At a time of technological transformation and “cyber everywhere”, the attack surface for organizations is exponentially growing and cyber criminals are going after operational systems and backup capabilities simultaneously in highly sophisticated ways—leading to enterprise-wide destructive cyber attacks.
That’s one of the key findings of a report by consulting firm Deloitte released earlier this year, before the coronavirus pandemic and its related security threats had made a significant impact on the world.
As part of the research, Deloitte conducted an online poll of more than 2,800 C-level and other executives in December 2019, asking about cyber security and cyber recovery protocol. A majority of the respondents (65%) said the growing threat of destructive cyber attacks is one of the top cyber risks at their organization.
The report warned that it was time for senior leadership to modernize risk management programs and solutions in order to keep pace with the current threats and technologies, and to incorporate new educational tools, technical solutions, and business strategies.
“A truly viable cyber resilience program can benefit an organization’s ability to recover, respond, and be ready for a destructive cyber attack,” the report said.
The study cites as an example the well-publicized impact of the NotPetya attack, which spread beyond its intended target within a matter of seconds. Cyber attacks can compromise countless devices and quickly spread across global networks, rendering servers and endpoints inoperable.
Whether it’s destructive malware or ransomware, attacks such as these can propagate quickly and extensively impact an entire enterprise network, the report says.
“Even organizations with fundamentally sound risk management programs will need to adapt to emerging and elusive cyber risks and the destructive impacts they present,” the report said. “Improving cyber attack readiness, response, and recovery will require a new approach to many traditional risk domains.”
These types of attacks are successful for a number of reasons, Deloitte said. One is that many organizations have poor access management, which is often the open door through which a destructive attack will initiate and spread.
Another is weak cyber hygiene, which has a direct impact on enterprise security and can be most commonly seen in the form of missing patches, misconfigurations of systems, partially deployed security tools, and poor asset discovery and tracking.
Companies also tend to have poor asset management, with limited knowledge of specific applications, operating systems, or devices, and the relationship between those components. Another factor is the presence of flat networks, which allow adversaries to easily maneuver to any system. Minimal segmentation and zoning allow for lateral movement, the study said, expanding the adversary’s reach into the enterprise.
In addition, many enterprises use aggressive data redundancy for critical systems as part of their data recovery strategies, and when malware is introduced these backup capabilities accelerate its spread across environments.
Finally, organizations have limited business awareness. “Leadership may still be operating under the assumption that the time, money, and effort put into traditional disaster recovery programs are going to protect them in a destructive malware scenario,” the report said. “They need to be aware of the gaps and refocus efforts on these emerging threats.”
A viable cyber resiliency program expands the boundaries of traditional risk domains to include new capabilities such as employee support services; out-of-band communication and collaboration tools; and a “cyber recovery vault”, the report says.
A cyber recovery vault is isolated on the network to limit lateral movement by bad actors, secures the environment physically and logically, prevents deletion or destruction of critical data, and can be analyzed to accelerate identification of suspicious activities.
Given the design of the vault, data sits in a cryogenically frozen state. That means malware might enter the vault but will be unable to deliver its payload. This makes it possible to extract and cleanse affected data, recover critical systems, and restore business operations as soon as possible, the report says.
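To make the vault properties described above concrete, here is an added illustration (not Deloitte's design or code) of the two controls that keep vault data "frozen": every ingested copy is write-once and retention-locked, so it cannot be deleted or overwritten while the lock holds, and each copy carries an ingest-time hash so that anything that alters data inside the vault is detected and the newest clean copy can still be recovered. The `RecoveryVault` class, its retention period and the sample data are all constructed for this example.

```python
"""Simulated cyber recovery vault: write-once copies, retention lock, and an
integrity manifest. Constructed illustration, not a vendor's implementation."""
import hashlib
import time


class RetentionLocked(Exception):
    """Raised when a caller tries to delete a copy whose lock has not expired."""


class RecoveryVault:
    def __init__(self, retention_seconds, clock=time.time):
        self.retention = retention_seconds
        self.clock = clock      # injectable so retention can be tested offline
        self.copies = {}        # (name, version) -> (data, locked_until)
        self.manifest = {}      # (name, version) -> sha256 recorded at ingest

    def ingest(self, name, data):
        """Store a new version; existing versions are never overwritten."""
        version = 1 + max((v for n, v in self.copies if n == name), default=0)
        key = (name, version)
        self.copies[key] = (bytes(data), self.clock() + self.retention)
        self.manifest[key] = hashlib.sha256(data).hexdigest()
        return version

    def delete(self, name, version):
        """WORM semantics: deletion is refused until the retention lock expires."""
        key = (name, version)
        if self.clock() < self.copies[key][1]:
            raise RetentionLocked(f"{name} v{version} is retention-locked")
        del self.copies[key]
        del self.manifest[key]

    def verify(self, name, version):
        """True if the stored bytes still match the hash taken at ingest."""
        data, _ = self.copies[(name, version)]
        return hashlib.sha256(data).hexdigest() == self.manifest[(name, version)]

    def latest_clean(self, name):
        """Newest version that passes integrity verification, or None."""
        for n, v in sorted(self.copies, reverse=True):
            if n == name and self.verify(n, v):
                return v, self.copies[(n, v)][0]
        return None


def demo():
    """Constructed scenario: two good copies, then storage of v2 is altered
    (standing in for malware that reached the vault). Returns (clean version,
    whether v2 still verifies)."""
    vault = RecoveryVault(retention_seconds=3600, clock=lambda: 1000.0)
    vault.ingest("crm-db", b"clean snapshot 1")
    vault.ingest("crm-db", b"clean snapshot 2")
    vault.copies[("crm-db", 2)] = (b"encrypted junk", vault.copies[("crm-db", 2)][1])
    return vault.latest_clean("crm-db")[0], vault.verify("crm-db", 2)
```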
More than one quarter of the survey respondents (26%) reported that their organization’s biggest challenge in implementing a cyber recovery vault is budget restrictions. Organizations concerned about costs should consider first deploying a critical materials vault limited to protecting essential services, Deloitte says.
“This accelerates protection against these threats, reduces the initial spend, and enables the organization to analyze additional protection requirements in parallel,” it says.
Unfortunately, at a time when so many enterprises are grappling with the challenges of a pandemic, they also continue to face significant cyber security threats that could bring the business to a halt. It’s more important than ever that security leaders and teams take the necessary steps to ensure that processes keep running as effectively and securely as possible.