Increased Cyber Awareness Must Lead to Equivalent Action

Recent and widely publicized cyber attacks must be the impetus for a renewed and more concerted and coordinated global commitment to strengthen cyber security capabilities.

In May, the WannaCry ransomware attacks struck, underscoring the potentially disastrous consequences for health care facilities and their patients when medical records and medical devices are compromised. June brought yet another major attack in Petya, originally characterized as another widespread ransomware attack, but later revealed to draw upon a form of malware that does not steal data but, in fact, destroys it.

These types of attacks, and those that will follow, accentuate the increasing concerns about the continued escalation of the global cyber security crisis. It’s no longer just about stealing money and data, but one that’s now placing human lives at risk. While health care has been a primary target this time around, more threats loom on the potential for breaches or compromised access to industrial control systems that could result in penetration of critical infrastructure systems such as electric utilities, oil and gas facilities, or nuclear energy plants. This shines a spotlight on the need for a unified global response now.

Amidst the challenges of the current threat landscape, there are promising signs that an increasing number of enterprise leaders and boards of directors are making the defense of their organization against ransomware and other cyber threats a top priority. ISACA’s State of Cyber Security 2017 research showed the percentage of organizations with Chief Information Security Officers (CISOs) is up to 65 percent, a 15-point rise over the year before. And in a micro-poll of the ISACA professional community in the immediate aftermath of the Petya incident, half of respondents indicated they took action after WannaCry to bolster their defenses – in case something like Petya showed up.

Additionally, half of the post-Petya poll respondents indicated their organizations provide ransomware awareness training to their staff, and more than half of organizations are applying software patches within the first week that they are available. That’s a good start. Promoting cyber security awareness and adhering to basic cyber security fundamentals needs to be as common in the global digital economy as seatbelts are in cars. We have a long way to go to make this the reality.

While the past several months have created an aura of inevitability around major attacks, more than 4 in 5 respondents to our micro-poll indicate they expect ransomware attacks will be even more prevalent in the second half of 2017.We cannot accept this level of havoc as a ‘new normal.’ Putting in place a viable incident response plan is critical, but what’s worthy of further investment is protection before an attack happens. Every organization should proactively employ cyber security awareness for all staff, performance-based cyber security skills training, timely hardware and software updates, and the hiring of the most highly skilled staff to ensure preparedness for the next attack, ransomware or otherwise. Start with an assumption that your organization will be the next target of a cyber attack.

Governments need to exhibit bold leadership and do more, too. This includes a commitment from G20 nations to expand cyber security research and training, and standardize some of the measures that individual nations are putting in place. G20 nations also should consider providing cyber security resources and support to nations that are not equipped to invest in themselves, as the connectivity of the global digital economy means all of us are in this together. This can help amplify the reach of encouraging efforts that are unfolding at national levels, such as the UK’s National Cyber Security Strategy and the recent executive order on cyber security in the US. Expanding public-private cyber security partnerships, while leveraging the resources of industry associations and academia, also should be part of the solution.

As a global community, we remain vulnerable to the cyber threats that already are here today, as well as the ones that will surface tomorrow. We cannot fall victim to cyber attack ‘fatigue’; attacks like the WannaCrys and Petyas cannot become “business as usual.” Cyber security is everybody’s business. Cyber security is more than pickpocketing; it’s a matter of public safety. Awareness must translate into resolve, not resignation. Only then will we make even greater leaps toward a more safe and secure future.

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]