By James Winebrenner, CEO, Elisity
Thanks to the Biden Administration, the U.S. government is allocating $1.9 billion to cybersecurity as part of the $1 trillion Infrastructure Bill (the Infrastructure Investment and Jobs Act), signed into law in November 2021. While this is a huge milestone and an important first step in bolstering the country’s cybersecurity posture, quite simply, it’s a drop in the bucket compared to the investment that’s needed.
Despite the U.S. government taking a more active role in the battle against cybercrime, more needs to be done defensively to protect the private companies that make up much of the critical infrastructure in our nation. Here’s why: Total global losses from cybercrime in 2021 are estimated to top $6 trillion, with the U.S. being the biggest target. IDC reports that about 37% of organizations were the victim of a ransomware attack in 2021, and the average ransom demand has skyrocketed from just $5,000 in 2018 to $200,000 today.
But it’s not just ransomware that’s posing a threat; social engineering attacks climbed 270% in 2021, driven by the widespread adoption of cloud-based apps and browsers, and 86% of organizations had at least one employee unwittingly connect to a phishing site in 2021. These are astronomical numbers – and they continue to climb as cybercriminals adopt increasingly sophisticated techniques for infiltrating corporate networks.
Recent Attacks Underscore Critical Need for Funding
The financial losses and impact of a single attack dwarf the $1.9 billion earmarked for cybersecurity. Take Merck, for instance, the global drug manufacturer that suffered a massive attack. NotPetya – a Russian state-sponsored cyberattack, attributed by the U.S. and U.K. governments to the Russian military, that masqueraded as ransomware – locked up 30,000 of Merck’s laptop and desktop computers, as well as 7,500 servers, crippling the company’s production facilities and impacting its ability to meet the demand for vaccines such as Gardasil 9. By the time the situation was under control, Merck had suffered over $870 million in damages – and it wasn’t the only company impacted by the attack. NotPetya spread quickly, jumping from computer to computer and infiltrating networks at some of the world’s largest corporations, including FedEx, Maersk, advertising firm WPP and others. To this day, the group that launched the NotPetya attack is still active, and it’s not unreasonable to believe they’ll strike again.
A second example is the SolarWinds breach in 2020. SolarWinds – which develops network management software – was the victim of a massive supply-chain attack by Russian state-backed hackers, who inserted a backdoor into signed updates of its Orion platform and used it to spy on SolarWinds’ clients, including cybersecurity firm FireEye, as well as Microsoft and some top government agencies. The attack went undetected for months, and highly sensitive data was exposed. More than 80% of the companies targeted were non-governmental organizations, and the estimated average cost per affected company was $12 million.
In other words, collateral damage from these state-sponsored attacks requires private companies to foot the bill, and there’s no real investment in helping them mitigate the risk and impacts of future attacks.
So, Where Is the Money Going?
Of the $1.9 billion in government funding, $1 billion will be allocated to helping state, local and tribal governments modernize their infrastructure, while $100 million is set aside for the Department of Homeland Security. Another $21 million will fund the newly created Office of the National Cyber Director, $500 million will go to the Cybersecurity and Infrastructure Security Agency (CISA), and $100 million will be invested in federal civilian systems not deemed national security systems. The remaining funds will be distributed amongst cloud security initiatives, industrial control systems security, and the migration of local and tribal governments to the .gov domain.
It’s a great start, but when you consider how much money is needed to bolster the defenses of the Fortune 500, hospitals and pharmaceutical companies, and oil and gas companies, you’re looking at trillions of dollars in infrastructure, software and manpower investments to prepare the nation’s infrastructure to fend off inevitable attacks in the coming years.
To bridge the gap, organizations must take a proactive approach. Instead of waiting for additional funds to throw at the problem, they must evaluate how to allocate the funds they receive in a highly strategic manner, and focus on building a strong foundation by adopting best practices and proven technologies for combating cybercrime.
Here are four critical areas of focus as you plan where to use the funds you receive in your organizations:
- Prescriptive frameworks: The first step is to adopt a strong cyber risk management framework and integrate it with your risk management program. For example, the Department of Defense (DoD) recently launched version 2.0 of the CMMC, a framework for protecting the defense industrial base from complex cyberattacks. Other frameworks such as the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), the Center for Internet Security Critical Security Controls (CIS Controls) and the International Organization for Standardization (ISO) standards ISO/IEC 27001 and 27002 are all designed to help organizations put sound cybersecurity practices in place. These frameworks can help you evaluate and update your current practices, assess your maturity level and create a plan for raising the level of the protections and safeguards you have in place.
- Skilled labor: IT security teams in many organizations are short-staffed and lack the resources necessary to handle a cyberattack. According to the 2021 (ISC)² Cybersecurity Workforce Study, there’s still a global workforce shortage of cybersecurity professionals. Although 700,000 new entrants joined the field in 2020, 2.72 million more professionals are still needed to effectively defend organizations’ critical assets. As expected, the study revealed that problems arise when staff are overtaxed – everything from misconfigurations to delayed software patches. Without sufficient staffing, teams just don’t have the time to implement proper risk assessment and management programs. What’s more, many aren’t given the responsibility to be proactive in protecting corporate networks. To address this problem, focus on training existing IT staff or allocating funds to provide competitive salaries that attract experienced cyber professionals. Additionally, automating routine tasks with technology can help to alleviate the workload.
- Zero Trust: As a result of the pandemic-era shift toward the hybrid work environment, businesses have become vulnerable to attacks on unprotected devices that are connecting to the corporate network remotely from employees’ homes. It’s an unprecedented scenario that requires a new approach to cybersecurity, and government guidance and certification programs such as the NSA’s zero trust guidance and the DoD’s CMMC are encouraging organizations to adopt a Zero Trust architecture. With Zero Trust, all users and devices, whether inside or outside the corporate network, must be authenticated, authorized and continuously validated before accessing applications or data. Static, perimeter-based access policies of the past, which trust a device simply because it sits on the internal network, are insufficient – only dynamic, contextual access policies that are applied to new devices the moment they connect to the network can reduce the risk of a successful attack and its ability to spread from device to device. As you decide where best to invest your new funds, work toward deploying a Zero Trust network and Zero Trust policies to enhance visibility and security, particularly in the hybrid workplace, and make it more difficult for bad actors to infiltrate your distributed IT infrastructure.
- Leadership education: Executive buy-in is essential for any cybersecurity program, but many CEOs are not as involved as they should be. PwC’s 2022 Global Digital Trust Insights survey found that non-CEO respondents say CEOs tend to be more reactive than proactive when it comes to cybersecurity, and 63% say their organization doesn’t get the support it needs from its CEO. But executive buy-in is critical when it comes to cybersecurity, because protecting the organization isn’t just about having the right frameworks and technologies in place – cultivating a culture of security across the organization is equally important. Security is every employee’s responsibility, and building awareness comes from the top. Training everyone in the organization to prevent a breach, recognize a potential attack and report suspicious activity is essential to building a robust cybersecurity posture.
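To make the Zero Trust point above concrete, here is an added illustration (not code from the article or from Elisity): a toy policy evaluator that runs the same constructed access requests through a legacy perimeter rule ("internal source address means trusted") and through a contextual rule that checks identity, MFA, device compliance, session freshness and per-application authorization on every request. The address ranges, the 15-minute re-validation window, the application-to-role table and all of the scenarios are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Assumed for the example: the "inside" address ranges a legacy perimeter trusts.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed: how old the last identity/device check may be before a request is refused.
MAX_VALIDATION_AGE_S = 15 * 60
# Assumed application -> roles permitted to reach it. Targets not listed are denied.
APP_ROLES = {
    "payroll": {"finance"},
    "hr-portal": {"hr", "finance"},
    "git": {"engineering"},
}


@dataclass
class Request:
    """One access attempt as a policy engine would see it (constructed data)."""
    src_ip: str
    app: str
    user: Optional[str] = None      # None: no authenticated identity behind the request
    role: Optional[str] = None
    mfa: bool = False
    device_managed: bool = False    # enrolled in the organization's device management
    device_patched: bool = False    # passes the endpoint compliance check
    seconds_since_validation: int = 0


Decision = Tuple[bool, str]


def legacy_perimeter_policy(req: Request) -> Decision:
    """Static rule: anything arriving from an internal address is trusted."""
    if any(ip_address(req.src_ip) in net for net in INTERNAL_NETS):
        return True, "internal source address"
    return False, "external source address"


def zero_trust_policy(req: Request) -> Decision:
    """Contextual rule: verify identity, freshness, device and authorization every time."""
    if req.user is None or not req.mfa:
        return False, "no MFA-authenticated identity"
    if req.seconds_since_validation > MAX_VALIDATION_AGE_S:
        return False, "session validation is stale; re-authenticate"
    if not (req.device_managed and req.device_patched):
        return False, "device is unmanaged or non-compliant"
    allowed_roles = APP_ROLES.get(req.app, set())   # default deny for unknown targets
    if req.role not in allowed_roles:
        return False, f"role {req.role!r} is not authorized for {req.app!r}"
    return True, "identity, device and authorization verified"


def evaluate(policy: Callable[[Request], Decision],
             requests: List[Tuple[str, Request]]) -> Dict[str, bool]:
    """Return {scenario label: allowed?} for one policy over a list of requests."""
    return {label: policy(req)[0] for label, req in requests}


# Constructed scenarios, not real traffic.
SCENARIOS: List[Tuple[str, Request]] = [
    ("remote_finance_user", Request("203.0.113.7", "payroll", user="alice", role="finance",
                                    mfa=True, device_managed=True, device_patched=True,
                                    seconds_since_validation=120)),
    ("malware_on_lan_host", Request("10.1.4.22", "payroll")),
    ("engineer_probing_payroll", Request("10.1.4.30", "payroll", user="bob", role="engineering",
                                         mfa=True, device_managed=True, device_patched=True)),
    ("finance_on_unpatched_byod", Request("192.168.1.9", "payroll", user="carol", role="finance",
                                          mfa=True, device_managed=False, device_patched=False)),
    ("finance_with_stale_session", Request("10.1.4.40", "payroll", user="dave", role="finance",
                                           mfa=True, device_managed=True, device_patched=True,
                                           seconds_since_validation=2 * 3600)),
    ("lan_host_to_lan_host_smb", Request("10.1.4.22", "workstation-smb", user="eve", role="hr",
                                         mfa=True, device_managed=True, device_patched=True)),
]


if __name__ == "__main__":
    for name, policy in (("legacy perimeter", legacy_perimeter_policy),
                         ("zero trust", zero_trust_policy)):
        print(f"--- {name} ---")
        for label, req in SCENARIOS:
            allowed, reason = policy(req)
            print(f"{label:28s} {'ALLOW' if allowed else 'DENY':5s} ({reason})")
```

Running it shows the gap the paragraph describes: the perimeter rule admits every request that originates on the LAN, including the unauthenticated process on a compromised host, the engineer reaching for payroll, and workstation-to-workstation SMB (the path NotPetya-style worms take), while rejecting the legitimate finance user working from home. The contextual rule inverts that outcome, and its default deny for targets missing from the application table is what limits spread between devices.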
A Down Payment on the Nation’s Future
The new government funding for bolstering the nation’s cybersecurity is an important step forward toward helping the U.S. achieve a state of cybersecurity readiness to combat state-sponsored attacks like NotPetya. However, more must be done. While organizations can have an immediate impact by implementing cybersecurity frameworks, training staff, raising awareness among the C-suite, and implementing the right technologies, additional funding will eventually be necessary to not only remediate attacks, but continue to evolve and strengthen cybersecurity systems, and keep pace with the changing cyber landscape. In other words, it’s a great down payment for funding our nation’s journey to cybersecurity – and we’d better invest the money wisely.