There is no guarantee a company can withstand a determined nation-state's cyberattack, but good cyber hygiene will go a long way toward basic protection and recovery, experts say.
Many suggest adopting the Cybersecurity Framework published by the Gaithersburg, Maryland-based National Institute of Standards and Technology, which organizes a security program around identifying, protecting, detecting, responding and recovering.
“You have to do basically a risk assessment,” said Joshua Larocca, New York-based senior managing director at Stroz Friedberg, an Aon PLC unit. “Build a program that’s designed to harden and protect your business,” he said.
“Eventually, a determined attacker will find a way in,” said Josh Lospinoso, co-founder and CEO of Rosslyn, Virginia-based Shift5 Inc., a cybersecurity company that specializes in transportation. “They will find a weakness in the armor, and then your job is to identify that intrusion as quickly as possible and remediate it.”
Mr. Larocca said the No. 1 question he gets asked is how soon a business can be up and running after an attack. The answer will be influenced by the environment it operates in and decisions made leading up to the incident, he said.
Cybersecurity plans should be regularly updated, said Michael Bahar, a partner with Eversheds Sutherland LLP in Washington.
“Even if you were really buttoned up and secure two years ago, it’s time to look at it again, because people figure a way in,” he said.
The threat posed by nation-state infiltration of the United States' critical infrastructure is growing, and the federal government and private companies must do more to address the risk, experts say.