Are businesses prepared for an extinction-level cyber event?

In an era of technological transformation and cyber everywhere, the attack surface is exponentially growing as cyber criminals attack operational systems and backup capabilities simultaneously in highly sophisticated ways leading to enterprise-wide destructive cyberattacks, a Deloitte survey reveals.

Majority of C-suite and executive poll respondents (64.6%) report that the growing threat of destructive cyberattacks is one of the top cyber risks at their organization.

It’s time for senior leadership to modernize risk management programs and solutions to keep pace with the current threats and technologies to incorporate new educational tools, technical solutions and business strategies.

A truly viable cyber resilience program can benefit an organization’s ability to recover, respond and be ready for a destructive cyberattack, where over a quarter of respondents (27.2%) believe a comprehensive approach to cyber resilience would most improve their organizations’ approach address these potential extinction-level events.

Why it matters

The well-publicized impact of the NotPetya attack, for example, spread beyond it’s intended target in seconds, and highlights how cyberattacks can compromise countless devices and spread across global networks in seconds rendering servers and endpoints inoperable.

From destructive malware to the growing threat of ransomware, attacks like these can propagate quickly and extensively impact an entire enterprise network.

Even organizations with fundamentally sound risk management programs will need to adapt to emerging and elusive cyber risks and the destructive impacts they present. Improving cyberattack readiness, response, and recovery will require a new approach to many traditional risk domains.

Why are these attacks so successful?

• Poor access management: A fundamental issue that is pervasive and is often the open door through which a destructive attack will initiate and spread.
• Weak cyber hygiene: Poor cyber hygiene has a direct impact on enterprise security and can be most commonly seen in the form of missing patches, misconfigurations of systems, partially deployed security tools, poor asset discovery and tracking.
• Poor asset management: This can happen when organizations have no knowledge of specific applications, operating systems, or other device information, and the relationship between those applications.
• Flat networks: Flat networks allow an adversary to easily maneuver to any system. Minimal segmentation and zoning allow for lateral movement, expanding the adversary’s reach into the enterprise.
• Aggressive redundancy: Traditional recovery results in aggressive data redundancy for critical systems. When malware is introduced, these costly backup capabilities accelerate the spread across environments.
• Limited business awareness: Leadership may still be operating under the assumption that the time, money and effort put into traditional disaster recovery programs are going to protect them in a destructive malware scenario. They need to be aware of the gaps and refocus efforts on these emerging threats.

“Understanding your organization’s attack surface, and what implications a destructive cyberattack may have are important, but what is critical is to avoid ‘analysis paralysis’ and move quickly on deploying the proper technical solutions, like the cyber recovery vault, educational tools and business strategies.

“Senior leadership and boards need to get a grasp of what their traditional disaster recovery plan provides, what it does not provide, and how an attack might play out.

“When boards are made aware of the risk, these capabilities are often prioritized and quickly implemented,” said Pete Renneker, technical resilience leader in cyber risk services and a managing director at Deloitte & Touche LLP

“Physical and traditional outages are often measured in hours or days. Whereas destructive attacks are often measured in weeks or months, which can be very difficult to recover from.

“To be successful, you have to have strong agile capabilities and leaders on the ground who can address the risks and interact effectively in the event of a large-scale incident,” said Kieran Norton, infrastructure security leader in cyber risk services and principal at Deloitte & Touche LLP

Building a comprehensive cyber approach

A viable cyber resiliency program expands the boundaries of traditional risk domains to include new capabilities like employee support services; out-of-band communication and collaboration tools; and a cyber recovery vault.

A cyber recovery vault is isolated on the network to limit lateral movement by a threat actor, secures the environment physically and logically, prevents deletion or destruction of critical data, and can be analyzed to accelerate identification of suspicious activity.

Given its design, the data sits in a cryogenically frozen state, meaning malware may enter the vault but will be unable to deliver its payload. This makes it possible to extract and cleanse affected data, recover critical systems, and restore the business as soon as possible.

With 26.3% of respondents reporting that their organization’s biggest challenge in implementing a cyber recovery vault is budget restrictions, organizations should consider focusing first on deploying a critical materials vault limited to protecting essential services.

This accelerates protection against these threats, reduces the initial spend, and enables the organization to analyze additional protection requirements in parallel.