While cyber warfare has not yet featured prominently in the conflict between Russia and Ukraine, the White House on 21 March 2022 issued a warning highlighting the importance for all organizations—especially those in critical sectors—to harden their cyber defenses.1 The guidance cited evolving intelligence indicating that Russia’s formidable cyber forces have been preparing to unleash a new wave of cyber attacks on both Ukraine’s and the West’s energy, finance, and communications infrastructure. Whether the attacks come from cyber vigilantes or the state itself, the risk level is alarmingly high.
In his statement, President Biden reiterated the need for corporations to assess their cyber risks, urging companies to act quickly to implement cybersecurity best practices. He also referenced guidance from Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which in a recent alert also encouraged companies to fortify themselves against possible attack: “We are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity.”2
As part of the regular course of business, organizations need to continuously evaluate their cyber posture and reinforce their cybersecurity controls accordingly, keeping in mind that cyber defense is a marathon, not a sprint. But this is not business as usual. CISA’s cyber threat and intelligence teams have indicated that it is a matter of when, not if, cyber attacks occur. The probability of second- and third-tier effects on organizations’ operations and supply chains is similarly high. Research also indicates that malware capable of erasing data has been found on hundreds of computers in Ukraine. It will not be long before it makes its way to the rest of the world.
In light of the current Russia-Ukraine crisis, businesses must double down on their cybersecurity and review and test their cyber posture. In the first instance, this requires raising awareness that individuals and systems may be at risk of cyber attacks and probes. Cyber hygiene should be at a premium within organizations.
Operationally, enterprises need to test their cyber controls, evaluate and immediately remediate any identified vulnerabilities, and adjust their controls as necessary. It is generally difficult to retrofit cybersecurity controls within the infrastructure and applications landscape. Cybersecurity controls should be part of the architecture and design of business applications and the underlying technology. An effective way for companies to understand their vulnerabilities and potential attack vectors is to probe them voluntarily before bad actors do. Ensuring a robust vulnerability management program—one that covers all critical assets and infrastructure—is paramount. Organizations should consider deploying a red team3 or using ransomware readiness exercises, including war games, to ensure everyone is aware of their roles and responsibilities during an incident.
To combat these heightened risks immediately, organizations, particularly those involved in critical infrastructure and other systemically important industries, need to ensure they are resilient in the event an incident occurs. Having a detailed understanding of the organization’s assets and data is key to being able to protect what’s important and to prioritize what systems need to be hardened and made redundant.
Organizations also need to assess their cyber risks with regard to people, impact on operations, and supply chain interruptions. While the world is still recovering from the impact of the pandemic on supply chains, the current conflict in Ukraine and Russia’s aggression will only add fuel to the fire. The Biden administration has warned of the supply chain vulnerabilities related to the U.S. semiconductor industry’s reliance on Ukrainian-sourced neon and the impact it will have on businesses.4 Several critical elements used in the manufacturing of semiconductors, aviation engines, and automobiles, and in agriculture and pharma, are sourced from Russia. Renewed due diligence of third-party vendors and the supply chain is needed. This includes identifying and assessing the organization’s dependence on or relationships with Russian- and Ukrainian-based software, tools, and technologies, including human resources such as outsourced software engineers, code writers, or hosted services. Ukraine’s Ministry of Foreign Affairs claims that more than 100 of the world’s Fortune 500 companies rely at least partially on Ukrainian IT services, with several Ukrainian IT firms being among the top 100 outsourcing options for IT services globally.5
This is also an opportune time for organizations to readdress cyber training for all of their employees, since hackers frequently bypass businesses’ firewalls through an innocent incorrect click or the opening of an inconspicuous email. Cyber attackers often use social engineering and cognitive hacking methods to break into a network or computer systems. Endpoint protection, MFA (multi-factor authentication), and phishing training and awareness may seem commonplace, but their importance cannot be overemphasized. Cognitive training methods can be used to enhance behavioral traits and help improve cybersecurity behaviors.
In light of the increased cyber risks highlighted by the Biden administration, corporations should do the following:
- Raise awareness of the heightened risk of cyber threats and vulnerabilities in the workforce, with an approach that gives each employee a sense of control over and engagement with cyber hygiene. Now is the time for effective cyber training. Individual cyber awareness and hygiene are things each person can practice to help defend the company and the country against attacks.
- Make the organization’s CISO an integral part of the conversation around how the organization is combating the sanctions against Russia, so that the CISO can provide insights toward robust threat analysis and continuous monitoring processes, including operations and the company’s third-party/vendor risk management, to continually assess the probability and the impact of a breach.
- Test and evaluate cybersecurity controls, while running diagnostics to discover potential vulnerabilities or malware present in key systems. This should include looking at third-party and supply chain vulnerabilities.
- Combine scenario planning and stress testing on the worst-case scenario with organization-wide cybersecurity training programs and senior-level tabletops. Knowing who is responsible for executing your cyber response plan and how to respond is essential before an event occurs.
- Connect with peer networks and empower teams to reach out to cyber and intelligence teams at peer companies, and to federal and local government partners that are closely watching the same threats.
- Ensure resiliency across all aspects of the infrastructure and data in case an event occurs. Have a clearly articulated and well-thought-out incident response plan.
- Take a collaborative approach and engage with service providers that have a proven track record of mitigating and minimizing cyber attacks on your business. K2 Integrity works with hundreds of organizations across industries globally, providing clients with collective industry experience and knowledge of the key tools and best practices that protect organizations from the evolving cybersecurity threat landscape.
1 The White House, “Statement by President Biden on Our Nation’s Cybersecurity” (21 March 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/.
2 U.S. Cybersecurity and Infrastructure Security Agency, “Shields Up” (14 February 2022), https://www.cisa.gov/shields-up.
3 Red Team exercises are well-orchestrated testing mechanisms combining elements of social engineering with penetration testing to gain insight into how the environment will fare in a real-world attack scenario.
4 Reuters, “White House Tells Chip Industry to Brace for Russian supply disruptions” (11 February 2022), https://www.reuters.com/article/ukraine-crisis-chips-idCAKBN2KG111.
5 Harvard Business Review, “The Cybersecurity Risks of an Escalating Russia-Ukraine Conflict” (18 February 2022), https://hbr.org/2022/02/the-cybersecurity-risks-of-an-escalating-russia-ukraine-conflict.