Countering Cyber Threats in a time of Conflict

This article was first published by Oliver Wyman here.


As the war in Ukraine enters another punishing week, companies and societies across the world face a heightened threat of cyberattacks. Russian state-sponsored actors have so far made no apparent attacks on institutions outside Ukraine but have in the past demonstrated the capability and willingness to target public and private infrastructure in neighboring states and beyond. And countless cyber criminals and other opportunists will seek to exploit the fog of war to launch malicious attacks for their own monetary gain.

Governments and companies need to be vigilant in tightening their cybersecurity protocols and heightening defenses to counter these threats. Fortunately, organizations aren’t starting from scratch. They have invested heavily in cyber in recent years and, in adjusting to remote working during the pandemic, overhauled security controls. Those efforts have been reinforced by closer regulatory scrutiny in the wake of recent attacks and new requirements from insurers seeking to deter ransomware attacks. Now, firms need to build on that progress and embed secure technology and procedures more widely, starting with four essential steps:

• Collaborate. Financial institutions and corporates need to work closely with peers, their most significant suppliers, and law enforcement to share threat intelligence, vulnerabilities, and potentially details about actual attacks.

• Use the capabilities you have. Plenty of tools have been developed and purchased in recent years but in many cases, they have not been fully or effectively deployed. That needs to change.

• Check suppliers. Drive your heightened level of vigilance deep into the supply chain.

• Look inside as well as out. Pandemic-driven changes in the workforce are affecting IT and cyber teams too, raising the threat from potentially disenfranchised or disgruntled workers and from new hires.

The risk of cyberattack is likely to grow as Western sanctions – which President Vladimir Putin has described as “akin to a declaration of war” – hit the Russian economy hard. The potential for harm is substantial. The NotPetya malware that Russia unleashed in Ukraine in 2017 spread to major companies around the world, causing an estimated $10 billion in damage. Corporations that have elected to cut or suspend operations in Russia in response to the invasion need to think hard about whether their cyber risk has increased.

Regardless of their sector or geographic location, companies can draw on a common playbook for enhancing cybersecurity.


Be a Collaborator

In today’s hyper-connected world, no organization can hope to find security by hunkering down alone behind its own walls. There is safety in numbers. Organizations also face increasingly common threats, as shown by the hack of network management software vendor SolarWinds. That attack, which the US government attributed to Russia’s intelligence services, compromised the computer networks of numerous government agencies in the United States and Europe and scores of companies. That’s why companies need to cooperate with peers, suppliers, and competitors. And the private sector needs to maintain a rich, relevant, and active dialog with the public sector to share information about threats, vulnerabilities, and suspicious behaviors, and formulate decisive practical plans for dealing with any attack.

The financial services sector has established a culture of collaboration through the Financial Services Information Sharing and Analysis Center, or FS-ISAC. This cooperation has intensified since the United States, the European Union, and other governments announced sweeping economic and financial sanctions on Russia, including a freeze on a significant chunk of the country’s foreign reserves and the removal of major Russian banks from the SWIFT payments network. Banks recognize that in the current environment, cyber defenses are essential to maintaining the stability of the financial system. Other industries, many of which have their own ISACs, need to follow this example.


Use Every Tool in the Cyber Defense Armory

In recent years, organizations have invested substantially in cybersecurity, and again financial institutions have been in the vanguard. Spending on information security across the US banking sector has increased at a compound annual rate of more than 15% in the last five years. During the pandemic, companies overhauled and upgraded security controls to account for different network access patterns using virtual desktop infrastructure (VDI), advanced multifactor authentication, and data loss prevention (DLP) capabilities. Asset management firms have spearheaded the adoption of biometric-based access methods, significantly reducing the risk of breaches through compromised passwords.

Companies need to focus their efforts on maximizing the use of these tools, ensuring they are integrated effectively and configured for optimal defense. The insurance industry is serving as a catalyst here. In response to the surge in ransomware attacks in recent years, insurers have been pushing companies to adopt tools like multifactor authentication, endpoint detection and response tools, email filtering, and enhanced cybersecurity awareness training and incident response testing. Increasingly, these are table stakes for even obtaining cyber insurance coverage.

Notably, organizations cannot ignore basic cybersecurity blocking and tackling. This involves fundamentals such as ensuring that the configuration management database (CMDB), the inventory of all IT services, software, and hardware assets, is up to date and that your teams have installed the latest software patches to address vulnerabilities. While tackling end-of-life systems is by no means a short-term fix, current circumstances reemphasize the need to continue to replace technology that’s not sufficiently cyber resilient against today’s increasingly malicious threats.
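The two fundamentals named above, a current CMDB and a current patch level, are easiest to keep honest when the inventory is reconciled against what a network scan actually shows. The script below is an added illustration, not code from the original article or from Oliver Wyman; the hostnames, products, versions and patch baseline are constructed sample data. It reports hosts on the network that the CMDB does not know about, CMDB records for hosts that no longer answer, records whose version no longer matches reality, and hosts running below the minimum patched version.

```python
"""Reconcile a CMDB export against a network scan and a patch baseline.

All data here is constructed for illustration: hostnames, products,
versions and the baseline are made up and stand in for a real export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str
    product: str
    version: str


# Constructed CMDB export: what we believe we are running.
CMDB = [
    Asset("web-01", "platform", "nginx", "1.20.1"),
    Asset("web-02", "platform", "nginx", "1.22.1"),
    Asset("db-01", "data", "postgres", "13.5"),        # CMDB says patched
    Asset("retired-07", "data", "postgres", "9.6.2"),  # decommissioned, never removed
]

# Constructed scan results: what the network actually shows, hostname -> (product, version).
SCAN = {
    "web-01": ("nginx", "1.20.1"),
    "web-02": ("nginx", "1.22.1"),
    "db-01": ("postgres", "13.2"),      # reality disagrees with the CMDB
    "jump-99": ("openssh", "8.2p1"),    # host nobody registered
}

# Constructed patch baseline: minimum acceptable version per product.
BASELINE = {"nginx": "1.22.0", "postgres": "13.4", "openssh": "8.9"}


def parse_version(version):
    """Turn '1.22.1' or '8.2p1' into a tuple of ints so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def reconcile(cmdb, scan, baseline):
    """Return four sorted findings lists:
    unmanaged  - hosts seen by the scan but absent from the CMDB
    stale      - CMDB records for hosts the scan did not find
    mismatched - (host, cmdb_version, scanned_version) where the record is out of date
    unpatched  - (host, product, version, minimum) where the scan is below baseline
    """
    known = {a.hostname: a for a in cmdb}
    unmanaged = sorted(h for h in scan if h not in known)
    stale = sorted(h for h in known if h not in scan)
    mismatched = []
    unpatched = []
    for host, (product, version) in sorted(scan.items()):
        record = known.get(host)
        if record and record.version != version:
            mismatched.append((host, record.version, version))
        minimum = baseline.get(product)
        if minimum and parse_version(version) < parse_version(minimum):
            unpatched.append((host, product, version, minimum))
    return unmanaged, stale, mismatched, unpatched


def main():
    unmanaged, stale, mismatched, unpatched = reconcile(CMDB, SCAN, BASELINE)
    print("Not in CMDB:        ", unmanaged)
    print("Stale CMDB records: ", stale)
    print("Version mismatches: ", mismatched)
    print("Below patch baseline:")
    for host, product, version, minimum in unpatched:
        print(f"  {host}: {product} {version} < {minimum}")


if __name__ == "__main__":
    main()
```

The mismatch list is the one worth watching: `db-01` is recorded as patched in the CMDB while the scan shows it is not, which is exactly the gap a paper-only patch review misses.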


Look Down the Chain and Inside the House

Recent attacks like SolarWinds have shown how vulnerabilities can exist deep in digital supply chains. Organizations need to engage proactively with suppliers to make sure they are taking the cyber threat seriously and adopting the same types of controls on authentication, access, patch management, and other sources of risk.

Reliance on third-party tech, data, and digital solutions is increasing as organizations call upon leading-edge capabilities they don’t have the talent, time, or appetite to build themselves. Given this increased dependency, the rules of engagement are changing. This means having more exacting requirements of third parties so that a given enterprise can be sufficiently comfortable in using its vendors. The typical body of requirements is increasingly stringent and demanding, encompassing areas ranging from malware and data protection policies to information classifications and incident management procedures.

Companies also need to be vigilant about insider risk. The Great Resignation has affected cybersecurity and IT staffs as well as other areas of the workforce. Turnover is up, and many employees may be new and largely unknown to their colleagues. This can create key-person risk, where plans assume the presence of capable individuals or teams that may no longer be there. Therefore, it’s essential to verify that playbooks and associated procedures are sufficient based on current threats and that the right people are in place and prepared.

The labor force flux also provides an opportunity for disgruntled employees or bad actors. To guard against this risk, companies should review and as necessary tighten their policy on background checks, require password resets, make sure that employees’ access and privileges are consistent with their roles, and be prepared to actively monitor for suspicious behavior.
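The three controls just listed (password resets, access matched to role, monitoring for suspicious behaviour) can be run as one periodic access review. The script below is an added illustration, not code from the original article or from Oliver Wyman; the role baselines, user records and log lines are constructed, and the 90-day reset window and the 00:00 to 05:00 UTC off-hours window are assumed policy values. It flags entitlements a user holds beyond their role's baseline, credentials not reset within the window, and log events where an account uses an entitlement its role should not have or acts at an unusual hour.

```python
"""Periodic access review over constructed identity data and access-log lines.

Roles, users, entitlements, dates and log lines are all made up for the
example; the reset window and off-hours window are assumed policy values.
"""
from datetime import date

# Constructed role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "developer": {"git:write", "ci:read", "jira:write"},
    "dba": {"db-prod:admin", "db-prod:read", "jira:write"},
    "support": {"jira:write", "crm:read"},
}

# Constructed user records: current role, currently granted entitlements, last password reset.
USERS = {
    "alice": {"role": "developer",
              "granted": {"git:write", "ci:read", "jira:write"},
              "last_reset": date(2022, 1, 10)},
    "bob": {"role": "developer",            # moved from the DBA team, kept the old admin grant
            "granted": {"git:write", "ci:read", "db-prod:admin"},
            "last_reset": date(2021, 6, 1)},
    "carol": {"role": "support",
              "granted": {"jira:write", "crm:read"},
              "last_reset": date(2020, 11, 3)},
}

# Constructed access-log lines in a simple key=value format.
ACCESS_LOG = [
    "2022-03-08T02:14:09Z user=bob action=export resource=db-prod:admin rows=250000",
    "2022-03-08T09:05:41Z user=alice action=push resource=git:write",
    "2022-03-08T10:22:00Z user=carol action=read resource=crm:read",
]

TODAY = date(2022, 3, 9)        # fixed review date so the example is reproducible
MAX_RESET_AGE_DAYS = 90         # assumed policy value
OFF_HOURS_END = 5               # assumed: activity before 05:00 UTC is unusual


def excess_privileges(users, baseline):
    """Map user -> sorted entitlements held beyond the role baseline (users with none are omitted)."""
    findings = {}
    for user, record in users.items():
        extra = record["granted"] - baseline[record["role"]]
        if extra:
            findings[user] = sorted(extra)
    return findings


def stale_credentials(users, today, max_age_days=MAX_RESET_AGE_DAYS):
    """Sorted users whose last password reset is older than the allowed window."""
    return sorted(u for u, r in users.items()
                  if (today - r["last_reset"]).days > max_age_days)


def parse_log_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict; the timestamp is stored under 'ts'."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = timestamp
    return fields


def suspicious_events(log, users, baseline):
    """(user, resource, reasons) for events outside the role baseline or in off-hours."""
    findings = []
    for line in log:
        event = parse_log_line(line)
        user, resource = event["user"], event["resource"]
        reasons = []
        if resource not in baseline[users[user]["role"]]:
            reasons.append("outside role baseline")
        if int(event["ts"][11:13]) < OFF_HOURS_END:
            reasons.append("off-hours")
        if reasons:
            findings.append((user, resource, reasons))
    return findings


if __name__ == "__main__":
    print("Excess privileges:", excess_privileges(USERS, ROLE_BASELINE))
    print("Stale credentials:", stale_credentials(USERS, TODAY))
    for user, resource, reasons in suspicious_events(ACCESS_LOG, USERS, ROLE_BASELINE):
        print(f"Suspicious: {user} used {resource} ({', '.join(reasons)})")
```

The point of checking against the role baseline rather than against the grant list is that a grant which survived a role change (bob's database admin right) is both an excess privilege in the review and a suspicious event the moment it is used.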

No single step can guarantee protection against cyberattacks, but in recent years companies have learned a great deal about the threat, acquired many tools, and built expert teams to strengthen their defenses. With geopolitical tensions running high, organizations need to be fully prepared to mobilize and ensure they are using those tools effectively and collaborating across peers, suppliers, and the authorities.

At critical times like this, historical investments in cyber risk management and security show their real value. As one CFO at a Fortune 500 enterprise recently remarked, “the business case for cyber investment is that we get to stay in business when the worst happens.”