On January 11 this year, three agencies of the U.S. government issued a Cybersecurity Advisory (CSA) to the public regarding Russian state-sponsored cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA) was joined by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The CSA covers the tactics, techniques, and procedures (TTPs) of Russian cyberattacks and explains how to detect, respond to, and mitigate them.
The release of this CSA early in 2022 reflects the trend that analysts expect for the year: a further increase over the surge in cybersecurity attacks in 2021. Forbes cited data from the Identity Theft Resource Center (ITRC) showing that the volume of cyber breaches in the first three quarters of 2021 alone already exceeded all of those in 2020.
Russia is not the only state that sponsors cyberattacks. The 14 Cyber Security Predictions for 2022 and Beyond by Mandiant, which gathered the opinions of global leaders and experts, included China, Iran, and North Korea as countries that are likely to use cyber espionage and cyber assaults. Add to these cybercriminals who are in it for the money.
The pandemic has left many companies with part of the workforce on-site and the rest working remotely, which makes cybersecurity more difficult to manage. It also makes it even more crucial to have stronger defenses in place.
Physical security is also part of cybersecurity. It ensures that unauthorized persons cannot access equipment from which they can retrieve data. For companies that have on-site data storage, this is even more critical. Physical entry to spaces with equipment storing sensitive data must be limited to a few authorized persons. These spaces must have their own high-security access, preferably using biometrics to ascertain identity. Reliable biometric lock systems are readily available in leading hardware stores like Banner Solutions. Inconspicuous security cameras must monitor the entrance and the interior of the space. This will provide leads when an unauthorized entry occurs.
Even when a company prefers to have all its data stored on-site, it must have an off-site backup that is continuously updated. If any breach occurs, or even a fire or flooding that destroys on-site data, the backup must be immediately available without any gaps. This will ensure the continuity of the business and the services it provides to its clients.
Companies must train all personnel on cybersecurity measures. Even employees who have no direct access to sensitive data but are in the company’s internal email system can become unknowing door openers for hackers. If they click on a malicious attachment, link, or website, they can be letting the hackers into the company’s entire system. Having employees working outside the office increases the risk of exposure. Employees could be using personal computers that do not have enough security measures for work.
One way of mitigating this is by separating the general company email system from the rest of its digital systems. If a breach occurs through email, the damage will be minimal.
Access to data must be categorized on a need-to-know basis depending on the employee’s role in the company. Data will then be divided into silos or levels. If one is breached, the other silos must not be affected.
Best Practices in Cybersecurity
Companies can use the government’s cybersecurity best practices as a basis for their own measures. The U.S. Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program sets levels of cybersecurity standards required for contractors and suppliers who want to work with the DoD’s defense industrial base (DIB).
The first CMMC program was launched in 2020 with five levels of increasing stringency. The level required for a contractor or supplier depends on the type of service or product it provides to the DoD. Level 1 includes 17 practices in basic cyber hygiene, while Level 2 includes 72 practices considered intermediate cyber hygiene. Level 3 has 130 practices deemed to be good cyber hygiene, and Level 4 has 156 practices considered proactive cybersecurity. Finally, Level 5 has 171 practices considered advanced cybersecurity.
The latest version, CMMC 2.0, was announced in November 2021 and is expected to be effective between August and November 2022 after its formal rules are announced and commented on by the public. CMMC 2.0 only has three levels. The foundational level includes 17 practices and requires yearly self-assessment. The advanced level consists of 110 practices in line with the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. In addition to yearly self-assessment, it requires third-party triannual assessment for sensitive national security information. The expert level has more than 110 practices also from NIST SP 800-171. The required triannual assessment is to be led by the government.
The U.S. Department of Labor (DOL) also has a Cybersecurity Program Best Practices document prepared by its Employee Benefits Security Administration. This detailed checklist covers all the bases and will benefit any company.