In relation to the Ukraine-Russia conflict, a major risk is cyber-warfare, directed by Russia not only at Ukraine but also at those countries offering various forms of support. In the U.S., for example, while the Federal Government and White House have taken steps to protect the country, Alon Nachmany, Director of Customer Success of AppViewX, is concerned that this is not enough and that countries lending support to Ukraine are not properly protected.
With tensions continuing to ramp up, Nachmany recommends to Digital Journal that local governments and the private sector address their cybersecurity posture ahead of any repercussions that may arise from the Ukraine and Russia conflict.
As an example of what can be done in terms of cyber-readiness, Nachmany cites New York Governor Kathy Hochul.
Commenting on New York boosting cyber preparedness, Nachmany says: “State governments are incredibly behind when it comes to cyber readiness. The main issue is funding. Governor Kathy Hochul’s announcement serves two purposes.”
Nachmany outlines these as: “First, she’s calming the public and ensuring that the state governments are aware and something is being done. The second is to commit some funding so that later on, when costs are published, there is a paper trail and reasoning to back it up.”
Nachmany says that these kinds of plans need to be extended further: “As we go down the chain of command from federal to state to city to smaller municipalities, we see the size of budgets drastically dwindle. Most states cannot afford the personnel with the right expertise to ensure their cyber readiness. I’ve seen some roles only pay half the salary of what someone at an enterprise would receive for an equivalent role. Further, the budgets for solutions are drastically lower as well. So many states simply cannot afford to harden their security posture.”
Nachmany is further concerned about an increase of threats in the private sector, noting: “From the perspective of a threat, we need to think of what the attacker is trying to accomplish. If it’s chaos in the target nation, then taking out critical infrastructure would be the way to go. However, if it’s financial, crashing the stock market might be a better play, or going after some of the leading banks could be a play. So what truly matters is what is the attacker trying to accomplish.”
Nachmany considers the imbalance between different economic sectors further: “The math behind cyber readiness is very different for private vs public organizations. For the public, math is all about budget. Whereas, in the private sector, the math is all about risk. CISOs in the private sector are calculated. They have a simple equation to understand how much they should be paying and what kind of a breach will cost the company how much.”
Nachmany adds: “Further, the public sector often has to take into account not just the object cost, but the cost later on. Where these waters get murky is when we talk about private organizations that provide a public service.”
As an example, Nachmany cites: “The Colonial Pipeline, for example, which is operated by Colonial Pipeline Company, is a private entity. When the Colonial Pipeline Company assesses their risks, they look at ransomware shutdowns for a week, like lost profits for the week of operation. But what they don’t look at is the cost outside their organization. What happens to life when the pipeline that 17 states rely on for fuel and home heating oil? Should the private organization have to look at the downstream cost that doesn’t affect their bottom line? These are the factors that the private sector needs to consider.”