ISACA Survey: IT security and risk experts share ransomware insights in the aftermath of the Colonial Pipeline attack

The Colonial Pipeline attack caused massive disruptions to gasoline distribution in parts of the US this month, resurfacing preparedness for ransomware attacks as a front-burner topic for enterprises around the world.

Colonial reportedly authorised a ransom payment of US$4.4 million. In the ISACA survey, four out of five survey respondents say they do not think their organisation would pay the ransom if a ransomware attack hit their organisation. Only 22% say a critical infrastructure organisation should pay the ransom if attacked.

“In a vacuum, the guidance not to pay makes total sense. We don’t want to negotiate with criminals,” said Dustin Brewer, senior director of emerging technology and innovation at ISACA. “But when you need to get your business back online, a cost/benefit analysis is going to come into play, and a company is going to do what it needs to do to have continuity. Good cyber-hygiene has to be a focus to avoid getting to this point.”

Among the survey’s other findings:

• 85% of respondents say they think their organisation is at least somewhat prepared for a ransomware attack, but just 32% say their organisation is highly prepared.
• Four in five respondents say their organisation is more prepared for ransomware incidents now than four years ago, when the WannaCry, Petya and NotPetya attacks inflicted major damage. And two-thirds of respondents expect their organisation to take new precautions in the aftermath of the Colonial Pipeline incident.
• Nearly half of respondents (46%) consider ransomware to be the cyberthreat most likely to impact their organisation in the next 12 months.

Despite the clear risks from ransomware attacks, 38% of respondents say their company has not conducted any ransomware training for their staff. “The fact that more than 80% of organisations are more prepared for ransomware incidents now than they were during the 2017 attacks — and that so many will be taking new precautions after Colonial Pipeline — is wonderful news,” said Brewer. “Open reporting of cyberattacks appears to be working, and in this transparency, we can expect to see newer threats mitigated earlier with faster response times.”

ISACA recommends 10 steps companies can take to be better prepared for, and help prevent, ransomware attacks:

1. Understand risk profiles — Organisations should have their risk assessed to accurately prepare for potential attacks. To do this, cybersecurity teams must take inventory of responsibilities, products and services, and the technical requirements affiliated with each. By defining these risk areas, cyberteams can better assess areas that require the most attention when allocating cybersecurity resources.

2. Realise data responsibilities — Each employee on a cybersecurity team should realise the types of data that they are responsible for storing, transmitting and protecting.

3. Test for incoming phishing attacks — Most attacks start with a phishing campaign, and they continue to be effective. Try testing filters by sending yourself de-weaponised phishing emails identified by others from an external test email account. How often will they make it through? Test it. It is possible that email filters need to be strengthened.

4. Assess all cybersecurity roles on a regular, event-controlled basis — Regularly assess and audit cybersecurity controls to ensure that they are applied and maintained appropriately. A truly mature organisation will test these controls on both a time-based schedule and in response to incidents.

5. Evaluate patches on a timely basis — Ensure that patches are applied in an organised and methodical fashion. For vulnerable legacy systems that cannot be patched or updated, isolate them in the network and ensure that those systems do not have access to the Internet.

6. Perform regular policy reviews — Make sure that all pertinent cybersecurity policies not only exist, but are also regularly evaluated and updated based on the ever-changing cybersecurity landscape. Specifically, update these policies based on both time-based schedules and event-based instances.

7. Leverage threat intelligence appropriately — Reading and disseminating threat intelligence throughout a cybersecurity team can be overwhelming. Hacks and cyberattacks occur on a 24/7 basis, with different branches of similar attacks emerging overnight in many instances. Understanding which type of intelligence applies to your organisation and parsing it out correctly increases understanding of what threats may pose the greatest danger.

8. Protect end-user devices — We often forget to ensure 100% protection of end-user devices — not only for devices within the network, but for all devices used by remote users to access systems. Exclusion lists should be minimal.

9. Communicate clearly with executive leadership and employees — To gain executive support, ensure that reporting and communication to the leadership level is clear and accurate. Once leadership understands the threat, the risk and its potential impacts, cybersecurity teams are more likely to receive the funding and support required to protect the organisation.

10. Comprehend organisational cybermaturity — All points listed here are a part of comprehending an organization’s cybermaturity, or its developed defensive readiness against potential cyberattacks and exploitations. Tools like the CMMI Cybermaturity Platform can help organisations understand and improve their cybermaturity.

For more information, see cybersecurity expert and ISACA Emerging Trends Working Group member Chris Cooper’s analysis of the survey results and today’s ransomware landscape here.

Read the latest issue of World Pipelines magazine for pipeline news, project stories, industry insight and technical articles.

World Pipelines’ May 2021 issue

The May issue of World Pipelines includes a regional report on Canada’s oil and gas sector, as well as technical articles on integrity management software, leak detection, NDT, and project case studies. Don’t miss our feature on young pipeliners, in which World Pipelines’ Senior Editor Elizabeth Corner interviews the winners of the John Tiratsoo Award for Young Achievement, awarded by Young Pipeliners International, in partnership with PPIM.

Read the article online at: https://www.worldpipelines.com/business-news/25052021/isaca-survey-it-security-and-risk-experts-share-ransomware-insights-in-the-aftermath-of-the-colonial-pipeline-attack/