Ransomware & the Government: What Part Does Regulation Play?

US May Soon Regulate Private Companies and Mandate Higher Standards for Cybersecurity
It’s no secret that the recent large-scale ransomware attacks are a call to action for greater federal cybersecurity regulation. As it stands, security controls for most of the private sector are not mandated; adoption is largely voluntary. It has become apparent that voluntary standards are not getting the job done.
According to a report by Cybersecurity Ventures, a ransomware attack occurs every 11 seconds on average, and ransom demands range from $350,000 to $1.4 million. Malicious actors are operating with impunity, and many private sector organizations have failed to take the necessary precautions.
As a result, the U.S. may soon begin the work of regulating private companies and mandating higher standards for cybersecurity. Congressional initiatives including the Cybersecurity Act of 2012 and the Cybersecurity Information Sharing Act of 2015 could be the path to structuring these mandatory requirements, and the executive order on cybersecurity signed by President Biden in the spring of 2021 (Executive Order 14028, "Improving the Nation's Cybersecurity," May 12, 2021) is an indication that more stringent and explicit standards are on the horizon.
While the list of potential remedies is too long and target-specific to regulate exhaustively, some baseline themes recur: multifactor authentication (MFA), timely software patching, robust segregation of information (network segmentation and separation of sensitive data), mandatory offline or air-gapped system backups, and clearer identity management controls around administrative accounts.
A general posture of security hardening and investment seems prudent in the current climate, and in that regard there are several steps that make good security sense regardless of future mandates. These include:
Ensure adequate security policies and staffing: If one does not exist already, put an identity and access management (IAM) solution in place. Beyond gaining visibility into who has access to what across your environment, you’ll be able to enforce least privilege: employees get only the level of access to company information and systems they need to do their jobs. A central IAM solution also lets IT teams quickly revoke access, shrinking the window in which a departing or disgruntled employee could wreak havoc, and it is the natural place to require MFA on administrative accounts. Unless you have enough team members to implement and enforce these policies, however, the tooling alone accomplishes little.
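The three checks that paragraph describes (least privilege, prompt revocation of departed users, MFA on administrative accounts) are what a periodic access review actually computes. The following is an added example, not code from the original article or from any IAM product; the role policy, entitlement names and account inventory are constructed for illustration, and in practice the inventory would be exported from the IAM system and the HR status fed from the HR system of record.

```python
"""Least-privilege access review over an IAM account inventory (added example)."""
from dataclasses import dataclass

# Hypothetical role -> allowed entitlements policy (constructed names).
ROLE_POLICY = {
    "accountant": {"erp:read", "erp:post-journal"},
    "helpdesk": {"ad:reset-password", "ticketing:write"},
    "sysadmin": {"ad:domain-admin", "vsphere:admin", "backup:restore"},
}

# Entitlements that count as administrative and therefore require MFA.
ADMIN_ENTITLEMENTS = {"ad:domain-admin", "vsphere:admin", "backup:restore"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    enabled: bool
    mfa_enrolled: bool
    hr_status: str  # "active" or "terminated", as reported by HR


# Constructed sample inventory: bob holds an admin right his role does not
# grant, carol is an admin without MFA, dave left the company but is still enabled.
INVENTORY = [
    Account("alice", "accountant", {"erp:read", "erp:post-journal"}, True, True, "active"),
    Account("bob", "helpdesk", {"ad:reset-password", "ticketing:write", "ad:domain-admin"}, True, True, "active"),
    Account("carol", "sysadmin", {"ad:domain-admin", "vsphere:admin", "backup:restore"}, True, False, "active"),
    Account("dave", "accountant", {"erp:read"}, True, True, "terminated"),
]


def excess_entitlements(inventory, policy=ROLE_POLICY):
    """Map each user to the entitlements they hold beyond what their role allows."""
    findings = {}
    for acct in inventory:
        extra = acct.entitlements - policy.get(acct.role, set())
        if extra:
            findings[acct.user] = sorted(extra)
    return findings


def orphaned_accounts(inventory):
    """Accounts still enabled although HR marks the person as terminated."""
    return sorted(a.user for a in inventory if a.enabled and a.hr_status == "terminated")


def admins_without_mfa(inventory, admin_ents=ADMIN_ENTITLEMENTS):
    """Enabled accounts holding an administrative entitlement but not enrolled in MFA."""
    return sorted(a.user for a in inventory
                  if a.enabled and not a.mfa_enrolled and a.entitlements & admin_ents)


def review(inventory):
    """One access-review pass; each finding list is empty when the control holds."""
    return {
        "excess": excess_entitlements(inventory),
        "orphaned": orphaned_accounts(inventory),
        "admin_no_mfa": admins_without_mfa(inventory),
    }


def disable_orphans(inventory):
    """Revoke access for orphaned accounts in place; returns the users disabled.
    In a real IAM system this would call the provider's disable/deprovision API."""
    disabled = []
    for acct in inventory:
        if acct.enabled and acct.hr_status == "terminated":
            acct.enabled = False
            acct.entitlements = set()
            disabled.append(acct.user)
    return sorted(disabled)


if __name__ == "__main__":
    print(review(INVENTORY))
    print("disabled:", disable_orphans(INVENTORY))
    print(review(INVENTORY))
```

Running the review before and after `disable_orphans` shows the point of the paragraph: the tooling can find and cut the orphaned access in seconds, but somebody has to run the review, act on the excess-entitlement and MFA findings, and keep the HR feed accurate.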
Build out robust backup systems and continuity plans: To borrow Benjamin Franklin’s axiom, "An ounce of prevention is worth a pound of cure." Here the ounce of prevention is performing regular, robust backups of your systems and having a business continuity plan in place. You can’t plan for and prevent every possible attack scenario, but you can set up your organization so that recovery is quicker and more comprehensive: keep at least one backup copy offline or otherwise unreachable from the production network, since ransomware operators routinely seek out and encrypt or delete any backups they can reach; verify that backups are intact and actually restorable before you need them; and have a clearly defined strategy for how to proceed in the event of a cyber incident such as a ransomware or extortionware attack.
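A backup is only "robust" if you can tell whether it has been tampered with before you restore from it. The following is an added example, not code from the original article or from any backup product: it records a SHA-256 manifest of a backup tree, seals the manifest with an HMAC whose key is held out of band (with the air-gapped copy, never on the backup host), and then checks the tree against the manifest. The sample files, the scenario and the key are constructed for illustration; `demo()` simulates an intruder encrypting a backed-up file, dropping a ransom note, and finally rewriting the manifest to hide the change.

```python
"""Sealed-manifest integrity check for a backup tree (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large backup archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest. An attacker who can rewrite
    the backup share can also rewrite a plain manifest; the seal makes that detectable
    as long as the key is stored where the backup host cannot reach it."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(root: Path, manifest: dict, seal: str, key: bytes) -> dict:
    """Check the seal first; only then compare the tree on disk against the manifest."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        return {"manifest_trusted": False, "missing": [], "modified": [], "unexpected": []}
    current = build_manifest(root)
    return {
        "manifest_trusted": True,
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware on the backup share."""
    key = b"offline-key-held-out-of-band"  # constructed; in practice kept with the air-gapped copy
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "accounts.sql").write_bytes(b"INSERT INTO accounts VALUES (1, 'acme');\n")
        (root / "config.yml").write_bytes(b"retention: 30d\n")
        manifest = build_manifest(root)
        seal = seal_manifest(manifest, key)

        # Intruder encrypts one backed-up file (random bytes stand in for ciphertext)
        # and drops a ransom note next to the backups.
        (root / "db" / "accounts.sql").write_bytes(os.urandom(64))
        (root / "README_DECRYPT.txt").write_bytes(b"pay up\n")
        honest = verify_backup(root, manifest, seal, key)

        # Intruder also regenerates the manifest so the digests match the encrypted tree.
        forged = build_manifest(root)
        forged_result = verify_backup(root, forged, seal, key)
    return {"honest": honest, "forged_manifest": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unsealed check reports `db/accounts.sql` as modified and the ransom note as unexpected; the forged manifest fails the seal check outright, which is the signal to restore from the offline copy rather than from the reachable share. A manifest check is not a substitute for periodically restoring a backup end to end, but it is the cheap test that can run after every backup job.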
Strengthen not just the technology, but the people using the technology as well: Communication among all parties, including third parties, is a critical piece of cyber risk management, and your protection is only as strong as your weakest link. Break down existing siloed processes so that business stakeholders and IT and risk management decision-makers are in tune with each other. These units often operate independently and make decisions without consulting each other, but a robust security strategy requires consistency and collaboration among them. Take this one step further and make security training mandatory for all employees and stakeholders. Constant communication regarding cyber posture and third-party compliance, together with ongoing education for everyone involved, is key to preventing threats.
While the government determines how much and what kind of involvement in cybersecurity it should pursue, your organization should continue to strengthen its defenses, so that any legislation that may come about in the future is just another part of keeping your systems safe from unlawful intrusion.