VigiTrust CEO On Why the Board Must Join the Cyber Accountability Bandwagon


The arrival of the COVID-19 pandemic forced organizations worldwide to switch to remote work to keep the lights on. This gave hackers an opening to launch large-scale phishing and ransomware attacks, exploit vulnerabilities, and ramp up supply chain attacks for big money. In this interview with Toolbox, VigiTrust CEO Mathieu Gorge explains why organizations were ill-prepared to face the new wave of cyber assaults, what needs to be done to boost enterprise defenses, and the best ways to deal with a ransomware attack.

Over the past twelve months, organizations have learned the hard way what a hurried switch made without cybersecurity preparedness costs. Since 2020, the number of ransomware attacks targeting organizations worldwide surged by 150%, and the average ransomware payout tripled in the U.S., indicating the success enjoyed by cybercriminals. Supply chain attacks like the exploitation of flaws in SolarWinds’ IT monitoring platform and the Microsoft Exchange system exposed organizations across industries to network infiltration, and ransomware attacks targeting critical infrastructure organizations such as Colonial Pipeline disrupted the delivery of essential goods and services.

The successes enjoyed by the cybercrime industry since the arrival of the pandemic have made businesses seek long-lasting solutions to the menace. However, according to Mathieu Gorge, the CEO of VigiTrust, C-level executives, board members, and business owners must take a long, hard look at their own cybersecurity policies and practices, and at how committed they are to taking personal responsibility for cyber incidents affecting their operations and customers.

Watch our face-to-face interview with Mathieu Gorge:

Here are some of the highlights from this interview:

Will stringent fines act as a deterrent for organizations that don’t prioritize cybersecurity?

Fines are certainly a deterrent for organizations that are paying lip service to cybersecurity or to managing and protecting their networks. However, fines on their own are not good enough. The real concerns are damage to reputation and damage to operations. To prevent these, organizations have to take steps to find out about incidents, contain incidents, investigate incidents, work with law enforcement and regulators, subject themselves to flash audits regularly, and make an undertaking that they are going to redesign their security and compliance programs.

Board members and C-level executives are today going through what VigiTrust terms as the five stages of cybersecurity response:

Denial: Cybersecurity does not apply to me. My job is to grow the business and create profits for shareholders and create employment. It’s not to worry about cybersecurity matters.

Anger: Leave me alone. I employ a CISO, a compliance officer, and cybersecurity teams to handle these issues.

Bargaining: To avoid regulatory pressure, C-level executives and board members get third-party audits done to show their networks are safe and they are doing the right thing. However, we all know that is not good enough.

Depression: Oh my God, the regulator is at the door. They are going to seize my files, and they are going to disrupt my operations.

Acceptance: As an officer of the company, I accept I am personally responsible and liable if any incident occurs, and I will take steps to ensure that cybersecurity incidents do not happen on my watch.

These stages signify that business owners and decision-makers are averse to taking personal responsibility for cybersecurity incidents and are more inclined to delegate such responsibilities to the CISO until a major incident occurs. This needs to change. Cybersecurity has to be a board-level issue, and protecting an organization’s digital assets needs to come from top management.

The SolarWinds and Microsoft Exchange hacking episodes make it clear that decision-makers must take responsibility for the entire digital ecosystem, be it business silos, third parties, cloud assets, etc. Organizations must know about the entire data ecosystem in order to protect all the data and be accountable. While SolarWinds was about managing third parties, the Microsoft Exchange hack was about vulnerability management and updating systems regularly.


Are CISOs not getting the required attention from the board?

There has been a lot of improvement in the industry, but a lot more needs to be done. CISOs should be invited to the Board at least on a quarterly basis and ideally at every board meeting. The challenge that CISOs have is that it is an extremely lonely job. Whenever an incident occurs, they are usually in the first line of fire. They sometimes struggle to articulate the message to the Board, and this is because board members are used to reasoning in business terms, not necessarily in technical or legal terms. The cybersecurity and compliance community needs to demystify cybersecurity for board members and key decision-makers, and this can be done by talking to them in business terms.

CISOs need to take into consideration the five pillars of the cybersecurity framework, namely physical security, people security, data security, infrastructure security, and crisis management, when interacting with the Board. This will make it easier for board members to understand the issues at hand and make informed decisions to boost the organization’s cyber preparedness.

The European Court of Justice invalidated the E.U.-U.S. Privacy Shield, thus hampering the smooth flow of data between Europe and the U.S. Will a federal law in the US be able to solve these challenges?

GDPR enables European governments to access citizens’ data for national security reasons, but the process is very well documented, making it difficult for governments to access such data for flimsy reasons. The security and privacy of people’s data has been deliberated upon in the U.S. by the last three administrations, but every time there has been pushback. Some states already have very strong regulations, while some have very lax rules, which has created an imbalance.

It is in the best interests of U.S. citizens and non-U.S. citizens that a federal data protection law is passed in the country. Only time will tell how long it will take for such legislation to be passed. It also depends on how such a law will be implemented at the national and state levels. At the least, the entire process of introducing and passing such legislation will be 2-3 years. However, considering that GDPR has turned out to be effective and has become the model legislation for many other countries, there is pressure on the U.S. to enact a similar law.


The average ransom payout in the U.S. tripled between 2019 and 2020, touching $300,000. Why are companies so willing to pay a ransom instead of spending equivalent amounts in remediation efforts?

The problem is a lack of education. The cybersecurity community always advises against paying a ransom as it does not guarantee that hackers will go away. Companies are usually desperate to get their data back and lack business continuity or disaster recovery plans to recover from a ransomware attack on their own. Many companies also don’t take legal advice or don’t have the culture of collaborating with authorities before an incident occurs, which is an absolute must. Authorities and regulators can educate companies on how to prevent ransomware attacks, and what to do in the event of such an attack.

The increase in ransom payments in 2020 and 2021 is because of a lack of education. The wholesale shift to remote work increased the risk exposure dramatically, and organizations didn’t provide the right anti-malware or anti-phishing training to their employees. Organizations are still nurturing a mindset that their priority is to keep the business running and not to provide phishing training. As a result, phishing and ransomware attacks will continue to rise in the coming days.

Security is a journey, not a destination. An organization may be PCI compliant or GDPR compliant, but the threat vectors change all the time, the ecosystem changes, and the staff changes all the time. So no organization can be 100% secure at all times. Therefore, continuous training, cyber preparedness, robust policies, engagement with law enforcement, etc., can help an organization detect and prevent future attacks.

Should companies talk to hackers in the aftermath of a ransomware attack?

Talking to hackers is a dangerous game unless you are trained to do that. There are companies specialized in engaging with and talking to hackers. Hackers work in communities as well and share information and swap accounts. We shouldn’t underestimate the level of coordination they have. If an organization engages with hackers, it is possible that the latter will have the upper hand in the negotiations and will force the organization to pay more ransom than it should.


What should an organization do in the first 48 hours after discovering a ransomware attack?

Following are the steps an organization should take immediately after discovering such an attack:

  1. Check when you conducted your last backup
  2. Check whether you actually need the data or not
  3. Engage with law enforcement
  4. Document everything
  5. Work on eradicating the issue so that the same incident does not happen again. This includes conducting forensic analysis with investigators, training, and updating policies.

About Mathieu Gorge:

Mathieu Gorge is the CEO and founder of VigiTrust. Mathieu is an established authority on IT security and risk management, with more than 20 years’ international experience. He is in high demand as a speaker at international security conferences, such as RSA, ISSA and ISACA, due in no small part to his reputation, experience and the success of VigiTrust’s 5 Pillars of Security Framework™. Mathieu’s areas of expertise include PCI DSS, GDPR, CCPA, HIPAA, VRM and ISO 27001. He has been involved in payment security for more than 15 years, and works closely with the PCI Council in the US and EU.

About VigiTrust:

VigiTrust is an award-winning provider of Integrated Risk Management (IRM) SaaS solutions to clients in 120 countries in the hospitality, retail, transportation, higher education, government, healthcare, and eCommerce industries. VigiTrust solutions allow clients and partners to prepare for, validate, and maintain compliance with legal and industry frameworks and regulations on data privacy, information governance, and compliance.

Do you think a lack of interest from decision makers is the primary reason for organizations suffering cyber attacks on a regular basis? Let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!