Written by Samir Tout, professor of Cybersecurity at Eastern Michigan University
President Joe Biden’s recent warning for U.S. companies to improve their cybersecurity underscores the significance of the emerging cyber threat landscape. Such a threat is real and it has been for quite some time. The Russia-Ukraine war may have exacerbated it, but critical infrastructure protection has been on the minds of many cybersecurity researchers, like me, for quite some time.
In the wake of major attacks, a company’s level of preparedness and how well it has established cybersecurity in its culture can benefit companies large and small. Some believe that smaller companies are at higher risk, but the spread of ransomware may potentially debilitate any company.
What can happen to a company due to a cyber attack imposed by Russia?
Although Russia is emphasized as the primary source of malicious cybersecurity attacks, all companies should prepare regardless of where the attack originates. It is likely that traditional hackers, and possibly nation-states, will take advantage of the current situation to cloak their attacks and even launch phishing campaigns targeting sympathizers on both ends. Such attacks may compromise company systems across a large swath of our industries. We can’t forget the tremendous effects the Apache Log4j vulnerability, “cyber pandemic,” SolarWinds, or the massive worldwide wave of ransomware attacks had on companies of various sizes.
What steps can companies take to minimize their risks?
It is vital that our private sector harden its cyber defenses. This is a call to action for every entity to do its part and implement cybersecurity best practices while forging cross-organizational partnerships, leveraging available resources and working together to thwart possible attacks. There are many resources and incentives for businesses of various types and sizes, such as those provided by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). I strongly recommend that companies take advantage of CISA’s “Shields Up” guidelines and the fact sheet published by the White House on how to protect against cyberattacks. Basic actions can go a long way, such as implementing multi-factor authentication, continuous patching, data backups, employee education and awareness, and hardening software development systems.
What are students learning at EMU to be better prepared for these situations?
Our curriculum teaches students defensive and offensive security techniques and methodologies. Courses related to the former equip them with the knowledge to support, among other areas, a company’s risk analysis, digital forensics, and incident response. As to the latter, students learn ethical hacking and penetration testing, which offer them the practical skills that are essential to help companies uncover vulnerabilities that are not otherwise discovered with traditional techniques. We have several labs that allow students to gain such hands-on experiences, such as the Mobility & Autonomy Cybersecurity lab, which I personally founded, where they become more proficient in protecting modern connected and autonomous vehicles. Unfortunately, the very principles that we have long professed, such as “defense-in-depth” and “strengthening the weakest links,” are not always practiced nor even considered by many companies. Therefore, we hope that our students will support their future workplaces in establishing a cybersecurity capability and will help them become more resilient in the face of emerging cyber threats; hence leading to our nation becoming safer from cyber threats.
We no longer have a choice but to take a serious move to strengthen our companies' cybersecurity posture. During these times, if we do not work together on addressing such weaknesses, then we are practically leaving our nation exposed. We need to work on multiple fronts: educate our students to fill essential cybersecurity roles in various industries, re-train our current workforce, include cybersecurity awareness as an integral component in every organization, increase our investment in cybersecurity research and development, support more hands-on hackathons that give everyone a chance to gain experiential learning in cybersecurity. We should also work closely with our legislators and the private and public sectors to create the proper legislative support system for cybersecurity.