Telling Sign of the Times

On the morning of Tuesday, June 27, the headlines began rolling in from Europe. It was another cyber attack, yet it quickly became obvious that this wasn’t quite like the others we recall from recent incidents. News reports stated that the Ukraine took the brunt of the blow, with its government, Kiev airport, state power utility, and metro system all severely hit.

Large companies in Europe and the U.S. were also hit by the malware. Pictured below is a sign hastily created and placed in front of the DLA Piper office in Washington, D.C. It warns employees to refrain from turning on their computers – “No exceptions.” Also affected were the massive Danish shipping company AP Moller-Maersk, Russian giant state-owned oil company Rosneft, U.S. pharmaceutical company Merck, and British advertising powerhouse WPP.

First reports attributed the attack to the WannaCry-like Petya ransomware. Cybersecurity firm Kaspersky later discovered that the cause is a new, previously unseen “NotPetya” strain that had hit at least 2,000 users across the Ukraine, Russia, France, Germany, Italy, Poland, the UK, and the U.S.

Many analysts have been predicting a widespread global attack, and this incident set a new bar. It has become abundantly clear that no one is immune from attack. As such attacks become more common, affecting an ever-growing number of countries, organizations and users, awareness about associated dangers and motivation to do more will continue to grow, as it should.

The first tendency of many in situations like this is to wrongly blame the CISO. They have the ultimate responsibility for securing company networks, and their average 18-month lifespan at large companies are an indication of how responsible they are held, but that’s simply not realistic and ransomware points out why. The CISO can ensure that every network connection is protected and every perimeter secured, but much vulnerability will remain beyond his/her control.

It should be clear by now that cybersecurity must involve the entire organization – top to bottom. For example, the roles of HR and Procurement introduce new risks into the enterprise every day. When new employees are hired and given access to the company data they need to do their jobs, that’s a new risk that should be monitored and guarded. When new vendors are brought on, they should be vetted before connecting them to company networks. Engaging and training relevant parts of the workforce, not just in the IT department, are critical in supporting CISOs and in mitigating cyber risk.

Moreover, we aren’t facing a breakdown in technology. Most perimeter defense and network disruption detection technologies do their job effectively. What we are seeing is a failure to put the right people, processes, and policies in place to minimize the chance of a successful cyberattack. All the perimeter defenses in the world can’t stop a careless executive or employee from mindlessly clicking on a link. Engaging the entire company from the top down is critical in changing the current dynamic.

How ironic that it takes a whiteboard, such as the one from DLA Piper in the image above, to convey a message of such seriousness? What will it take for signs like DLA Piper’s message board to become extinct, rather than multiply across many companies? The key is adopting effective cyber risk governance processes. They must be based on an established national standard for assessing and monitoring cyber risk. The only rational choice of standards is NIST’s Cybersecurity Framework (CSF), and it should be implemented broadly.

Organizations must be committed from the top down. Without the backing of the CEO and board of directors or the equivalent, organizations will continue to play risk-balancing games instead of attacking the problem head-on.

This attack is just one of many to come.  What more must happen for leadership in companies and government agencies to realize the perimeter that is not solid is the internal one?