cyberattack, although technically similar in some ways to WannaCry, reportedly sought to disrupt Ukrainian organizations on the eve of a Ukrainian holiday celebrating independence from the Soviet Union. The complexity of the threat landscape underscores the need for corporate leaders to embed strong management of cyber and privacy risk management into the fiber of their organizations.
Fortunately, maintaining robust cyber hygiene can help companies mitigate significant risks. It takes committed leadership, however, to put this into action on a continuous basis. The Petya cyberattack spread partly via a particular vulnerability that Microsoft patched in March 2017 -- a vulnerability also exploited last month by WannaCry. Organizations that left the patch unimplemented not only after it was initially issued but also after the publicity on WannaCry exposed their systems to relatively more risk than leading companies that promptly updated their systems.
Here are a few pragmatic steps that companies can take to better manage these risks:
Strategic assessments of cyber threats and vulnerabilities - conducting risk assessments that show how creative hackers of different stripes might seek to undermine the organization’s security for various motives, and where security gaps exist, enabling the C-suite to better align resources to counter the most significant cyber risks;
Rapidly spotting and countering threats - strengthening the ability to rapidly identify, detect and contain threats, as well as broadening the sharing of threat data with peers and authorities to provide faster, actionable intelligence capable of driving measurable security improvements;
Robust business continuity planning and exercising - ensuring that individual user systems and key servers can be restored rapidly from backups, and that the frequency of backups aligns to the timeframe of data your organisation is prepared to lose in the event of any system being rendered unusable;
Crisis and incident response planning and exercising - ensuring that there are formal procedures in which employees and those responsible for the management of high priority incidents are well versed to streamline the organisation’s reaction to ransomware events and its ability to restore service to employees and customers;
Strong security hygiene policies and user awareness - preventing ransomware entering your IT environment through the most common delivery vector, phishing, by enforcing strong controls at your email gateways and network perimeters, and developing vigilant employees through robust awareness campaigns; and,
Rigorous patch and vulnerability management - the vulnerabilities exploited in the Petya attack have already been addressed via Microsoft ‘critical’ patches released in March 2017. A robust vulnerability management programme will help reduce the likelihood of exploitation.
Finally, it’s critical for corporate leaders to approach cyber risk management with a larger framework in mind. The US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, for example, is a risk-based set of guidelines built around five key functions: identify, protect, detect, respond, and recover. This voluntary risk-management tool is becoming increasingly important across industry, particularly for critical infrastructure. In addition, use of this framework recently became mandatory for US federal agencies under the Trump administration’s May 2017 cybersecurity executive order.
Corporate leaders are facing increasing calls for accountability to manage emerging risks to cybersecurity and privacy. In 2016, for instance, the Department of Health and Human Services issued guidance directing hospitals to report ransomware attacks. Ultimately, however, significantly improving cybersecurity in organizations is not mainly about compliance but rather managing risks strategically across the entire enterprise. Leading companies stand to gain not only improved cybersecurity but also potentially an edge in the marketplace.
Cyber & Privacy Innovation Institute Leader, PwC US
Principal, Cybersecurity and Privacy, PwC US