Find out what it means and how to approach it.
We know the chances of being affected by a cyber attack are high. Pick your study and it says the same thing - expect a significant cyber attack in the next five years. If we know the cyber attacks are coming, then why are we almost always surprised by the reports? The threats are not “ten feet tall.” Just doing some basic things can make you much more ready to defend against or respond to a cyber attack.
The solution is “cyber-resilience.” It is the ability to continue your business or mission despite unwanted cyber activity.
Here are 4 tips to make your business much more cyber-resilient:
- Make your network defendable. You get to choose what the “terrain” and your attack surface look like. You get to choose your hardware, your software, and how it’s all connected together. Now is the time to act! For instance, you could:
  - Ask your IT team or IT Services Provider where all of your access points are. The answer will be revealing, as there are often many “doors that need to be shut.” You must know how your network is accessed by both authorized users (those who log in or use USB devices) and unauthorized means (such as malware on a flash drive or someone who “hacks in” from the internet). You get to choose how your network and systems are accessed.
  - Upgrade your operating systems (OS) and applications to current software. When you do this, choose your OS and applications based on at least three factors: the business you need to do, the significance of the threats for that software, and the ease/cost of sustainment such as patching and other maintenance.
- Define what is “normal” for your information systems. You must know what “normal” is so you can detect deviations from it. Responding to anomalous activity is much less threat-dependent. You can employ automatic responses or have a person in the loop, but either way it is critical that you can detect abnormal cyber activity. Specifically, you could:
  - Hire a managed service to deploy their software and detect and/or respond for you, or
  - If you have the in-house expertise, deploy and use the right software to establish your baseline and then detect anomalies, or
  - At least watch your network manually by monitoring network traffic and logs, then detecting and responding.
- Plan and train. You must plan and train for what you’ll do when things go wrong, especially if you plan to respond “in house.” Either way, to effectively fight through abnormal events, you must write down your plan. It is important to note that having a written plan will help even if you plan to outsource your incident response (determine who you will call and have the relationship in place). And then train your team to know what to do - train, exercise, learn, and train some more. I recommend talking to a managed service provider either way so you can make an informed decision about this critical area.
- Take action now. This is your chance to choose your tailored approach. This is different from other business areas. You have the luxury of choosing what the terrain looks like, where you reside within it, and how you’ll respond to disruption. Cost, responsiveness, and effectiveness are all important, but the most important factor is that you choose now and choose wisely!
Every situation is different but those in the Defense Industrial Base (DIB) and their customers are often heavily dependent on safe and fearless information systems in the face of great uncertainty. This makes cyber-resilience and having options a necessity. Now is the time to take steps toward acknowledging the reality. In war fighting parlance, we must maintain our freedom of action. You might not know what the attack will look like, and you might not respond exactly as planned, but you know it IS coming and you’ll need to be ready to act and keep the mission going. As Eisenhower said, “…plans are useless but planning is indispensable.”
Troy Johnson previously was the Technical Director for Cyber Operations, Development and Evaluation Center for Raytheon and the Director of Navy Cybersecurity Division for the Chief of Naval Operations staff. In addition, Troy was once the Navy’s Operational Designated Accreditation Authority (ODAA), was the intellectual leader for the Navy’s Task Force Cyber Awakening (TFCA) and subsequently established a permanent cyber security division on the Navy’s headquarters staff. Over the past 5 years Troy has been focused on priority risks to our government missions and business objectives.