A soldier takes part in anti-terrorist operations in Eastern Ukraine in this April 2015 photo by Noah Brooks via flickr.
Written by Gabriel Dillard
Amid the growing struggles between the Ukraine and Russia, new concerns about cybersecurity have emerged. The fast-moving conflict has left corporate security teams thousands of miles away studying their network logs and sifting through a flood of threat intelligence from Ukrainian authorities, U.S. officials, experts and cybersecurity researchers. Some businesses have responded by more aggressively monitoring their computer systems whether they have business in the region or not.
U.S. Federal agencies have been engaged this week with companies in the U.S. to help them prepare for the possibility of targeted cyberattacks.
But what does this mean for individual businesses? Mostly, businesses should continue with their usual cybersecurity measures and initiatives — patching and updating systems, conducting regular security scans and so on.
There are, however, some special circumstances that businesses should consider, as follows:
Companies with technology or data in Ukraine or the surrounding region
Companies should audit their exposure to heightened cyber threats in the region by ensuring they are aware of the endpoints (personal computers), servers and networking devices in the region. Where possible, data should be moved to other regional servers. During periods of cyberwarfare, even entities that are not targeted may experience collateral issues because of the heightened activity.
Companies considered critical to the infrastructure of the United States or suppliers to those companies
The Department of Homeland Security has 16 industries it designates as “critical to the infrastructure of the U.S. Those industries include critical manufacturing, commercial facilities and health care: https://www.cisa.gov/critical-infrastructure-sectors
We take part in the DHS coordinating committee for critical manufacturing. Since the Ukraine crisis begin, DHS has been both sharing and asking companies for information about any significant anomalous network activity. If your company falls into one of these 16 categories, you also can engage with DHS for ongoing updates.
Companies with little to no cybersecurity protection
If you are a very small business or have not yet taken any steps on cybersecurity, this can put you at a higher risk of being targeted under any set of circumstances, but especially in a more threatening environment. The Cybersecurity and Infrastructure Security Agency has also launched an initiative called Shields Up, which provides practical, free resources for enhancing your cybersecurity posture: https://www.cisa.gov/shields-up
All companies with outdated devices containing proprietary data
Regardless of your company’s situation, it is more important than ever to protect data stored on end-of-life devices. Not enough businesses pay attention to the data-storing technologies they use and what happens to that tech at the end of its life. For environmental, regulatory and sustainability purposes, these devices must be responsibly recycled. When that happens, part of the process should always include complete, physical data destruction. Guaranteed data destruction is key. Some companies believe their data is being wiped when they drop devices off for recycling and that is not always the case. Also, unethical and illegal shipping of e-waste abroad has become an additional layer to the hardware security issue because it leads to the wholesale liquidation of our national security and the privacy of the corporations and individuals of the United States. Recycling these devices is important, but it must be done the right way. Make sure your e-waste recycler is NAID certified.
Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.