The global chaos unleashed by the WannaCry ransomware virus reinforces that cyberattacks are not just the problem of IT departments. Compliance must play an integral part of any organization’s cross-functional cybersecurity program to make sure the policies and procedures that protect organizations against these threats are designed, implemented and enforced.
The insidious nature of WannaCry shows the urgency of this effort. A hybrid between ransomware and a worm, WannaCry reportedly migrates from computer to computer, taking hard drives hostage and demanding a $300 payment to rescue corporate data.
It’s an enterprise-wide threat that requires an enterprise-wide approach.
Compliance professionals, of course, play a key role in that approach. Whenever organizations need to do something in an ongoing, systematic way, where people are to be held accountable, compliance is front and center. And the potential effects of a hack like WannaCry can be more devastating than an FCPA investigation or a Labor Department probe. That’s because it can effectively put a freeze on an entire organization.
A fire might be the better comparison: By shutting down computer systems and cutting off access to data and systems, a major hack can stop an organization dead in the water and leave customers and other stakeholders without necessary services.
Cybersecurity is a people, process and technology issue. Fortunately, compliance officers are well versed in working across an organization to ensure effective governance and mitigate risks across a range of issues.
People: Working with the human resources group, it’s important to make sure employees understand the gravity of cybersecurity, preferably from their initial “onboarding” training. Given the evolving nature of cyberattacks, it is also vital to provide regular updates on emerging threats and to monitor systems to ensure they are running the latest software and patches and that employees are not introducing improper devices onto the network. Also consider: what are the penalties for noncompliance, and are they being enforced?
Process: Monitoring is the weak link in most organizations. The most rigorous cybersecurity measures are useless unless there is a process to make sure they are being enforced. Monitoring can take a variety of forms, from ongoing review of networks to additional training, refresher courses and knowledge quizzes that keep employees informed. Also consider processes such as a way to determine how many devices are on the network. Is there a procedure to determine whether or not all software is up to date? Is there an integrated response plan across IT, human resources, operations and other departments? Who needs to be involved, and when do you bring in outside experts?
Technology: Protecting against a cyberattack is not unlike protecting the organization against FCPA violations, but it is more complex. Not only does every employee and third-party vendor need to be assessed to gain transparency into vulnerabilities, but it is also important to identify, assess and manage the profusion of devices that connect to the organization’s network. Any party or device represents risk, and so every one of them must be included in a monitoring program.
The National Institute of Standards and Technology Cybersecurity Framework is a good starting place to determine the standards that must be in place in any enterprise. The framework directs organizations to have procedures to protect against, detect, respond to and recover from cyberattacks, with advice on how to implement rules and monitor compliance. For example, in regard to phishing attacks, the NIST Framework includes controls such as security awareness training, communication and exercises; a contingency recovery plan; system backup; incident response training; and malicious code protection mechanisms.
The steps to prevent a cyberattack share many similarities with a cyberattack itself. Prevention efforts must have a sweeping effect across devices, reach each employee and have a drumbeat that keeps the topic top of mind. The compliance function is equipped with the practices and tools to ensure this type of awareness and implementation effort. The trick is to ensure the prevention happens before the attack.