On January 18, 2022, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) released a new "Insights" memo with a title that is a direct call to action: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats.
We all know the power of clickbait titles, but something this direct from a government agency would most likely grab your attention. (It did for us!) What is this new "critical threat"? Why do we need to act now? What do we need to do differently to be ready for it? If you are anything like us, you opened the document quickly to understand the implications and new expectations… only to find a list of items which looked very familiar.
If you are a financial institution subject to regulation, nearly every item on the CISA Insights checklist is something you are already doing and being examined on.
First, yay you! But also, does that mean this does not apply to you? Do you actually need to "implement these cybersecurity measures now," if you know they're already implemented? What's the big deal? (Other than the fact that cybersecurity is important, obviously.)
In short: Yes, it does still apply to you, and we'll spend the rest of the article explaining why. Read on.
While the checklist items may be familiar, it's the memo's additional commentary before and after the checklist which best answers the "why" question. To help, we will be translating each paragraph into a simplified version to provide another perspective.
| CISA Insights | Our Translation |
| --- | --- |
| "Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy." | Everyone is at risk of cyber threats which can harm you and others. No exceptions. |
| "Most recently, public and private entities in Ukraine have suffered a series of malicious cyber incidents, including website defacement and private sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions. The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure." | Recent cyber-attacks in Ukraine are alarming. With the similarity to the kinds of malware which caused the U.S. to suffer in the past, you need to be concerned. |
| "This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise. All organizations, regardless of sector or size, should immediately implement the steps outlined below." | Your organization's decision-makers need to know about this and immediately implement the recommended steps. |
| "By implementing the steps above, all organizations can make near-term progress toward improving cybersecurity and resilience. In addition, while recent cyber incidents have not been attributed to specific actors, CISA urges cybersecurity/IT personnel at every organization to review Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA also recommends organizations visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts." | CISA urges you to brush up on your knowledge of Russian state-sponsored cyber threats and ransomware. |
Did you notice all the time-sensitive language? "Urgent." "Now." "Near-Term." "Immediately."
As financial institutions, it can be tempting to scan through the checklist and say, "We're good! We already do all this." While this is a legitimate first reaction, look again. There is a lot of urgency here coming from a government agency. If anyone is going to have insider information about potentially imminent state-sponsored cyber-attacks against our weakest points of security, it would be someone like CISA.
Reading between the lines, we are not at a place where CISA is sounding alarms and saying we are under widespread attack, but as geopolitical tensions grow, CISA believed it was necessary to share this specific, direct reminder.
That being the case, we decided to read the document again, and we would encourage you to do the same.
- We do need to check on these things because we are at risk.
- We do need to communicate this information with senior management because they need to know.
- We do need to review our controls and incident response plans because we can be more prepared.
It's time for a check-up. "Now."
How Tandem Can Help
At Tandem, we are always looking for ways we can help you more easily and confidently manage cybersecurity tasks. For this CISA Insights memo, we have created a mapping document. This mapping takes the items from the checklist and correlates them with elements of the Tandem cybersecurity software. If there is a policy that addresses the topic, we list it. If there is a product where you perform a certain task, we call it out.
While our mapping document is specifically designed for Tandem users, it can be used to guide anyone who has an information security program. (That's you.) As you address each item in the checklist, you will be looking to your existing plans and procedures for Incident Management, Policies, Business Continuity Planning, Risk Assessment, Vendor Management, and Audit Management.
What are you waiting for? Download the mapping document and get started.