Three Things Board Members Can Learn From the Top Cyber Attacks of 2022 (So Far)

By Migo Kedem

10/09/2022

NACD Private Company Directorship

Cyberattacks are an increasing threat to all companies, but private companies can be particularly vulnerable. Every private company board should learn about the growing risks of cybercrime to better understand how vital cybersecurity is for the present and future of the company. Lessons from cyberattacks in the last year can help private company boards ensure that they are up to date on recent practices.

There's not a week that goes by without data breaches, cyber threats, or privacy incidents keeping media outlets busy and headlines stacked. From the sheer amount of news reported, it is easy to think that the "bad guys," whoever they are, are gaining the upper hand in the ongoing cyber fight.

In the past nine months, cyber threats have permeated every layer of the global infrastructure, including governments and large-scale enterprises as well as everyday consumers and end users. In April, a ransomware attack on the Costa Rican government brought the country's ministry of finance, import and export sectors, and public health services to a standstill. Data breaches were reported by two major airlines in India and Turkey; networking giant Cisco suffered an identity-based attack through Active Directory, which is the database and set of services that connect users with the network resources they need to get their work done; and as the school year began, cyber officials issued warnings of an unprecedented increase of attacks on American schools resulting in the identity theft of minors.

From a different perspective, knowing is half the battle and nations, enterprises, and consumers alike are learning from such attacks as they make the nightly news. With each cyberattack reported, board members across all industry verticals can learn much from the findings and use that knowledge to improve their company's adaptability and responsiveness in the ever-shifting threat landscape.

Private company boards are increasingly adopting cyber-risk oversight practices on par with public company peers, according to the 2022 NACD Private Company Board Practices and Oversight Survey. Sixty-eight percent of private company board members and 72 percent of public company board members reported having reviewed their companies' current approaches to protecting their most critical data assets, for example, while 54 percent of private company respondents and 55 percent of public company respondents reported having assessed risks associated with third-party vendors or suppliers. To keep this momentum going, private company boards should learn three key lessons from the top cyberattacks that have happened in 2022 thus far.

1. Be Ready to Invest in Technology

Security that stays relevant to new cyber threats and scales with a business requires investment in the right technology. Today, many businesses are adding artificial intelligence (AI) and machine learning (ML) to their security stacks to better identify and respond to advanced cyber threats. Speed is a significant advantage, and having AI and ML gives businesses the ability to combat emerging attacks by detecting new patterns in real time. Many threat campaigns, particularly ones using ransomware, last only a few hours, and actors are often already within a victim's network just waiting to deploy. Major ransomware attacks from this year alone have cost organizations more than $236 million. In the case of multinational construction materials giant Knauf, a family-owned company, teams were forced to shut down all information technology systems, disrupting operations and delivery processes globally.

2. Build a Strong Security Strategy

More enterprises are making key hires at the C-suite level to bolster their cybersecurity defenses from the top down. Chief information security officers (CISOs) are being brought in to assess, plan, and maintain the safety and digital growth of businesses. In fact, in the 2022 NACD Private Company Board Practices and Oversight Survey, 48 percent of respondents said that a chief information officer reports to the board on cybersecurity, and 41 percent said that a CISO does so. Responsible for reevaluating a company's security strategy based on the fluctuations of the threat landscape, CISOs regularly adjust how their businesses monitor and respond to potential attacks.

This fall, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation published two joint cybersecurity advisories warning of spikes in ransomware campaigns against a wide variety of critical sectors and industries. An experienced CISO stays ahead of developing cyber trends and attack patterns such as the ones reported in the advisories and builds security best practices to combat emerging threats. In addition, consider that a CISO's cybersecurity strategy does not only safeguard people and processes but can also increase operational efficiency, drive new opportunities, and build up a business's reputation in its industry.

3. Secure the Easy Ways In

Cyberattackers are opportunists. They will always look for the paths of least resistance—flaws in a company's armor in the form of unprotected servers, third-party vendors with weak security practices, or vulnerable devices.

Digital extortion gang Lapsus$, for example, often employs relatively simple SMS and phishing attacks on contractors. From a social engineering standpoint, a threat actor such as Lapsus$ posits that contractors feel less affiliated with a customer's brand and are therefore more likely to approve malicious SMS messages without extra thought.

Just this March, Lapsus$ published source code from Microsoft Corp.'s Bing and Cortana products as well as screenshots showing the group's control of a super administrator account in the widely used identity management platform Okta. With threat actors abusing Active Directory to move deeply into targeted networks, implementing identity protection is critical to securing sensitive data held within the infrastructure.

Lessons Learned

So far, 2022 has been a complex year as businesses settle back into offices and hybrid workspaces but face the ramifications of geopolitical uncertainty, economic downturn, and cyberattacks that are growing ever more complex. While no business is immune from cyberattacks, board members can view the attacks that have afflicted industry peers in 2022 through an educational lens and better prepare for the following quarter and beyond.

Migo Kedem is the vice president of growth at SentinelOne, leading security and marketing teams focusing on cybersecurity.