This post first appeared on Federal News Network. Read the original article.
As more and more companies are targeted by state-sponsored cyberattacks, as well as shadowy cybercriminal organizations that operate with the tacit endorsement of hostile governments around the world, they have a responsibility to build cybersecurity into all their systems and operations. This means generating organizational alignment around cybersecurity priorities, working with government and law enforcement to target cybercriminal activity, and most importantly, developing a robust cybersecurity training platform.
How to defend your company in an era of cyberwarfare
News about crippling cyberattacks on critical infrastructure, governments cooperating with criminal syndicates on the darkweb, and rapidly increasing state cyberwarfare capacities can be intimidating for companies. How can they hope to stand up against such powerful cyber arsenals around the world? While this perception is understandable, it’s also misleading – even cyberattacks that are launched by powerful governments often rely on the deception of public officials or employees, which means these attacks can be prevented with cybersecurity training.
However, there’s a lot of work to be done.
According to a survey conducted by Arctic Wolf, 60% of executives believe their employees couldn’t identify a cyberattack that was targeting their business. A 2021 Keeper report on the impact of ransomware attacks found that almost a third of employees lacked adequate cybersecurity training prior to being attacked, while 29% didn’t even know what ransomware was. Although 90% of companies provided additional cybersecurity training after suffering a ransomware attack, we know the average cost of a data breach is $4.24 million, and it typically takes 287 days to get one under control.
What can companies do to protect themselves and the country from acts of cyberwarfare? Considering the fact that 85% of successful data breaches involve a human element, cybersecurity awareness is the single most effective countermeasure companies can use to identify and thwart cyberattacks. Here are several guidelines for making your training platform as effective as possible:
- Training should be engaging, consistent and focused on concrete learning outcomes, such as reduced click rates on phishing tests and knowledge retention.
- Employees should never be punished for reporting a potential cyberattack, even if they’re at fault. When employees make mistakes, these incidents should always be treated as learning opportunities. Positive reinforcement works better than punishment.
- Phishing simulations and tests should be an integral part of your cybersecurity training platform, as phishing is among the most common types of cyberattacks.
- Know the difference between cybersecurity training and learning. It’s essential to set specific goals for your cybersecurity training platform and hold your employees and managers accountable.
- Generate organizational alignment around cybersecurity. Just as companies in many different industries and sectors have to work with government and law enforcement to protect the country from state-sponsored cyberattacks, all departments and teams have to be aligned around your company’s cybersecurity priorities.
When cybersecurity education is frequently reinforced and employees are encouraged to report any suspicious activity, your workforce will build healthy cyber aware habits and ultimately establish a culture of cybersecurity at your company. If companies across the country make cybersecurity a central element of their culture, they’ll protect themselves and ensure that our national defense against acts of cyberwarfare will be much stronger.
Cyberwarfare is increasing in scale and intensity
According to a 2021 report published by the International Institute for Strategic Studies: “For many countries, cyber policies and capabilities have moved to center stage in international security.” A recent Atlantic Council report explains that offensive cyber capabilities “continue to proliferate with increasing complexity and to new types of actors.” As governments orient their focus toward cyberwarfare and their cyber capacities increase, we will see surging state-sponsored cyberattacks in the coming years.
A recent HP study found that the number of “significant” state-sponsored cyberattacks spiked by 100% from 2017 to 2020. In the study, 64% of the experts surveyed believe there has been a “worrying” or “very worrying” escalation of “tensions within cyberspace.” A survey conducted by the Economist Intelligence Unit and Cybersecurity Tech Accord found that 80% of businesses are worried about being targeted by a state-sponsored cyberattack, while a majority of respondents say this concern has increased over the past five years.
After the Russian invasion of Ukraine, the U.S. Cybersecurity and Infrastructure Security Agency issued a “Shields Up” warning which recommends that “all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” Before the invasion, a Russian cyberattack knocked out Ukrainian satellite operations by targeting a system operated by Viasat, an American company. Beyond affecting Ukraine’s military capabilities, the attack interrupted internet service for thousands of people across Europe.
HP notes that one-fifth of state-sponsored cyberattacks were related to regional conflicts between 2017 and 2020, but this proportion is likely to rise with increasing geopolitical tension around the world.
Companies are integral to our national defense against cyberwarfare
When hostile governments launch cyberattacks, companies are often directly targeted or hit with collateral damage. This is because many companies are responsible for overseeing important sectors like critical infrastructure, while interconnected networks and systems make it increasingly likely that an attack won’t remain isolated in a single country or organization. It didn’t take long for NotPetya to sweep around the world and cause a huge amount of damage in many countries. Geopolitical realities can put companies at risk as well – because so many governments are imposing sanctions on Russia, they’re all potential targets for cyberattacks.
CISA and other government agencies have been working with the private sector to strengthen our national cyber resilience for years. As the agency states on its website: “Public-private partnerships are the foundation for effective critical infrastructure security and resilience strategies, and timely, trusted information sharing among stakeholders is essential to the security of the nation’s critical infrastructure.”
A March 2022 study published by the Center for Strategic and International Studies reports that over 40% of cyberattacks targeted small and medium-sized businesses in 2021. This is a reminder that all companies are responsible for keeping their customers and communities safe from cyberthreats, no matter their size.
The HP report on state-sponsored cyberattacks found that the most frequent targets of these attacks are businesses and enterprises, which represent more than a third of all the victims analyzed. “Irrespective of sector or size,” the report explains, “business appears now to face comparable risks from Nation States as it has done from traditional cybercriminals.” Some businesses are more at risk than others. For example, at least 10 percent of state-sponsored cyberattacks hit critical infrastructure, while 90% of organizations in the utility, energy, health, and transportation sectors reported that they experienced at least one successful attack between 2017 and 2019.
Companies have been asked to contribute to the national defense many times throughout history; consider the American auto manufacturers which produced tanks, aircraft, and other types of military equipment during World War II. The difference today is that companies across every industry and sector now have a vital role to play in keeping the country safe.
Dr. Shaun McAlmont is CEO of NINJIO.