Message to the Private Sector: Harden Your Cyber Defenses Immediately

Now that the rapid response dust has settled, I wanted to comment on the Statement by President Biden on our Nation’s Cybersecurity.

In a statement from the White House at the beginning of this week, President Biden of the United States echoed a message from the US federal government to the private sector that has been growing in volume and urgency for years - critical infrastructure must “harden your cyber defenses immediately.” You can read it here, and – no, there are no surprises.

We heard a similar message from AXA XL and Munich Re two weeks ago. The reality is that the private sector, especially organizations, and companies affiliated with critical infrastructure, are over-exposed to cyber risk. This clearly leaves insurance underwriters, economies, and nations exposed risk in general. I believe the financial losses suffered from by cyber insurers and (re)insurers of the last two years are an unfortunate, but much less severe indicator of what could be, when compared to cyber-attacks because of geo-political conflicts such as the Russian-Ukrainian conflict (which was the obvious impetus behind the Whitehouse statement this Monday.) See our conversation on this topic at the DeNexus and ForeScout webinar on day 1 of this event.

So, what do we do with this information?

Well, nothing or everything. In the end, this statement was another plea, and a loud one. A plea to do what the United States has been warning the industrialized world to do for a long time, beginning with the Obama Administration, then under the Trump administration and again under the Biden Administration. Recent advancements on cybersecurity guidance with NIST and the MITRE ATT&CK Framework are thankfully providing much needed guidance for cybersecurity leaders managing critical infrastructure and IT enterprise networks. The recent tensions between Russia and the much of the world due to their invasion of Ukraine have only placed an explanation mark behind the following:

• Patch Often: Seek maximum device visibility and policy management capability so that you can patch carefully in the OT environment. Perimeter quickly and inside carefully.
• Calculate your cyber risk exposure: If you cannot calculate your cyber risk, focus on doing so immediately based on FAIR™ (Factor Analysis of Information Risk). Doing so will guide cybersecurity investments when CISO’s are fighting for budget and align with the insurance strategy to transfer risk.
• Use Frameworks: Adhere to the NIST CSF and MITRE ATT&CK frameworks as guidance in threat protection, detection and response actions.