On Monday, March 21, President Biden told the private sector in no uncertain terms that Russian-led cyberattacks may be coming, warning business leaders to “harden your cyber defenses immediately.”
In preparation for possible attacks, the White House issued a fact sheet advising companies on how to ramp up defenses. Suggestions include mandating multi-factor authentication, encrypting and backing up data offline, and running drills of emergency plans in case of hacks.
Should we panic? The US Cybersecurity and Infrastructure Security Agency (CISA) first alerted companies to the heightened possibility of Russian-led ransomware attacks via a February 26 announcement, which warned of “malicious cyber activity” targeting the “critical infrastructure sector” in the US. The agency implored businesses to “shore up their systems.”
As the crisis worsened and NATO allies imposed economic sanctions on Russia, Senator Mark Warner, the Virginia Democrat who leads the Senate Intelligence Committee, told The New York Times that Russia might use cyberattacks in retaliation. He believed Russia could levy “direct cyberattacks against NATO countries or, more likely, in effect [unleash] all of the Russian cybercriminals on ransomware attacks at a massive level that still allows them some deniability of responsibility.”
Rob Shavell, co-founder of Abine, an online digital-privacy service, and who has over a decade of experience in cybersecurity solutions, told HR Brew that remote work has generally made companies easier targets.
Shavell explained that remote work has “increased the surface area of [company] data” as employees communicate with each other back and forth across often-insecure personal home networks. He said the result is over “10 times as many” possible entry points for malicious attacks in remote or hybrid work arrangements compared with a traditional in-person work environment.
Shavell also warned that cybercriminals have gotten smarter—he says they’re buying or scraping executives’ personally identifiable information (PII) from the internet to craft highly personalized messages to trick employees into falling for phishing schemes.
Hyper-personalized. “The problem is that the hackers, and the Russian hackers in particular, have gotten very good at personalization at scale. They can run basically massive amounts of [phishing] attempts [where they] send very realistic messages to literally tens of thousands of people that are hyper-personalized,” Shavell explained. “And, unfortunately, because people are busy, and they’re on their phones, or they’re at home or what have you, they have a higher conversion percentage [than other attacks].”
Taken together, Shavell called March 2022 “perfect” for increased cybersecurity incidents.
“You’ve got the war, people working from home that are distracted, and the easy availability of all this information to design perfect, personalized hacks at scale, and [it] doesn’t cost [hackers] much,” Shavell said. “So unfortunately, you’ve got the worst of all three things converging at one particular point in time—and that’s March 2022.”
According to a new study from Barracuda Networks, a cybersecurity research firm, small businesses may be particularly at risk from cyberattacks. Barracuda Networks analyzed data from January–December 2021 and found that, on average, employees at small businesses with 100 employees or fewer could expect to receive 350% more “social engineering attacks” than employees at larger firms.
Bottom line. The White House’s fact sheet tells companies that when it comes to cybersecurity, it’s best to “bake it in, don’t bolt it on.” Judging by the past month’s activity, both government and industry appear to be baking in security from all angles.
This month, Big Tech companies like Microsoft, as well as the federal government, joined the defensive effort. According to The New York Times, Microsoft worked with federal agencies to help Ukraine and other European nations defend themselves against newly identified Russian “wiper” malware. Last week, President Biden signed a law requiring timely reporting of certain cyber incidents and ransomware payments for businesses in critical industries.
Advocates say this law is critical to helping businesses stay abreast of risks in the cybersecurity landscape and update their own policies and procedures in response to new threats. But the Wall Street Journal reports that critics are wary of the vague language about enforcement. If officials take a hard stance, critics worry the regulation could be yet another box to check during critical early hours after a breach when businesses are often overwhelmed; if the government loosely enforces the legislation, then the law might not offer as much critical insight into cyber threats as advocates hope.—SV