Law 1: Everything that is connected to the Internet can be hacked.
Law 2: Everything is being connected to the Internet.
Law 3: Everything else follows from the first two laws.
Whether we like to believe it or not, our lives are now governed by these laws, according to Zurich Insurance and the Atlantic Council. Because of this, the Zurich and Atlantic Council team argues that we need, now more than ever, a plan to protect our companies and our information.
There are two broad sets of tips to address, according to the duo. The first set, the one we’ll discuss in this post, is for individual organizations, whether companies, government agencies, or even individuals.
The second set is for improving the Internet as a systemic whole, to help reduce the chances of global cyber shocks and their impact. These are for governments, organizations with a system-wide view, and select companies like major Internet service providers (check out that post here).
Local Risk: Tips for Individual Organizations
Basic: These actions are the simplest and have changed little in decades. Yet one of the reasons cyberspace remains so pervasively insecure is that many organizations still ignore them.
- Application whitelisting: Do this, they advise. When an organization allows its computers to run only a limited set of pre-approved programs, an attacker's malware and tools are blocked by default, stopping many intrusions before they can progress.
- Use of standard secure system configurations: A fleet built from a few hardened, standard configurations is far less expensive to manage and simpler to defend, because there are fewer variants to verify and fewer places for an insecure setting to hide.
- Patch application software within 48 hours: Get this, they say. A "window of vulnerability" opens when a patch is released, because the fix tells attackers where the flaw is, and it closes only when the patch is applied. Shrinking that window from weeks to days reduces the opportunity for attackers to strike.
- Patch system software within 48 hours: The same 48-hour target applies to operating systems and other system software, not just applications; an unpatched operating system undermines every patched application running on it.
- Reduced number of users with administrative privileges: Users with "administrative privileges" hold the keys to the castle: they can install software, change security settings, and read any data on the systems they administer, and any malware running under their account inherits those powers. Yet many companies grant every employee this access.
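To make the first of these controls concrete, here is an added example (not code from the Zurich/Atlantic Council report) of a minimal hash-based application allowlist. The point it shows beyond the text above is that a sound allowlist identifies programs by the SHA-256 of their contents rather than by file name, so a malicious binary dropped under a trusted name, or a trusted binary that has been tampered with, is denied, while an unmodified approved binary is allowed wherever it sits. All file paths and file contents are constructed for the demonstration.

```python
"""Added example: a hash-based application allowlist (deny by default).
Files and contents below are constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Map content hash -> path for every pre-approved executable."""
    return {sha256_file(p): p for p in approved_paths}


def is_allowed(path, allowlist):
    """Deny by default: only an exact content hash on the allowlist may run.
    An unreadable or missing file is denied rather than assumed safe."""
    try:
        return sha256_file(path) in allowlist
    except OSError:
        return False


def demo():
    """Construct a scenario in a temp dir and return the decision per case."""
    d = tempfile.mkdtemp()
    approved_bytes = b"\x7fELF approved business application"

    approved = os.path.join(d, "approved.exe")
    with open(approved, "wb") as f:
        f.write(approved_bytes)
    allowlist = build_allowlist([approved])

    # Attacker drops malware using the trusted file name in another directory.
    spoofed = os.path.join(d, "downloads", "approved.exe")
    os.makedirs(os.path.dirname(spoofed))
    with open(spoofed, "wb") as f:
        f.write(b"\x7fELF malicious payload")

    # Attacker trojanises the approved binary (a single byte appended).
    tampered = os.path.join(d, "tampered.exe")
    with open(tampered, "wb") as f:
        f.write(approved_bytes + b"\x00")

    # An unmodified copy of the approved binary under a different name.
    renamed = os.path.join(d, "renamed.bin")
    with open(renamed, "wb") as f:
        f.write(approved_bytes)

    return {
        "approved": is_allowed(approved, allowlist),
        "spoofed_name": is_allowed(spoofed, allowlist),
        "tampered": is_allowed(tampered, allowlist),
        "renamed_copy": is_allowed(renamed, allowlist),
        "missing": is_allowed(os.path.join(d, "nope.exe"), allowlist),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {'ALLOW' if verdict else 'DENY'}")
```

Production allowlisting tools (OS-level policy engines) enforce the same idea at execution time and usually accept code-signing identity as well as hashes; the check above only illustrates why name- or path-based rules are not enough.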
Advanced: Larger organizations should engage in more advanced cyber risk management. Some of the action items in ascending order of difficulty:
- Cyber insurance: With cyber insurance, companies can transfer cyber risks associated with data breaches or business interruption. Talk to your broker about what’s available.
- Demand more resilient and secure standards and products: Larger organizations have purchasing power; they can require vendors and standards bodies to build more security and resilience into the products and standards they adopt.
- Pushing out risk horizon: Advanced companies extend their view of risk management beyond their own perimeter to counterparties, outsourced partners, and the upstream infrastructure they depend on, since a breach or outage at any of them becomes the company's own problem.
- Board-level risk management: Cyber risks can bankrupt and ruin companies; companies must include a broad view of global aggregations of cyber risk, hold executives to account, and move away from a checklist/audit perspective.
Resilience: Future cyber shocks may be of such frequency and intensity that organizations will have to weather them as they do natural disasters. So, resilience will be critical.
- Redundancy: Provide alternatives for use during Internet disruptions. An example is using more than one ISP, but only if they do not share the same peering points or upstream paths; two links that meet at the same peering point share a single point of failure and will go down together. Diversify, diversify, diversify.
- Incident response and business continuity planning: Have trained teams ready to respond when the worst happens.
- Scenario planning and exercises: Build muscle memory for responding to incidents. Have drills, exercises, and seize every opportunity to create “teachable moments” for responders and executives.
Read the full report by Zurich Insurance and the Atlantic Council.