Feb 25, 2022 - Technology
Column / Signal Boost

The cybersecurity steps businesses need to take now


While it's not totally clear how Russian cyberattacks might spill over to — or even directly target — American businesses, experts say prudent businesses should take steps now to prepare.

Why it matters: It's too late to radically revamp a firm's entire security setup, but there's still time for measures that can help minimize potential damage.

The big picture: Experts told Axios that, right now, businesses' focus should be on updating and understanding the systems they have, not adding new protections to the mix.

  • "This isn't the time to go shopping for new defenses," said Paul Mee, a partner with Oliver Wyman Forum, the business and policy study arm of consulting firm Oliver Wyman.
  • It is the time, he said, to make sure existing systems are fully patched and up-to-date — as well as to understand the tactics being used by nation-state actors and how specific industries have been targeted.
  • One resource for that is MITRE ATT&CK, a global database of attacks and the methods used. The "Shields Up" advisory from federal agencies also offers guidance.
  • "The most important thing is for executives to recognize that this isn’t business as usual. Take the situation seriously and prepare thoughtfully, but don’t panic," Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, told Axios. Krebs' Krebs Stamos Group has also made public its advice to organizations.

"Extra vigilance is what matters right now," said James Cummings, a former JPMorgan Chase security chief who also previously served as a top Air Force cybersecurity official. Cummings now serves as a senior adviser to Oliver Wyman Forum.

Yes, but: Having your shield up shouldn't mean totally hunkering down. Mee and Cummings said that now is a good time for companies to be talking not just with consultants and government agencies but also with peers to share intelligence and best practices.

Between the lines: Mee said the biggest risk at present is spillover, similar to what happened from the 2017 NotPetya attack. That incident was attributed to Russia and targeted Ukrainian software, but it cost businesses billions globally.

For now, Mee said, a direct Russian attack on U.S. critical infrastructure appears less likely.

  • "It feels remote," Mee said. "That's a massive escalation."
  • But, he said, Russia may want to show it has that capability. "They are going to [want to] demonstrate they are present rather than taking affirmative action."

Mee said he is encouraged by how much more dialogue there is now among companies, between companies and government agencies, and between top executives and their security leaders.

Be smart: Russia isn't the only attacker out there. The fog of cyberwar also provides excellent cover for criminals or even disgruntled insiders to attack, Cummings said.
