Businesses and end users are being targeted with COVID-19-themed ransomware disguised as legitimate applications. We are witnessing an increase in phishing attacks that use COVID-19 as bait to mislead employees and customers and then lead to ransomware events. These attacks are resulting in more infected computers and mobile phones.
A single system or application today may have hundreds of thousands of vulnerabilities. The threat actor has to find a single vulnerability to exploit, while cyberdefenses have to “reasonably and appropriately” implement credible capabilities to secure vital assets across the enterprise. This asymmetry means organizations must implement a cyberdefense based on a credible, mature and robust framework.
A key executive decision is to identify the security framework that will provide the foundation for an enterprise cybersecurity program. One option for a credible framework is the HITRUST CSF.1 Another option is the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).2 The key difference is that the HITRUST CSF integrates the NIST Cybersecurity Framework and is a certifiable, global standard.
The HITRUST CSF framework provides a credible option upon which organizations can base their cyberdefense strategy. The HITRUST CSF provides organizations with a comprehensive, flexible and efficient approach to address the dual challenges of regulatory compliance and risk management. It is a standard that can be applied to organizations across industries and across countries, globally.
It integrates a cross section of global, US federal and state regulatory mandates, including the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR),3 the New York State Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR 500),4 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27001,5 the US Health Insurance Portability and Accountability Act (HIPAA),6 as well as NIST and the Cybersecurity Maturity Model Certification (CMMC).7 No other global standard is as rich in directly addressing dozens of authoritative sources. The HITRUST CSF standard is continuously updated, with at least one major update annually.
HITRUST CSF is a prescriptive framework, meaning it establishes minimum, specific requirements for the various aspects of an enterprise cybersecurity program. For example, in the area of access control, an organization must automatically remove or disable accounts that have been inactive for a period of 60 days or more.
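One way to implement the 60-day inactive-account rule quoted above, as an added example that is not code from the article or from HITRUST (it assumes a constructed account inventory and, as an assumption, measures never-used accounts from their creation date):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Inactivity threshold taken from the article's HITRUST CSF access-control example.
INACTIVITY_LIMIT = timedelta(days=60)


@dataclass
class Account:
    name: str
    created: datetime                 # account creation time (UTC)
    last_logon: Optional[datetime]    # None if the account has never logged on
    enabled: bool = True


def is_inactive(account: Account, now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """True if the account has had no logon for `limit` or longer.

    Edge case: an account that has never logged on is measured from its creation
    time, so a stale never-used account is still caught. (Assumption: the article
    does not say how never-used accounts are measured.)
    """
    reference = account.last_logon if account.last_logon is not None else account.created
    return now - reference >= limit


def select_accounts_to_disable(accounts: Iterable[Account], now: datetime) -> List[str]:
    """Names of still-enabled accounts that meet the inactivity threshold (sorted)."""
    return sorted(a.name for a in accounts if a.enabled and is_inactive(a, now))


# Constructed sample inventory (not real data).
UTC = timezone.utc
NOW = datetime(2021, 3, 1, tzinfo=UTC)
OLD = datetime(2019, 1, 1, tzinfo=UTC)
SAMPLE_ACCOUNTS = [
    Account("alice", OLD, NOW - timedelta(days=3)),                    # active: keep
    Account("bob", OLD, NOW - timedelta(days=60)),                     # exactly 60 days: disable
    Account("carol", OLD, NOW - timedelta(days=59)),                   # 59 days: keep
    Account("dave", NOW - timedelta(days=90), None),                   # never used, 90 days old: disable
    Account("erin", NOW - timedelta(days=10), None),                   # new, never used yet: keep
    Account("frank", OLD, NOW - timedelta(days=400), enabled=False),   # already disabled: skip
]

if __name__ == "__main__":
    for name in select_accounts_to_disable(SAMPLE_ACCOUNTS, NOW):
        print(f"disable: {name}")
```

In production the inventory would come from the directory service and the returned names would be fed to its disable operation, with the run logged for audit evidence.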
2021 Bottom Line: Establish a Cyberdefense Strategy
2021 will witness more, not less, of the types of massive cyberattacks we have seen in recent years. These attacks are highly disruptive to business operations and finance. Given the increasing frequency and sophistication of cyberattacks, how does an organization improve its cyberdefense? Every organization must establish its cybersecurity strategy.
My recommendation is that organizations take the first step and establish a deeper understanding of the HITRUST CSF standard. Business processes will be impacted for the better and will be hardened to ensure that certification requirements are appropriately implemented. As a direct result of the effort toward HITRUST CSF certification, a cyberresilient information risk management and compliance program will be established. That must be a priority in these times of COVID-19 cyberattacks disrupting business.
Uday Ali Pabrai, CCSFP, CISSP, ISSAP, ISSMP, Security+
Pabrai is the chief executive of ecfirst, an Inc. 500 business. His career was launched with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. Pabrai can be reached at Pabrai@ecfirst.com.
Endnotes
1 HITRUST, HITRUST CSF, USA, 2020
2 National Institute of Standards and Technology (NIST), Cybersecurity Framework, USA, 2013
3 Intersoft Consulting, General Data Protection Regulation GDPR, Belgium, 2018
4 New York State Department of Financial Services (DFS), Cybersecurity Regulation (23 NYCRR 500), USA, 2017
5 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001 Information Security Management, Switzerland
6 US Department of Health and Human Services, Health Information Privacy
7 Stokes, A.; M. Childress; “The Cybersecurity Maturity Model Certification Explained: What Defense Contractors Need to Know,” CSO, 8 April 2020