Issue Thirteen

April 2022

Over the past six weeks we’ve heard quite a bit from The White House and our top security agencies. Sanctions imposed on Russia have sparked concerns around potential retaliation, and recent intelligence seems to be validating those concerns.

Advice from The White House is aimed at prioritizing preparedness and resilience across our critical infrastructure – a tall order considering the entities span across 16 sectors of the economy. Adding to the complexity is the ever-fragile trust exchange between the private and public sector.

Collaboration and intelligence sharing between the two is a delicate dance and a sticking point for both sides. Finding the sweet spot will be a challenge for industries that aren’t used to regulation and oversight, but it’s an essential journey if we’re ever going to leverage the collective power required to improve the resilience of our critical infrastructure.

Pushing out from the center of those efforts is the interconnected supply chain that supports our critical industries across the board - small to medium-sized businesses that provide the lifeblood not only to those industries but to our economy as a whole.

Ensuring those businesses have the proper guidance and protections in place is critical to the overarching mission. It will take a cultural shift that moves all the way from our top government agencies down to the staff members within our critical, small business support systems.

The single, largest vulnerability that exists today is the human element that powers these organizations.

As a first course of action, we must work to dispel the myth that cybersecurity is an IT or technology problem. It’s a cultural problem that requires the fabric of security be woven in and throughout every organization – to secure the human perimeter.

“Amateurs hack systems, professionals hack people.” – Bruce Schneier


ZEROING IN


The hard truth behind Biden’s cyber warnings

Politico

Over the past several weeks, President Biden has warned of significant concerns regarding threats to our critical infrastructure. Intelligence agencies have witnessed active scanning of the networks of some of those sectors, which proves outright, at least at some level, that our critical infrastructure is being sized up.

The challenge is twofold:

  1. Our critical infrastructure spans 16 economic sectors, some of which are regulated and some of which are not. Fostering an environment in which the private-sector-managed industries cooperate with public sector intelligence agencies has been the struggle thus far.

    Getting both sides on the same page will likely require the moderation and oversight of a new, intermediary agency that can listen to both sides and devise a plan that comes as close to satisfying both parties as possible. This is critical in getting off high center to begin leveraging the power of the collective to harden these environments.

  2. We must understand that not all critical infrastructure is created equal. Prioritization of these efforts should start with the most critical to our national safety and work out from there. We cannot realistically tackle these problems as a singular effort. It’s far too broad and complex.


We’ll need to evaluate the criticality of each sector and the impacts a disaster would have on our economy and national safety should one be crippled. From there we can organize and prioritize our efforts in earnest.

One thing is certain: the electric grid should live at the very top of this priority list for the foreseeable future.

“The reality is if you take away power, none of the other 15 officially designated critical infrastructure are going to work.”


The Cyber Butterfly Effect: Don’t Let A Weak Link In Your Supply Chain Damage Your Business

Forbes

The interconnectivity of our supply chain continues to grow in complexity, stretching from coast to coast and weaving throughout every critical industry. Every business, regardless of size, plays a significant role in protecting the whole.

“A weak link in a supply chain can have disastrous consequences—and as we’ve seen throughout the pandemic, the impact of supply chain issues can be further reaching than anyone could have imagined.”

This is largely due to the fact that the single, largest supply chain that exists today is the digital supply chain. The pandemic and remote workforce have introduced an accelerated adoption of digital platforms and software to innovate and adapt to a more agile business model. While that has proven to be advantageous for most, it also means we’re all connected more than ever before.

For the past two years, the focus has been on how we do business, and it’s time to now focus on who we do business with.

There is no business too small to evade the responsibility of supply chain security. In fact, businesses with fewer than 100 employees will see 350% more social engineering attacks than larger organizations.

The future success of protecting an organization will be dependent upon the security maturity of its closest-in partner organizations. This is especially true for those partners that are critical to business operations.

“Therefore, organizations should always first check the business background of the partner they are planning to work with, much like a “credit check.” If the company’s cybersecurity “credit” rating is low, you know you’re at a higher risk of loss or damage if you work with them.”


How to build a culture of cybersecurity

MIT Sloan School of Management

Scaling the challenge down even further, we must look at the single largest vulnerability that exists today – accounting for over 90% of all successful breaches – the human element.

Considering nearly every business is made up almost entirely of humans, the solution to reducing this risk is establishing a security-first culture. A successful effort will not be a top-down cascade of commands that eventually trickles down to the team on the front lines. The responsibility will not be relegated to the effectiveness of cybersecurity awareness training.

It must be a thoughtful approach that fosters a feedback loop that circulates the entire organization.

A mature culture embodies these qualities:

  • In all organizational meetings, leaders prioritize cybersecurity, making it clear to everyone that it’s an intrinsic part of corporate values. Not only do the executives communicate these values, but they are also visibly aligned by putting them on display.

  • Cybersecurity issues begin to permeate discussions among employees and seep into how teams work together. Slack and Zoom meetings include cybersecurity-related topics, and non-technical business groups begin to seek out guidance on how they can be more secure.

  • Employees gain a general awareness of the kinds of threats possible and feel empowered to take action if they encounter something suspicious. Moreover, they know exactly what to do in the event of an incident.

“We put so many resources into ’locking up’ using technology that we forget about the back doors in the organization, and that’s usually people. We need a culture of cybersecurity because you can’t tell everyone everything they need to do. You need them to understand that organizational safety is part of what they need to do in today’s world.” - Keri Pearlson, executive director of Cybersecurity at MIT Sloan.

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
