Press Release  AG Healey Urges Businesses and Organizations to Remain on Guard Against Cyberattacks This Holiday Season

BOSTON — In light of persistent and ongoing cyber threats this holiday season, AG Healey is urging Massachusetts organizations—especially critical infrastructure owners and operators—to adopt a heightened state of vigilance against cyberattacks and to proactively assess existing data security practices.

“Cybercrime is a prominent and persistent threat against both our public infrastructure and our private enterprises,” said AG Healey. “We urge all Massachusetts businesses and government organizations to take action to strengthen their cyber defenses, and we will continue to work alongside our federal law enforcement partners to address evolving security threats.”

Last week, the federal Cybersecurity and Infrastructure Security Agency (CISA) urged business leaders and operators of critical infrastructure— such as public utilities, government organizations and agencies, logistics and transportation firms, and healthcare providers— to take immediate steps to strengthen their organization’s operational resiliency against cyber threats. AG Healey joins CISA in offering the following actions to reinforce their defenses:

1. Increase organizational vigilance by ensuring there are no gaps in Information Technology (IT)/Operational Technology (OT) security personnel coverage and that staff provides continual monitoring for all types of anomalous behavior. Security coverage is particularly important during the winter holiday season when organizations typically have lower staffing. 
2. Prepare your organization for rapid response by adopting a state of heightened awareness. Create, update, or review your cyber incident response procedures and ensure your personnel are familiar with the key steps they need to take during and following an incident. Have staff check reporting processes and exercise continuity of operations plans to test your ability to operate key functions in an IT-constrained or otherwise degraded environment. Consider your organization’s cross-sector dependencies and the impact that a potential incident at your organization may have on other sectors, as well as how an incident at those sectors could affect your organization. 
3. Ensure your network defenders implement cybersecurity best practices. Enforce multi-factor authentication and strong passwords, install software updates (prioritizing known exploited vulnerabilities), and secure accounts and credentials.  
4. Stay informed about current cybersecurity threats and malicious techniques. Encourage your IT/OT security staff to subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat. CISA regularly announces emerging security threats to organizations, such as security vulnerabilities with ApacheLog4j, a commonly used open-source application.
5. Lower the threshold for threat and information sharing. Immediately report cybersecurity incidents and anomalous activity to CISA and/or the FBI.

Cyberattacks can cause substantial disruptions to businesses, government agencies and other targets. Earlier this year, a widely-reported cybersecurity breach at Colonial Pipeline led to fuel shortages across the East Coast. In April 2021, the city of Lawrence, Massachusetts faced ransomware attacks against systems at City Hall, the Lawrence Police Department and the Lawrence Fire Department. A similar ransomware attack targeted the Brockton, Massachusetts police department in July 2021.

The Massachusetts Data Security Regulations, which the AG’s Office regularly enforces, also require entities to employ many of the above safeguards with respect to personal information about Massachusetts residents that an entity maintains, stores, transmits, or processes electronically.

All organizations, regardless of sector, size, or location, must recognize that no company is safe from being targeted by ransomware and other cyber threats. Detailed guidance and resources from the U.S. Cybersecurity & Infrastructure Security Agency can be found at CISA Insights: Preparing For and Mitigating Potential Cyber Threats.  

The National Institute of Standards and Technology also provide guidelines and practices for organizations to better manage and reduce cybersecurity risk. More information can be found here.  
 

###