COVID-19 cyberwar: How to protect your business
Attacks are escalating amid the pandemic—Our step-by-step security guide for action now

Research Insights

By Wendi Whitmore and Gerald Parham

How can IBM help
If you are experiencing cybersecurity issues or an incident, contact X-Force IRIS to help:
US hotline 1-888-241-9812
Global hotline (+001) 312-212-8034
Additional information can be found here: https://www.ibm.com/security/covid-19

Key takeaways

COVID-19 and cybercrime
While the world struggles with the impacts of COVID-19, cybercriminals see it as an opportunity. From March 11 until May 8, 2020, IBM X-Force has observed a greater than 6,000 percent increase in coronavirus-themed spam.
Action: Run simulations that model the most likely threat to mitigate any vulnerabilities now.

Improvising amid chaos
Organizations that were insufficiently prepared in normal times have been caught completely off guard. In fact, 76 percent of organizations don't have an incident response plan applied consistently across the organization, according to a 2019 report.[1]
Action: Create or update a Cybersecurity Incident Response Plan (CSIRP).

Managing through disruption
During times of crisis, business continuity planning becomes a major strategic asset. Even organizations that are unprepared can take steps to mitigate the impacts and use the experience for future crisis planning.
Action: Observe, orient, decide, and act in rapid cycles.

Learning from extreme events

In recent weeks, cybersecurity threats have escalated, as bad actors take advantage of the COVID-19 pandemic. While organizations worry about newly pressing concerns—workforce well-being, finance availability, and the resiliency of operations and supply chains—cybersecurity focus is being overshadowed and risks are rising. The tendency toward ad hoc decision making during crises only accelerates the opportunity to exfiltrate data or compromise business operations.

The potential impacts are more dangerous, too. A distributed denial-of-service (DDoS) attack, for instance, can be far more damaging in an operational environment that is already strained for capacity than one launched when additional capacity is readily available.

In this report, we identify key steps security leaders can take now to manage discrete, high-impact events that may arise in this environment and to prepare for additional unforeseen scenarios.

Every cybersecurity crisis has a three-part lifecycle:
– Planning and detection
– In-the-moment response and remediation
– Recovery.

The first step is for leaders to identify where they are in that lifecycle and prioritize their actions accordingly. We have created recommended actions for each phase as a guide. In particular, the current pandemic environment demands increased attention to response and remediation.

Drawing on lessons learned from incident response drills in security operations centers (SOCs) and cyber ranges (virtual environments for testing security capabilities), we have found that highly resilient organizations do three things well: organize and deploy resources, communicate regularly, and coordinate responses.

COVID-19's impact on the cybersecurity landscape

During 2020, business has changed radically for nearly every organization around the globe. As the number of COVID-19 cases grows and the rate of transmission accelerates in some areas and abates in others, the operations landscape evolves daily – sometimes hourly. The magnitude of impact is unprecedented.

Opportunistic threat actors

Since February when the outbreak went global, IBM X-Force has observed a 4,300 percent increase in coronavirus-themed spam. Cybercriminals are using the coronavirus outbreak to drive their business, with virus-themed sales of malware assets on the dark web and even virus-related discount codes.[5] They are also rapidly creating domains: COVID-19-related domains are 50 percent more likely to be malicious than other domains registered during the same time period.[6]

Numerous phishing scams have emerged. For example, IBM's X-Force Exchange is tracking a spam email that takes advantage of small business owners hoping to secure loans from the US Small Business Administration. Instead of providing help, an attachment installs a Remote Access Trojan (RAT). Another high-volume spam campaign threatens to infect recipients and their families with COVID-19 if they do not pay a ransom in bitcoin.[7]

A number of other scams imply association with legitimate health organizations. One email phishing attack purports being from the World Health Organization (WHO) director-general. Attached to the email are documents that install an Agent Tesla malware variant that acts as a keylogger and info-stealer.[8] A similar attack uses the US Centers for Disease Control and Prevention (CDC) as a lure.[9] The IBM X-Force COVID-19 security bulletins, which consolidate a collection of threat actors and COVID-19 exploits, identify hundreds of examples.[10]

Reports suggest nation-state actors could be using the pandemic to make forays into US public health agencies, notably the US Department of Health and Human Services.[11] As Ben Sasse, a member of the US Senate Intelligence Committee, observed, "Here's the reality of 21st century conflict: cyberattacks are massive weapons to kick opponents when they're down."[12]

50+ unique malware distributed in various COVID-19-themed campaigns[2]
1 in 4 organizations don't have an incident response plan[3]
#1: The combined effect of an incident response (IR) team and IR plan testing produces greater cost savings than any other security remediation process[4]

Insight: Cybercrime damages public confidence

Cybercrime is built on threat actors' abilities to exploit fear, anxiety, and uncertainty, sentiments magnified during a pandemic. Compounding personal concerns, livelihoods of individuals and businesses are disrupted in unpredictable ways. As a World Economic Forum bulletin noted, society's increased reliance on digital infrastructure raises the cost of failure.[13] This public health pandemic imposes both social and economic costs, affecting individuals in unique and profound ways.

High-value assets (HVAs) are particularly vulnerable to attack. Defined by the US Cybersecurity and Infrastructure Security Agency (CISA) as "information or systems so critical that their loss or corruption would seriously affect an organization's ability to perform its mission or conduct business," HVAs are especially enticing for cybercriminals looking to damage public confidence in an organization.[14]

The new risks of remote work

The rapid shift to remote work has also opened new loopholes for cybercriminals to exploit. According to The New York Times, as of the first week of April 2020, 316 million people in the US were being urged to stay home.[15] The global figures are orders of magnitude higher. India's shelter-in-place guidelines, for example, extend restrictions to 1.3 billion people.[16]

Many of those staying home are also working from home. Yet, many displaced workers lack the secure equipment or protocols that enable digital safety. With newly remote employees accessing corporate networks via personal devices, hackers are probing Wi-Fi configurations and VPN connections for security vulnerabilities. And as people congregate on cloud-based productivity platforms—both for work and personal reasons—malicious actors are launching schemes to exploit the situation, including hacking into and disrupting live meetings.[17]

Employees aren't the only ones who are unprepared—so are organizations. In a recent online poll by Threatpost, 70 percent of respondents said enabling remote working is fairly new for their organizations. And 40 percent reported seeing increased cyberattacks as they enable remote working.[18] As US Senator Mark Warner wrote in an email, "As the federal government prepares for what is likely to be an unprecedented experiment in telework, it's also expanding opportunities for malicious actors to attack and potentially disrupt vital government services."[19]

The potential for continued disruption during this pandemic is high and requires crisis response leaders to maintain constant vigilance and organizational agility.

The importance of making quick decisions

During a crisis, executives and members of security teams need to filter available information to quickly make optimal decisions. Borrowing principles originally developed by military strategists, organizations benefit from incorporating tactical operations techniques such as "observe, orient, decide, and act," also known as the OODA loop.[20]

The OODA loop encourages iteration (see Figure 1). If you can go through it faster than whatever you're remediating, you gain an advantage. By accelerating response, you can harmonize efforts with the broader team. No decision has to be final. Making small mistakes is often better than taking no action at all.

Highly resilient organizations marshal resources, communicate efficiently, and coordinate responses.

Figure 1: Observe, Orient, Decide, Act (OODA) Loop
[Diagram labels: Unfolding circumstances; Outside information; Unfolding interaction with environment; Feedback; Observe (observations); Orient (history, culture, analysis and synthesis, previous experiences, and new information); Decide (decision/hypothesis); Act (action/test).]
Source: "OODA loop." Wikipedia, accessed April 1, 2020. https://en.wikipedia.org/wiki/OODA_loop

Creating an incident response plan

Most organizations are ill-equipped to handle a major cybersecurity incident, much less amid a global crisis like COVID-19. A recent study from the Ponemon Institute found that 76 percent of organizations don't have an incident response plan applied consistently across the organization. One in four organizations report not having any Cybersecurity Incident Response Plan (CSIRP) whatsoever.[21]

An effective CSIRP outlines governance and communications practices across teams (see "Insight: Anatomy of a CSIRP"). It also defines response models and details crisis response roles and responsibilities across the organization, such as strategy, technology, operations, and community and government relations. Any organization without a CSIRP in place should be racing to implement one.

With breach notification laws and regulations getting stricter around the world even prior to the COVID-19 pandemic, business continuity planning is a long-term strategic capability that can prepare an organization for a host of unexpected contingencies.

But even if your organization has a CSIRP in place, there are steps you can take now to reinforce it for COVID-19's particular risks. Crisis management plans vary based on the nature and scope of the threat, the type and size of an organization, and variances in regulatory requirements related to disclosures, data privacy, and data locality. As organizations learn more, they can adapt the CSIRP and apply those lessons quickly.

Insight: Anatomy of a CSIRP

A Cybersecurity Incident Response Plan (CSIRP) typically includes the following information:
– How to qualify and classify a crisis event
– Roles and responsibilities of internal and external team members, including a hierarchical view that summarizes decision-making authority and escalations
– A crisis communications plan for communicating with internal and external stakeholders
– An inventory of the organization's HVAs and mission critical capabilities, along with the critical support services that enable these
– Regulatory and disclosure requirements related to the above
– An inventory of supplemental operations support capabilities like threat remediation services and threat intelligence sharing with community/computer emergency response/readiness teams (CERTs), federal law enforcement, or other groups.

The crisis lifecycle, phase 1: Steady state/planning

As the COVID-19 crisis unfolds, organizations that have yet to experience a cyberthreat still have the luxury of time – they should use it wisely. (See Figure 2.)

Most important, organizations without a CSIRP should create one. Leaders that have already been through that stage of planning should take the opportunity now to evaluate the CSIRP for any gaps based on their COVID-19 security posture. Even when a "black swan" event transforms into a longer-term reality, such as with COVID-19, there are options.[22] The key is to find ways to improve those options and buy time to make better decisions.

Figure 2: The crisis lifecycle
[Chart of business impact over time across three phases: Before, During, After.
Steady state operations: insights; planning; simulation; prevention.
Incident response and crisis ops: incident response; triage, discovery, forensics; crisis communications; collaboration; stakeholder management.
Recovery ops: lessons learned and after-action report; post-crisis communications; leadership review; improvement plan; model updates.
Other labels: Detection; Escalation; Response period with OODA mitigation loops (OODA loop for mitigation N, N+1, N+2); Stabilization; Recovery; Restoration; Recovery period varies based on resilience; Milestone; Leadership decision; Agility; Adaptability; Governance loop; Learning loop.]
Source: IBM Institute for Business Value analysis.

Phase 1: Actions to take
Align operations, practice, and refine the playbook

1. Build the plan and the team. Create a CSIRP that is regularly updated to reflect the current operating environment. Validate and test crisis alert rosters to complete your team membership. Consider semi-annual or quarterly plan updates and crisis response drills, especially in larger organizations with frequent personnel changes.

2. Transform decision making into an agile practice. Previously developed and tested processes and procedures should allow for quick decision making by the key stakeholders working the response plan. Key leaders should have the authority to make important decisions without having to go through a lengthy approval process.

3. Remove dependencies and extend visibility in all directions. The availability and integrity of the supply chain is an often-overlooked risk vector. Mandate transparency mechanisms to remove friction, expedite decision making, and maintain supplier independence. Consider procurement dependencies (by geography or supplier) and find alternative sources to maintain business operations. Re-examine provider/supplier contracts for force majeure (including unavoidable, major accident) clauses. Examine supply chain networks for fourth-party and "n-party" risk.

4. Make the plan real. Tabletop exercises and breach simulations are an effective way to validate the process and procedures for each of the key functions of your cyber crisis management plan. On a regular basis, conduct full-scale simulation exercises to stress-test teams, leadership, and communications. The ultimate goal is training the team to "build the muscle memory" to respond effectively, much like first-responder or military teams.

5. Learn from mistakes. Failure during crisis simulation is infinitely more valuable—and less costly—than failure during an actual crisis. Recognize how failure modes are exacerbated by systemic dependencies, outdated assumptions, or decision-making bias. Make the unexpected a part of every drill to learn how to balance standard practice and crisis governance with the team's capacity for collaborative problem solving and ingenuity.

Crisis planning needs to accommodate a spectrum of operational disruption and social impacts, which require different approaches to crisis mitigation and response.

An organization's ability to execute amid disaster can be refined using simulations. While there's no substitute for real-life, hands-on experience, simulations with drills and repetition are useful to discover any gaps in risk management and risk mitigation models. The more teams practice, the more they know what to anticipate and how they will respond during actual security events. Teams can see variables and dependencies unfold in real time, model their responses, and continue to improve.

Defining risk management

Cyber resilience is an organization's ability to prevent, respond to, and recover from a cyberattack as well as sustain the integrity of internal and external operations. The three core concerns are threats, vulnerabilities, and risk:
– Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and commandeer, damage, or destroy an information or operational asset. These are discrete tactics or events.
– Vulnerability: Weaknesses or gaps in a security program that can be exploited by a threat to gain unauthorized access to an asset.
– Risk: The potential for loss, damage, or destruction as a result of a threat acting upon a vulnerability.[23]

The challenge, particularly in the age of COVID-19, is that risks are dynamic, emergent, and unpredictable—yet often interdependent. Risk management involves identifying threats and modeling the magnitude of operational impact in conjunction with the likelihood or probability of occurrence. That's why crisis response requires collaboration among cybersecurity, technology, and operations—a cross-functional (and increasingly cross-organizational) activity.

When risks become real, teams need to shift operations from planning and modeling to incident response, disaster recovery, and business continuity. Most importantly, it is imperative that plan/simulation processes are the same as action/response processes. The ability to make decisions quickly and collaboratively often represents the difference between success and failure.

The crisis lifecycle, phase 2: Incident response

Despite thorough plans and preparation, a crisis, by definition, strikes in unanticipated ways. When it affects organizations indiscriminately—as with the COVID-19 pandemic—systemic failure is a real possibility. In times of systemic risk, an organization's routine operational capabilities may be identified as essential to critical infrastructure, requiring significant adjustments to steady state operations.

When an actual crisis arises, teams that have used simulation drills to update response plans and refine abilities typically fare better. Because teams know what to do, leaders can observe how a situation is evolving. They can then make decisions and redirect when needed to protect the safety of employees, customers, and other stakeholders; protect data integrity; and respond to events in ways that help alleviate the particular crisis.

If crisis strikes indiscriminately and causes significant social disruption, organizations need to use operational resources in new ways to provide aid and restore confidence. With proper planning, response plans can factor in a broad range of variables and help leaders choose responses that bolster goodwill, integrity, and trust.

Crisis operations

Striking the right balance between governance and ingenuity is crucial to crisis resolution. Establishing governance guidelines for critical communications can pave the way for more creative problem solving and collaboration for more intractable crisis mitigation efforts. While problems might seem technical, almost invariably the solutions involve human sensibilities and teamwork.

When a security breach or cyberattack occurs, executives must quickly instill confidence in their customers and other stakeholders that they're doing everything possible to solve the problem. For many leaders in the C-suite, this type of fast, intuitive response doesn't come naturally. Although they might know what to do technically to manage a breach, they often aren't prepared to cope with the human side of the equation.

In mid-crisis, the playbook and simulations will enable everyone—from the security team to communications and PR professionals to the CEO—to understand their role and take appropriate action with the right mix of hard and soft skills that enable the team to get ahead of the problem.

Phase 2: Actions to take
Run the playbook, adapt, and collaborate

1. Accept that perfection doesn't exist—stay in the moment. Recognize that triage is necessary and initial outcomes may be sub-optimal. "Observe, orient, decide, and act" in rapid cycles to get ahead of the situation. Break complex problems down into their constituent parts.

2. Minimize cognitive loads. Keep team members in synch using standardized terminology and communication protocols that expedite discovery and assessment. Filter information and represent variables as simply and directly as possible. Use visuals to illustrate key relationships and dependencies.

3. Lead by example. Leaders combine soft and hard skills. Demonstrate consideration and empathy, as well as technical acumen. As circumstances change, model the right mix of action and analysis. Encourage team members to be vigilant about the distinction between fact and opinion.

4. Prioritize teamwork—not heroism or self-sacrifice. Take an inventory of the team's strengths and leverage the diversity of the team. Assign responsibilities based on curiosity and ability. Make partners as enfranchised and accountable as core team members. Use the big picture to inspire, not overwhelm.

5. Communicate honestly and transparently, especially with senior leaders and stakeholders. Be disciplined in defining the threat to the business in concrete terms. Which measures suggest progress? Would more specialized resources, more budget, or more time make a difference? How is this crisis similar to (and different from) others? What variables are making the situation worse (or better)? Know when a decision should be escalated and prepare a set of options and expected outcomes.

The crisis lifecycle, Phase 3: Recovery and improvement

Some security experts suggest the COVID-19 pandemic might be instructive for future cyberattacks that could cause social disruption on similarly massive scales.[24] As Brian Finch writes in an op-ed for The Hill, "Cyber thinkers in Washington would do well then to carefully study any successful measures used to mitigate the financial impact caused by COVID-19. Doing so will help prevent unnecessary scrambling and jury-rigged solutions when the inevitable cyber pandemic arrives."[25]

COVID-19 has certainly put the world on notice. As with any great upheaval, some of the lessons learned can be used to improve future responses. One thing seems certain: the ability to communicate, coordinate, and collaborate—as much as the ability to command and control—will win the day.

With some combination of avoidance and prevention, incident response drills, and simulations, security leaders can gain both greater confidence in their ability to withstand moments of crisis and the conviction that comes from operating with integrity. According to Chris Pierson, CEO of cybersecurity firm BlackCloak, "Cybercriminals are not taking a break during this global pandemic and neither will the defenders or their suppliers, so I think the outlook is extremely positive."[26]

Phase 3: Actions to take
Invest in new capabilities to make the business more resilient and adaptable

1. Implement security telemetry and analytics. Early detection and response start with automated data collection capabilities. With modern telemetry and log file capture solutions, attack vectors can be modeled, signatures created, and breaches re-created—even after the fact.

2. Develop security automation capabilities. By enabling security automation, specialists can focus on threats that require deeper analysis. According to Ponemon, investments in automation can pay for themselves: organizations that had not deployed security automation experienced breach costs that were 95 percent higher than breaches at organizations with fully deployed automation (USD 5.16 million without automation versus USD 2.65 million for fully deployed automation).[27]

3. Consume and contribute to threat intelligence. Cloud-based security services monitor traffic over an operational footprint far larger than any single organization. Contributing threat intelligence data enhances cyber-resilience for all organizations, while consuming threat intelligence insights expedites threat detection and response.[28]

4. Prioritize collaboration and continuous learning. Cyber resilient organizations operate in a continuous cycle of discovery, learning, adaptation, and iteration. In times of crisis, effective threat remediation comes down to the ability of individuals to work together on complex, often intractable, problems.[29]

5. Raise security awareness. Cyber resilient organizations prioritize security as a strategic capability across the enterprise. This prioritization is lacking for many organizations: Our 2019 cyber resiliency study with Ponemon revealed that only 25 percent of respondents rate their organizations' cyber resilience as high—and only 31 percent rate their ability to recover from a cyberattack as high.[30]

About the authors

Wendi Whitmore
Vice President, X-Force Threat Intelligence, IBM Security
wwhitmor@us.ibm.com
linkedin.com/in/wendiwhitmore2
@wendiwhitmore

Gerald Parham
Security and CIO Research Leader, IBM Institute for Business Value
gparham@us.ibm.com
linkedin.com/in/gerryparham/

Wendi Whitmore is the Vice President of IBM X-Force Threat Intelligence and a recognized voice of expertise in the cybersecurity realm. She has over a decade and a half of diverse experience in incident response, proactive and strategic information security services, intelligence, and data breach investigations with clients from virtually every sector and geography.

Gerald Parham is the Global Research Leader for Security & CIO for the IBM Institute for Business Value. Gerald's research focuses on the cyber lifecycle and cyber value chains, in particular the relationship between strategy, risk, security operations, identity, privacy, and trust. He has more than 20 years of experience in executive leadership, innovation, and intellectual property development.

The right partner for a changing world
At IBM, we collaborate with our clients, bringing together business insight, advanced research, and technology to give them a distinct advantage in today's rapidly changing environment.

IBM Institute for Business Value
The IBM Institute for Business Value, part of IBM Services, develops fact-based, strategic insights for senior business executives on critical public and private sector issues.

For more information
To learn more about this study or the IBM Institute for Business Value, please contact us at iibv@us.ibm.com. Follow @IBMIBV on Twitter, and, for a full catalog of our research or to subscribe to our monthly newsletter, visit: ibm.com/ibv.

Related reports
"COVID-19 Action Guide" ibm.co/covid-19-action-guide
"A CIO's guide to extreme challenges" ibm.co/cio-guide-challenges
"How CISOs can secure a strategic partnership" ibm.com/thought-leadership/institute-business-value/report/ciso-strategic-partnership

Notes and sources

[1] "The 2019 Cyber Resilient Organization." Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV
[2] X-Force IRIS internal data analysis. Additional COVID-19 data insights are available at https://exchange.xforce.ibmcloud.com/collection/Threat-Actors-Capitalizing-on-COVID-19-f812020e3eddbd09a0294969721643fe
[3] "The 2019 Cyber Resilient Organization." Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV
[4] "2019 Cost of Data Breach Study: Global Analysis." Ponemon Institute. Benchmark research sponsored by IBM independently conducted by Ponemon Institute LLC. 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL
[5] Whitney, Lance. "Cybercriminals exploiting coronavirus outbreak with virus-themed sales on the dark web." TechRepublic. March 19, 2020. https://www.techrepublic.com/article/cybercriminals-exploiting-coronavirus-outbreak-with-virus-themed-sales-on-the-dark-web/
[6] "Update: Coronavirus-themed domains 50% more likely to be malicious than other domains." Check Point blog post, accessed March 27, 2020. https://blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/
[7] "U.S Small Business Administration Spoofed In Remcos RAT Campaign." IBM X-Force Threat Intelligence. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/Small-Businesses-Seeking-Disaster-Assistance-Targeted-By-Remcos-Infostealer-e8b9f4f5e9d8c98f51e2ee09ac632ef8; "Holding Your Health For Ransom: Extortions On The Rise." IBM X-Force Threat Intelligence. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/Holding-Your-Health-For-Ransom-Extortions-On-The-Rise-1fc43fac1cf1b72a4245f0107da283e3
[8] "Covid-19 Drug Advice From The WHO Spoofed to Distribute Agent Tesla Info-Stealer." IBM X-Force Threat Intelligence. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/Covid-19-Drug-Advice-From-The-WHO-Disguised-As-HawkEye-Info-Stealer-2f9a23ad901ad94a8668731932ab5826
[9] Vergelis, Maria. "Coronavirus phishing." Kaspersky Daily. February 7, 2020. https://www.kaspersky.com/blog/coronavirus-phishing/32395/
[10] Whitmore, Wendi. "IBM X-Force Threat Intelligence Cybersecurity Brief: Novel Coronavirus (COVID-19)." March 17, 2020. https://securityintelligence.com/posts/ibm-x-force-threat-intelligence-cybersecurity-brief-novel-coronavirus-covid-19/
[11] Stein, Shira, and Jennifer Jacobs. "Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak." Bloomberg. March 16, 2020. https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
[12] Miller, Maggie. "Top US health agency suffers cyberattack." The Hill. March 16, 2020. https://thehill.com/policy/cybersecurity/487756-top-us-health-agency-suffers-cyberattack-report
[13] Pipikaite, Algirde, and Nicholas Davis. "Why cybersecurity matters more than ever during the coronavirus pandemic." World Economic Forum. March 17, 2020. https://www.weforum.org/agenda/2020/03/coronavirus-pandemiccybersecurity/
[14] "CISA Insights." US Cybersecurity and Infrastructure Security Agency website, accessed March 29, 2020. https://www.cisa.gov/insights
[15] Mervosh, Sarah, Denise Lu, and Vanessa Swales. "See Which States and Cities Have Told Residents to Stay at Home." The New York Times. March 29, 2020. https://www.nytimes.com/interactive/2020/us/coronavirus-stay-at-home-order.html
[16] Gettleman, Jeffrey, and Kai Schultz. "Modi Orders 3-Week Total Lockdown for All 1.3 Billion Indians." The New York Times. March 24, 2020. https://www.nytimes.com/2020/03/24/world/asia/india-coronavirus-lockdown.html
[17] Miller, Maggie. "Zoom vulnerabilities draw new scrutiny amid coronavirus fallout." The Hill. April 2, 2020. https://thehill.com/policy/cybersecurity/490685-zoom-vulnerabilities-exposed-as-meetings-move-online
[18] Seals, Tara. "Coronavirus Poll Results: Cyberattacks Ramp Up, WFH Prep Uneven." Threatpost. March 19, 2020. https://threatpost.com/coronavirus-poll-cyberattacks-work-from-home/153958/
[19] "Federal employees may soon be ordered to work from home." The Washington Post. March 13, 2020.
[20] "OODA loop." Wikipedia, accessed April 1, 2020. https://en.wikipedia.org/wiki/OODA_loop
[21] "The 2019 Cyber Resilient Organization." Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV
[22] Black swan events describe entirely unexpected situations outside the realm of normal expectation that have extreme consequences. Taleb, Nassim Nicholas. "The Black Swan: The impact of the highly improbable." 2007.
[23] "Threat, vulnerability, risk—commonly mixed up terms." Threat analysis Group website, accessed April 1, 2020. https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
[24] Kallberg, Jan, and Col. Stephen Hamilton. "What COVID-19 can teach us about cyber resilience." Fifth Domain. March 2020. https://www.fifthdomain.com/opinion/2020/03/23/what-covid-19-can-teach-us-about-cyber-resilience/
[25] Finch, Brian. "Cyber planners should be carefully watching the coronavirus." The Hill. March 2, 2020. https://thehill.com/opinion/cybersecurity/485391-cyber-planners-should-be-carefully-watching-the-coronavirus
[26] Ferguson, Scott. "Cybersecurity Sector Faces Reckoning After Coronavirus Hits." BankInfoSecurity. March 10, 2020. https://www.bankinfosecurity.com/coronavirus-hits-wall-street-cyber-survive-slide-a-13913
[27] "2019 Cost of Data Breach Study: Global Analysis." Ponemon Institute. Benchmark research sponsored by IBM independently conducted by Ponemon Institute LLC. 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL
[28] For example, the annual IBM X-Force Threat Intelligence Index. https://www.ibm.com/security/data-breach/threat-intelligence
[29] "High-Stakes Hiring: Selecting the Right Cybersecurity Talent to Keep Your Organization Safe." IBM Smarter Workforce Institute. 2018. https://www.ibm.com/downloads/cas/X47BR759
[30] "The 2019 Cyber Resilient Organization." Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV

Copyright IBM Corporation 2020
IBM Corporation, New Orchard Road, Armonk, NY 10504
Produced in the United States of America June 2020

IBM, the IBM logo, ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at: ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

This report is intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. IBM shall not be responsible for any loss whatsoever sustained by any organization or person who relies on this publication.

The data used in this report may be derived from third-party sources and IBM does not independently verify, validate or audit such data. The results from the use of such data are provided on an "as is" basis and IBM makes no representations or warranties, express or implied.

44031444USEN-02

About Research Insights
Research insights are fact-based strategic insights for business executives on critical public and private sector issues. They are based on findings from analysis of our own primary research studies. For more information, contact the IBM Institute for Business Value at iibv@us.ibm.com.