In this webinar, Rebecca Christiansen, Windes Director of Information Technology, discussed common cybersecurity misconceptions that can leave organizations vulnerable to attack.
Rebecca was joined by Jon Murphy of Alliant Cybersecurity as they uncovered some of the myths and assumptions that clients have had about their cybersecurity posture, potentially exposing their organizations to risk. Also discussed were the various steps organizations should take to minimize their exposure and better protect themselves from the ever-changing cybersecurity threat landscape.
The webinar was recorded on January 27, 2021.
Presenters
Rebecca Christiansen, CPA, MST was the Director of Operations and Information Technology (IT) at Windes. She headed the Windes Cybersecurity practice, which offers a full suite of cybersecurity services. Rebecca conducts numerous trainings on a variety of technical and professional topics and writes a regular cybersecurity blog for the firm’s website.
Jon Murphy is the Vice President of Alliant Cybersecurity Services. He has 25+ years as a Business Technology Leader and IT Risk Management Consultant. Jon has created and led Technology Risk Management programs for federal and state governmental entities, eCommerce organizations, and many other verticals.
Rebecca Christiansen:
On behalf of Windes and Alliant Cybersecurity, I would like to thank you all for joining us today for what we hope will be a helpful and informative webcast. I am Rebecca Christiansen and I am the director of operations and IT at Windes, and we are an accounting firm in Southern California that provides full service and has been in business for 95 years. I am joined today by Jon Murphy, who is the vice president of cybersecurity services for Alliant Cybersecurity. Windes and Alliant have had a decade-long relationship that allows us to provide a range of consultative services to our clients, so that no matter what the issue is, you can turn to us for help. We have provided our contact information here.
If you have questions or concerns that pop up after this webcast, or if you’re interested in more information, we encourage you to reach out to one or both of us. Jon and I are both always happy to talk about cybersecurity and do whatever we can to help organizations be better protected, so please don’t hesitate to reach out. Then we have provided a little more information to establish our bona fides. We will be posting this webinar on the Windes website and sending you all a copy of these slides in the next few days, so that you can refer back to the material or share it with others in your organization, so you’ll be able to read through this stuff in a little more detail and a little bit of housekeeping.
At the bottom of your screen, you should have a Q and A button. We will be answering all questions at the end. If you have a question during the webinar, please just type it into the Q and A box and we will try to get through as many questions as we can at the end of the presentation. With that, we will jump in. We are doing this presentation now in a very… it was unique, but it’s now been going on for a year, and cybersecurity is a topic that’s been all over the news with the FireEye, followed by the SolarWinds hack.
While these are really high profile incidents that may seem remote for small and medium-sized organizations and it may seem like non-issues for you, those attacks are receiving all the media coverage, but the sheer number of attacks across all industries, organizations, sizes, sophistication levels is just going through the roof and has been increasing drastically since COVID. You can see a number of statistics here related to the increasing number of attacks, phishing attacks, actual ransomware attacks. One of the scary things that last bullet point, a significant number of companies weren’t prepared when they moved remote as a result of COVID.
Small and medium-sized businesses and organizations are just as reliant on technology as big organizations, but they don’t have the same budget, they don’t have the same personnel to throw at this as a problem and the barriers for cybercrime are extremely low. The Twitter hack was orchestrated by a 17-year-old who had just graduated high school. People can get into this and create an entire industry, multi-billion dollar industry just attacking people and putting out ransomware attacks, and getting your credentials and selling into other people. Even though you might be small and you may not be a Twitter, you may not be a SolarWinds, you may not be one of those big organizations, your data only has to have value to you for them to make money off of you.
Also, with COVID, the stakes are significantly higher for a number of small and medium-sized organizations because they’re struggling so much under the economic challenges of COVID. A cyber-attack might just be the straw that breaks the camel’s back. Because of COVID and because we are all so separate and again, a number of organizations just weren’t prepared from a cybersecurity standpoint, we’re all much more vulnerable to these attacks, and cyber criminals are benefiting from the heightened emotions that people are experiencing, the stress, the concern about COVID, and that makes people do things that they wouldn’t necessarily do in a normal environment. That’s where we find ourselves. I’ll pass it off to Jon.
Jon Murphy:
Rebecca, this slide talks about the major different areas of threat actors or threat vectors. A lot of folks seem to think that they’re safe because they’re not a target of nation states, and we’ll talk about that one last, but really you’ve got to think about the cyber criminals. The cybercriminal as you mentioned can be the 17-year-old who just graduated in high school that is smart enough to get onto the dark web and hire a hacker as a service. You’ve heard of software as a service, or platform as a service, or structure as a service. There’s hacking as a service over on the dark web, and it doesn’t cost that much, and they’ll be happy to take your credit card and give you a receipt.
Then there’s always insider threats and you say, “Well, we hire the very best people in our organization, we shouldn’t have any insider threats.” Yes, you shouldn’t, but sometimes out of negligence or unpreparedness or unawareness, they cause an incident and then occasionally, some of our folks get disenfranchised and they do go out there and hire hacker as a service, or leak information to the competition or what have you. Then there’s hacktivists. No matter where you stand in the political spectrum, you’re probably perturbing somebody in your organization. There is a hacktivist group, or a group that will hire hacktivists to come after you for one thing or another.
It seems like everybody got their feelings on their sleeves these days. No matter what your cause, we have non-profits that help the homeless that are being attacked by hacktivists, so you can’t win for losing. Nation states, a lot of folks say, “Well, I’m not a Twitter, I’m not a Facebook, nobody would come after me.” That’s not necessarily true. They may not come after you directly, but in your supply chain, you certainly can be affected, and that’s the case with SolarWinds. These bad actors were smart enough to attack a major supplier of IT surveillance and operations monitoring, that’s what SolarWinds does and they had contracts with almost everybody, including people probably in your supply chain no matter what industry you’re in.
By virtue of that relationship with the supply chain, you may already be affected, or you could be affected depending on how the SolarWinds thing plays out. This slide is not new, but it is very telling. Basically, it says that if you’re an SMB, you’re targeted. Fifty percent plus according to the FBI of all the attacks come at SMBs, and it’s just exactly like Rebecca said because they are aware that you don’t have the technological sophistication or the budget or the time, or any other resources to fight back, as well as say Bank of America or Twitter or Facebook. The reason that that is such a compelling thing is there’s more of us. There’s more SMBs than there are big Fortune 500s or Fortune 1000s.
Most of American business is classified as SMB. It’s a target rich environment, and then knowing that you’re not as well-defended don’t have that defense in depth. The sad state of affairs is that if there’s a successful compromise of your organization, a breach is the word that comes to mind, but that has a special legal definition. If that occurs and you haven’t done all the right things in advance before that breach, unfortunately as many as 60% of those companies are out of business within six months. You say, “Well, how does that happen?” There’s one statistic there in the lower right hand corner that talks volumes about that, and that’s that 75% of SMB employees probably leave their computers unsecured, or at least they used to in the office and you have no idea what they’re doing at home.
Is there a cousin, is there a child, is there a brother, is there a sister, is there a spouse using that same computer to do other things? Stream music, go shopping on Amazon, or whatever and what provisions are built into that home network to protect you. The experts will tell you that the cost of a cyber-breach is going up. In spite of our technological advances, the bad actors are advancing us faster, but basically the magic number is about a $150 per record according to the Ponemon Institute and the Verizon cost of cyber breach study. You say, “What’s a record?” It’s a customer. If you’ve got information on a thousand customers, that’s a $150,000, right? That’s the simple math.
You say, “What compromise is that? What is it that makes up that $150,000?” It’s the mandatory notifications that you have to do. It’s the reporting to the state’s attorney’s general that you have clients or customers in. Remember, if you’re in California, there are additional CCPA pieces that play to that. If you have clients or customers in other states, then you have to play by their rules as well. That 150 is really the low side number, times each record that a compromise could cost you.
Rebecca Christiansen:
If you have Social Security numbers that are compromised, then you often end up paying for credit monitoring for those people for another year, so that’s an additional adds to that.
Jon Murphy:
That’s typically $10 a month per person for three years, so that number can add up very, very fast.
Rebecca Christiansen:
Right.
Jon Murphy:
On our next slide, there’s some very alarming numbers there that tells you that there’s bad news and it’s getting worse at the speed of light. By that, I mean let’s think about it in the time it took for certain things to happen with technological advances. It took 62 years before the automobile was invented, until there was 50 million users, 62 years. For TV, it was just 22 years from the time it was invented until there was 50 million users. For the internet, it only took seven years. For Twitter, it took under two years. That exponential rate is accelerating, and there is nothing that can cause more harm quicker than a computer other than a bullet, and that’s a paraphrase from Admiral Grace Hopper, the world’s second programmer of the first computer, a wonderful lady who was ahead of our time.
Rebecca Christiansen:
While we didn’t list this as a cyber myth, hopefully we’ve convinced you that while you may not be a big organization, you are still a target, which a lot of people do feel like, “Oh, I’m not one of those big ones. I’m not a target. I don’t need to worry about this.” Hopefully that beginning, even though we, like I said, didn’t list it as a myth, convinced you that you are a target every second of every day. With that, we’ll jump into our first cyber myth, and this is one that we hear from a lot of clients when we talk to them about cybersecurity.
We have clients that both have an internal IT team or an external MSP, or they have a combination of both and a lot of people are under the misconception that if you have your IT team that they are focused on this, that they are taking care of your cybersecurity and it’s not something that you need to have additional resources for. What we like to share with everyone is that there really is a dividing line between the people who are handling your information technology and people who focus on cybersecurity. Odds are your IT people are very busy just dealing with the day-to-day, making sure that you’re connected, making sure that your servers are up.
Yes, they probably configured a firewall, yes, they may have set giving you guidance on router settings, yes, they have done things that are related to cybersecurity, but cybersecurity is changing constantly, rapidly. Every time there’s a patch, there’s somebody trying to find a way around it. While your team is focused on just up time, there are people out there who are constantly trying to break into your company, and they also have a very different mindset and focus. We like to say that IT’s job is to keep the lights on. Cybersecurity keeps the doors and the windows locked.
It’s really important to understand that if you don’t have someone in your firm who is specifically focused on security whose job it is, that’s what they do, an information security officer or if you have a third party cybersecurity consultant, then you probably are exposed and missing a lot of vulnerabilities that you have in existence. It’s really important to understand the difference between those two.
Jon Murphy:
Another point to add to that Rebecca is that in a typical organization that experiences a change that goes through a business, the IT people that are involved with that business experience more change in a month than the rest of the organization does in a year. If that’s not enough in the cybersecurity world, they experience more change in a week than the rest of IT does in a year. That’s how volatile it is, and that’s why the specialization is absolutely so important. I’ve got my MSP or my IT company, and they’ve got me a great firewall and anti-malware, so I’m covered, right? We hear that so many times that I’ve got those two basic components and we’re done. Well, that’s not exactly right.
There’s a concept from the military called defense in depth. It’s about having layers and in some cases, redundant layers of security. The idea is that the more distance between the keys to the kingdom, the important things of your organization and the perimeter where the bad actors have to come in hopefully, the better, and that diagram shows you some of the typical defenses in depth. When I first started in this business a couple decades ago, this defense in depth model was three layers deep. You now see eight. Some of the experts say it ought to be 12 layers deep.
The idea is more is better and yes, it does add to complexity, and it does in some cases add to expense, but the idea is there that one single process, or one single technology or layer of defense can readily be bypassed, so you need multiple layers. It’s like the burglar alarm sign out in front of your house. If you’ve got enough layers of defense in depth when the bad actors look at your yard, your external perimeter, they’ll see that it’s not just a single firewall and maybe perhaps, Lord willing and the creek doesn’t rise as we say here in Texas, they’ll move on to an easier less hardened target. That’s the point of having multiple layers ideally defense in depth redundantly.
Rebecca Christiansen:
One of the other things that we hear a lot from our clients is we’ve got cyber liability insurance, so we’re good, we know we’re okay. If something happens, insurance will cover us. That’s actually a very dangerous philosophy to have. There’s been a number of instances where we’re seeing insurance companies withholding funds because the insured is not following best practices. A lot of the time when you get the application for your cyber insurance policy, there’s a number of questions that you answer, and a lot of times people just go in and check yes, yes, I’m doing this, I’m doing this.
Well, did you really, and you won’t know that that’s an issue until you have an incident and you try to file a claim, and they ask you, “Well, can we see your cybersecurity policy? Can we see the results of your last penetration test? Can we see the documentation for the steps that you’ve taken to protect your company?” In addition, there are certain things that really just can’t be covered by insurance, and you can see right there, the loss of your reputation. Imagine FireEye, their job is cybersecurity and they were breached, and just you see things like stock value falling. A number of us aren’t publicly traded, but as a CPA firm, if we have an incident, we’re going to lose reputation, we’re going to lose that trust that we’ve been building for 95 years.
That’s something that no amount of money can replace. Also, having assisted clients with dealing with these breaches, just the amount of time that your team will be using to try and deal with notifications, cleaning up the mess and patching the holes, those kinds of things are obviously again not something that can be recovered by insurance. You also see that the treasury department is proposing levying fines on insurance companies and individuals who pay ransomware, especially if those ransoms come from foreign parties.
It’s really important for you to make sure that yes, you absolutely need cyber insurance, but you need to make sure that you’re actually answering all those questions correctly, and the number of that’s going to require you to take steps internally to do a risk review and mitigate those issues before you actually have coverage.
Jon Murphy:
The devil is in the detail on those cyber liability insurance policies. If you’re in doubt, contact Rebecca or myself and we’ll help you put some plain English around it, and give you guidance on what is covered, what isn’t covered, and what that means for your business’s bottom line.
Rebecca Christiansen:
This one, I’ve had this from a number of clients as well. “Oh, my people are really good at spotting phishing emails. They always either forward them to us in IT, or they delete them. They know what they’re looking for,” and the reason this one is significant is because a significant number of breaches occur because of human error. No matter what kinds of hardware, software you put into place to try and prevent a breach, the vast majority occur because someone clicked on a link or someone entered their credentials where they shouldn’t have. Phishing scams are it’s still really popular because it is so effective, and they are becoming incredibly sophisticated.
Deep fakes are this new evolution of social engineering, and they create incredibly detailed spoofs to get victims to do something that they wouldn’t ordinarily do. There was one I had to send an email out to my firm a few weeks ago because Microsoft even said, “This new phishing is coming out. It looks just like your normal Teams notification that tells you someone’s trying to reach you on Teams. It has a link in there for you to click on it to take you to Teams and then you enter your Windows credentials, your Microsoft credentials and they’ve got them.” It’s really important to train your people. Even the best people will occasionally fall for it.
It’s better to have them fall for one of your training sessions, than it is for them to fall for a legitimate phishing scam. You can see that phishing scams are just they’ve been up 50% since the COVID lockdowns, and they know because people are remote and they can’t look over at someone and say, “Hey, did you get this email. Is this legit?” They click on links.
If you don’t have a training program already deployed and there are a number of them out there, it should include at least an annual training for your employees that shows them all of the red flags that they can see in phishing emails, gives them instructions like you don’t click on the link, you go directly to your browser and type in the website, you type in Zoom and join the meeting by entering the Zoom meeting, unless you’re expecting the email, you know the person who’s sending it to you, you never open an attachment. Always confirm the identity of the sender using contact information that’s not in the email. Don’t use the email address that’s in there, don’t use the phone number that’s in there. Use historical communication methods so that you know that you’re confirming their identity from a third party.
Jon Murphy:
Those are all excellent points Rebecca, and one other thing that we’ve noticed is that if you undertake a programmatic approach to that security education training and awareness, in other words, not just ad hoc and once a year is better than nothing, but if you do it more on a recurring basis, including maybe some phishing schemes of your own, we see organizations are three to five times less likely to be compromised than those that do not have a programmatic approach to SETA, security education training and awareness.
Rebecca Christiansen:
I have one more thing on top of that. If you do the training, even if you don’t, you should also exercise best practices in your own internal communications. Don’t make it a habit to send unexpected emails to your team that includes hyperlinks that you want them to click on. You want them to be suspicious of every email they get that has an attachment, or link that they aren’t expecting. If you do need to do that which we do internally, we preface it either with an announcement through Teams or with a separate email that’s clearly legitimate that says, “We’re going to be sending you an email it looks like this. The links in this one are secure. You may click on them,” that kind of thing.
Thinking of this from experience of my husband’s company, he tells me all the time, “They sent an email to him saying he was enrolled in cybersecurity training. It was an unsolicited email and it had a hyperlink in it.” He said, “This is the worst thing you could possibly do because you’re trying to teach me not to click on these links by clicking on this link.” Think about those things too when you’re communicating with your team, train them, but then also follow best practices, so that they don’t have to think quite hard, they just know I shouldn’t click on any links.
Jon Murphy:
This particular myth is also very prevalent, because we have data backups, whether that’s the tape or the cloud or disk to disk, or whatever method they’re doing. If we get infected ransomware, we’re okay, we’ll just restore from backups. Well, are you sure, because the reason why we asked that is because backups now are not as good as they used to be. In fact, if you go old school, you’re going to be better off than if the latest and greatest just to this. You say, “Why?” There are ransomware variants that can jump from your production environment to your backup environment if there’s not extra protections. We recommend something called the three, two, one strategy which is three different copies of your data.
Typically, one in production and two different copies of those backups. The two means that we want it on two different storage media, so perhaps disk and then an off-site version that’s on tape. Ideally, that tape should be air-gapped, that is, not immediately online, and the reason why you want that is because that makes it that much more difficult for the ransomware to jump from the disk to the tape. Always encrypt those backups, especially if it’s the keys to the kingdom, your financials or as Rebecca said early on, if it’s important to you, the bad actors are going to make sure it’s important to them. The backups should be routine, not when you think about it every now and then.
You should be doing it daily, weekly, many times a day, depending on your system. Backups don’t cost nearly as much as they used to. We talk about the encryption, and we also suggest that this is a little bit technical. When you’re talking to your vendor that does your backups, ask them if there are breadcrumbs that go to the backups, and breadcrumbs are just exactly what they sound like. They are technological hints at where the data came from and where it went to. You don’t want to give that additional information to the bad actors. You can do backups without those breadcrumbs. It’s a feature in most backup systems you can turn off, and then the most important thing is are you testing those backups, restoring them on a regular basis?
We’ve talked to organizations that have been very confident. They’ve had the best backups forever and we’ll say, “Okay, when was the last time you tested it?” They said, “Well, we recorded these backups every day for the last three years and everything’s fine.” I said, “Let me ask you again. When’s the last time that you actually brought one of those tapes back into the production environment and repopulated, re-hydrated the database or an exchange email box, or whatever the case was?” Most of the time, the answer is “Ah, we’ve never done that.” It’s important that you do that because bad actors may have already gotten into your environment and already corrupted those backups, and that’s a good way to find out, and they’re just waiting until the time is right to spring it on you.
That’s called dwell time and bad actor dwell time now is somewhere almost close to half a year on average. Testing the backups is a good way to find out if you’ve been compromised. Next, I’m a smart person and I know right away if something was wrong in my computer or network. Well, I have been in this business for close to three decades, and I don’t know everything about the way bad actors work and never will. They invent and take features and functionality that our OEMs, our original equipment manufacturers are rolling out to us to make our lives better and spend all day, all night drinking Red Bulls and eating raw meat to figure out how to turn those features into flaws, and they do it very successfully.
I can assure you that they will get in there and look around for months before they spring something on you. Why do they do that? They find out where the keys to the kingdom are. They figure out how you approve invoices, how you move money around, who’s going on vacation, what M&A activity you’re about to do. All that intelligence that they collect, they will use against you not in the court of law, but in their extortion of you in the ransomware, or there’s even something called double extortion now, and that’s even more problematic. That’s basically where they ransom your data and then you say, “Well, that’s okay, I’ve got backups, I’ll take care of it and bring it back.”
Then they say, “Well, we’ve exfiltrated, we’ve taken your data out of your environment,” and that means you have to tell the state’s attorney’s generals, the FBI, whoever it is in your jurisdiction. They’ll tell you because that’s how smart they are and if you don’t do that, we will tell on you and you’ll be fined, arrested, jailed, whatever. That double extortion is even more of a problem out there, and knowing that they will work that hard shows that it’s a business to them. It absolutely is a business. The worst part about this is that in spite of your best intentions, having a good IT team, having an MSP, managed service provider or some MSPs say they also do security, when that compromise actually occurs, about 80% to 90% of the time, you’re not the one that discovers it.
You get a knock on the door from the FBI, or probably the worst one is when your client calls you up and says, “Why don’t you send me this weird email with click here? I need to press hard three copies and my next invoice has to go somewhere else. Why did you send that?” That’s when you learn oh my, I have been compromised and now I’ve got lots of what the old I Love Lucy’s thing used to say, “Lucy you got some ‘splaning to do.” That’s what happens when you have to notify all those clients that you’ve been compromised. One of the things that helps avoid all that is having something called managed detection and response service or MDR. It’s where there’s 24/7 people that are trained and expert watching systems that look out for your health and well-being around security specifically.
Now if you want to know more about that, please contact Rebecca or myself.
Rebecca Christiansen:
Yeah, it’s definitely a cost-effective way to essentially bring in cybersecurity… have a team essentially that’s dedicated to your cybersecurity monitoring your system, which keeps your IT team able to focus on the things that they’re focused on, but as Jon said, you’ve got a team of human beings who are watching the system and if anything looks out of the ordinary or is concerning, they’ll immediately reach out to your IT team, and they’ll put on a coordinated attempt to determine if it really is a concern, but as you can see there, if you can decrease that dwell time dramatically, then you can limit the impact to your business overall and shut them down early, and that can save you hundreds of thousands of dollars in the long run.
This is another one that we hear as people are starting to transition their infrastructure into the cloud, a lot of people particularly that we work with deal with Microsoft and Azure. They say, “Well, my network, everything’s in the cloud. Microsoft takes care of my security, or my cloud provider takes care of my security,” and this is one that we shake our heads at quite a bit.
Jon Murphy:
The reason why is if you think about it and the headlines are our best friend in the cybersecurity world, every one of the major cloud providers has been compromised probably within the last two years, AWS, Azure, IBM, ad nauseam. They don’t have it dialed in perfectly yet. Also, there’s something called the shared security model, and what that basically means is security of the cloud, the physical data center, the operating system of the physical devices, the way you get into their environment and so forth and so on is all covered by those CSPs, cloud services provider. That’s their job and generally, they do a pretty good job, but of what you have up in the cloud, that’s all you.
When I say you, the individual businesses, and the users. You say, “Well, what does that entail?” Configuration management, how you have your firewall set up, how you have your server set up, who is allowed to access certain elements of your server, who can add new users remove new users, who can add new files, remove new files? Then you have the software that you’ve got hosted or running up there in the cloud, and that’s everything from your tax and accounting and financials to your ERP system, to if you’re a software as a service developer, you develop it up there. All of that has to be patched and maintained, not the cloud provider’s job, yours. Then there’s backups.
They offer the service of backups, but if you don’t set them up, encrypt them, and do the actual backups in a timely manner in that three, two, one mode that we talked about, it’s no good. You don’t have the protection you need and lastly, a lot of companies will say, “Well, encryption threat slows things down.” In the bad old days, it sure did. Now with what they call edge computing and a few other factors and content delivery networks, that’s not true. Encryption does add a little overhead, but it’s hardly noticeable to the end user. There’s really no excuse whatsoever for not using it, especially on your most sensitive vital information, whatever that is to you, your recipes for the famous cookies that you make or the financials or your customers, whatever it is you think it is.
If it’s important to you, you really ought to be encrypting it.
Rebecca Christiansen:
Tangentially related there, you probably have a number of vendors and people that you work with and talked about with the SolarWinds. If there’s an upstream breach, you will still be affected. Just because you have your information in the cloud, if you have a vendor or a third party who somehow is connecting with your information, they could be a point of weakness in your system. If you’re not considering that, your cloud provider has nothing to do with them, that’s an entirely separate vector for attack.
Jon Murphy:
Well said.
Rebecca Christiansen:
Now, we have told you all the things that you’re not doing right, or that you’re assuming are taken care of that are not. What can you actually do to protect yourself and your organization? The area that we always recommend as a starting point is the risk assessments. If you don’t know where you stand now and no idea where you need to be, any road will get you nowhere.
Jon Murphy:
That’s it.
Rebecca Christiansen:
Risk assessments are an opportunity to… it’s not just a technology assessment. It examines people, process, and technology. We recommend that it be repeated every year annually, and the results of that will be an actionable plan that you can use to continuously improve, and all of these processes with the cyber program are insurance against future breaches that are going to be exponentially costlier to you than the expenses that you put in now. We know that again under COVID, a lot of organizations are having struggles financially, and that it’s hard to think of doing another thing that’s going to just add to your budget particularly if it wasn’t already included in your budget.
The very first thing I want to say, and I know that most of you did your budgets before the beginning of the calendar year, but to seriously think about looking at your IT budget and cybersecurity should not be a part of that, that’s what they need to keep your organization going. You need to seriously consider allocating funds to cybersecurity either to a risk assessment, to MDR, to your annual penetration test. It’s something that you should be doing every year, and it’s something that you should consider and build it into your plan in addition to having a security mindset with every change you do in your organization.
This risk assessment will look at again everything that you do, all of your processes, your change management, whether you have employees who have administrative control over their own device, whether you have third parties that are accessing your system in some way and looks over all of that, and then gives you a roadmap and steps that you can take that you can budget out over the next 12, 24, 36 months to get progressively more effective in securing your organization. As you can see, the next step would be building that road map. When you perform the risk assessment, you want to make sure that it follows a recognized framework. There are a number out there.
Jon is involved in a lot of them, and he was part of the team that developed the NIST framework that is used all over the country. You want to build this roadmap based on the results of your assessment using that framework. You want to look at your company’s risk appetite. Obviously, if you have less of a risk appetite, it’s going to be more important for you to put in stronger controls, and it’s also important for you to have a statement that is the basis for the approach that your company is going to take, your organization’s going to take towards cyber issues. You need to look at your industry and the rates of attack and breach in that industry and see how high of a target you are.
It’s also important to talk to obviously your IT team and/or your MSP to find out what your current state is, that would be part of the risk assessment. You should ask your IT department three questions. How do we know nothing got in last night that should not have? How do we know if everything security wise is working as it should be, and how do we know that nothing got out last night that should not have? Those are conversations that you should have, and it’s the kind of thing that Windes and Alliant are able to assist in those conversations and would be part of again a cyber risk review.
Once you’ve determined what your current state of cybersecurity is, you want to determine what the next steps are in a risk rank prioritize approach, so that you can figure out where you need to make those adjustments. Obviously, we want to make sure that you have continuing education in some way with your team, make sure you’re training your people regularly with some kind of phishing tests and with an annual cybersecurity training for your people. We also like to share with everybody and explain that cybersecurity is not a destination. You will never be protected fully. It’s always going to be an evolving thing that you’re going to again need to have someone in your organization who is focused on this and sees every change every day as how is security affected in this.
All these services are things that Windes and Alliant can assist with. Hopefully, you all get to start at the assess point and do some a risk assessment, and then build out your infrastructure in the design, manage it using all of your education options, creating your policy, doing your regular annual penetration tests, dealing with a vCISO if you don’t have an internal CISO and again, managed security services would be the MDR that Jon and I spoke about earlier. If you have other organizations that you report to, like you do government work or if you do work under GDPR in Europe, or a number of other organizations that require specific compliance, then you would need assessments and assistance preparing for those.
I know CMMC has been changing the last few months if you do government work and you’re not looking into your CMMC compliance, that’s something that you should reach out to us for to assist with. Hopefully, you never have to get to the response bubble, but if you do, then it’s important that you have an incident response plan, so that if it happens, you’re prepared, your team knows what to do immediately, and you can minimize the impact to your organization. If you don’t have an incident response plan and something happens, please again reach out to us so that we can assist you with that recovery process. Jon, we talked a little bit about MDR.
Jon Murphy:
Managed detection and response is that service that gives you an extra set of trained expert eyes on glass, looking at your environment. They’re dedicated to you. They are looking to see what may look out of the ordinary, or if something’s gone awry. In the best services, they are able to immediately remotely take control of that situation and alleviate it, or ameliorate it to some degree and then reach out to you for continued guidance on what exactly should be done next. The idea here is it’s not just another piece of technology. They’re trained experts with an escalation path of other experts they call on, and it is a complete system.
It’s people, process, and technology that all gets worked out with you pre-need so to speak and as Rebecca said, it’s very economical. It is a force multiplier that gives you the same kind of controls on monitoring your environment and as Rebecca said in things like CMMC, CCPA, GDPR, that’s one of the requirements is that your environment is constantly monitored, and that takes a lot of people and a lot of technology and a lot of money. This is an alternative to keeping those costs under control and getting all of those check marks done. It’s a service that we offer and very proud of, and we use a follow the sun model. Whether you’re East Coast, West Coast, in Europe, we can make sure that you’ve got real time professionals helping you. We wanted to make sure that you’ve got some resources here.
The first link and yes, it’s safe to click on it is a way to check about the strength of your password. It is from a company called LastPass.com. LastPass is a well-known provider of what they call password management software. This is a free service that they offer and yes, they will send advertisements to you once you click on it about how secure your current password is, whether it’s your home password or your corporate password. If you go and acquire LastPass as software or talk to Rebecca, and we can help you with that, it gives you an enterprise ability to make sure everybody’s using complex, strong passwords that are changed frequently, but here’s the good part.
Once you use LastPass, you only have to keep up with one, one password. It knows when you’re going to those other systems, whether it be your payroll, your [inaudible 00:41:57], your ERP, your client relationship management, whatever it is, it knows all those. It creates very complex passwords that are very strong and you only have to remember the one because when you go to erpss.com, it knows erps.com, it knows who we are. It supplies the user ID and password and you don’t have to remember it. Just the one password to get you there, and there’s other software out there like that password management systems, but LastPass has the free ability to check your password.
Another is from our own Alliant Cybersecurity blog on what business email compromise is and, in a nutshell, that’s where the bad actors have been studying you using social media, social engineering, maybe doing some phishing. They’ve learned enough about you on who to spoof, like maybe the CFO’s on a 3-week cruise or maybe before COVID, and they look like they send an email to the controller to cut a new check to some supplier or a different bank account. There’s all kinds of variants of it, but the FBI says this is one of the number one ways that bad actors are siphoning off billions of money from the US economy.
The third bullet there is again from a reputable outfit that will tell you if your email address, whatever you put in, your personal or your corporate has ever been part of a publicly known breach. You say, “Well, what’s that got to do with the price of tea in China?” Well, it’s a lot because there have been different breaches all across the world over the years. There was a LinkedIn breach, there was an Anthem breach, there was a Blue Cross, Blue Shield breach, there was a SolarWinds breach. If your organization signed up for one of those services using your corporate email, God forbid, they use the same password they use on the systems, this will tell you and you can certainly go in and go, “Oh wow, we had 50 people that were part of the Sheraton breach a few years back.
We sure hope they’ve changed their passwords.” Well you know who to go ask about that. That’s one of the services that we run, but this is something you can do on a one-off situation. Then lastly is a great article out of the California. I can’t remember what district it is, but it’s one of the district courts in California about what a judge thinks is reasonable cybersecurity, what’s enough because everybody says, “How much is enough security?” This is a judge that is in your jurisdiction if you’re in California that defines that it should be something around the NIST cybersecurity framework, or I think he actually cites the Center for Internet Security, CIS top 20. It’s a great article on getting a litigator’s mind around what is enough cybersecurity.
Rebecca Christiansen:
Obviously, we wanted to provide you with resources, and this webinar is free and important to us that you all be educated and aware of this issue and what you can do to protect yourselves, but we do want to remind you that while these resources are free, do remember that top quality is seldom free. Case in point, I’m sure many of you prepare your own taxes via TurboTax or know someone who has. Well, they have a free web-based software to do that. Well, that’s been hacked in 2015, 2019, and 2020. Just remember that there is value here, and it’s something that we take very seriously and want to assist you with. With Windes and Alliant, we offer a free cyber health check for our clients.
You can email me on the contact information here, or you can click on the link on our website. It’s 15 minutes. We’ll talk to you and your IT team, or just you and find out what you currently have in place and make recommendations on where you can go. With that, we will see if anyone has any questions.
Jon Murphy:
Rebecca, I see one from Morgan and he or she is asking, “How much money should I budget on cybersecurity?” It goes to the last point we were talking about. There’s all kinds of recommendations and measures out there, but the easiest one rule of thumb is whatever your revenue is for your organization, that’s EBITDA, 10% of that should be on IT. Not saying I agree with that and it’s based on an average company, whatever the world that is. That’s one that’s not heavily regulated, it’s not one that’s been compromised, it’s not one that’s just standing up cybersecurity or IT. It’s company has been around. That’s 10% on your IT, that’s keeping the lights on. The security aspect of that needs to be at least 10% of that amount and you say, “Well, where does that come from?”
It’s the same thing, it’s a rule of thumb. If you’ve been compromised, if you’re heavily regulated, if you’re in health care, financial sector, working for the government, I have government contracts, that 10% number is off the table. It’s higher than that, but that’s a rule of thumb to get you started, and it’s something you can do pretty quickly with your financial experts to see if you’re in that ballpark. If you’re low, I’m telling you right now, you’re asking for trouble. If you’re high, maybe there’s a way we can help you save some money, and we can help you with that, but at the same time, it’s amazing how this cybersecurity stuff is way too much. It costs way too much.
We hear that all the time, until they’re compromised. Then all of a sudden, the blank check is written if they’re still in business, and it could have been a fraction of that cost if they had done it in a timely proactive manner.
Rebecca Christiansen:
Our next question is, what guidelines can you provide for a non-profit addressing cybersecurity issues for themselves and for partner organizations? Also actually a similar one, how can nonprofits protect themselves in a way that they can afford? The general guidelines is pretty much the same. Take assessments, remediate when you can and do defense in depth, and work with service providers who specialize in assisting non-profits. Jon mentioned previously that he worked with a non-profit that helped the homeless and was attacked. As we mentioned before, MDR, managed detection response is actually relatively affordable and it’s based on a per user count.
That adds that layer of defense where you have an organization that has a team of people who are actively monitoring your system and then obviously, there are lots of service providers who do specialize in assisting non-profits who can assist in developing some of these policies. We at Windes and Alliant will always work with whatever IT providers you have, whether it’s your in-house or your managed service provider to help develop those policies and make sure that all of your settings are correct, and that they are able to respond in the event of an attack. We have another question. We did talk about does having your important data in the cloud help and we talked about that a little bit.
This shared security model results in a certain amount of the infrastructure being protected by the cloud provider, but again the cloud is only as good as you make it. It’s still important to do a risk assessment that determines what kinds of configurations that you can improve and how your processes are set up to prevent your employees from making you exposed by clicking on links again same way, or any of your third-party providers, vendors making you exposed. Then we have pros and cons of a cybersecurity insurance policy and related to that, what specific coverage or language should we have in our insurance policies? Jon, do you want to jump in on that one?
Jon Murphy:
Yes, thank you Rebecca. Cybersecurity liability insurance is a must-have these days. We talked about the back of the napkin math of the costs. That’s a bare minimum number of $150 per record. It can go up pretty quickly from there. You want cyber liability insurance that covers what is to be a likely loss. Back of the napkin can start at 150 times the number of customers that you have online in your systems, not that you’re necessarily currently dealing with. Then you want to make sure the policy has provisions in it to cover things like denial of service, distributed denial of service that’s a little bit of a geeky concept, but if that verbiage is in there, you’re good. You want to make sure it covers ransomware. You want to make sure it covers insider threat, and there are some providers out there.
Again, I’m not selling the insurance. Rebecca and I don’t do that, but there are some providers out there that offer a great deal of add-ins to their policy. They give you a breach coach. They give you a recommended team of lawyers and crisis counselors and forensics, and those are all built into the policy costs. Those are a good thing to have, but still you need to reach out to those people pre-need and pragmatically to build a relationship and see what they advise before a situation arises, but the answer is you definitely need it. How much depends on how large, how many records, how many jurisdictions are you in. Do you have EU clients, UK clients? Are you only in California?
Have you tripped the level in the California Consumer Protection Act, where you need to have additional protections and provisions. All of that goes into it, and your broker should be able to help you and advise on what kind of coverage.
Rebecca Christiansen:
Okay. Next question we have is, can you provide info on ransomware solutions? I’ll let you take this one too, Jon.
Jon Murphy:
There are a number of shiny, new toys out there that says we’ve got it all, buy our stuff and you’re good, no more ransomware. I don’t think that’s true yet. There are some that are better than others. There may be one of these days a solution that takes care of 60%, 80% of all ransomware types, but realize that the bad actors are out there reinventing that wheel every day, so that they can have a smarter mousetrap to get your money that much faster. Ransomware is the biggest worst problem that you have to worry about. It is a full-blown business. Once you get hit with ransomware, you may find the gang behind it. Literally, it has a website, has customer service, 1-800 numbers, multi-language support on helping you pay them their ransom.
Some of them have some honor among thieves, where they will actually return your data. Some don’t, but the bottom line is there’s no silver bullet yet, and what you need to do is defense in depth like we talked about, security education, training and awareness to keep your workforce aware and a little more cautious. Then those securely made, regularly restored and tested backups just in case.
Rebecca Christiansen:
John asks, “How can you determine if your systems have been compromised?” We talked a little bit about this. This is exactly what the MDR is intended to do. You have that regular monitoring. You get human beings watching in addition to software that is making sure that nothing is out of the ordinary. It uses algorithms and machine learning, it gets to know your system. When it sees someone accessing from location they shouldn’t be, Russia, Africa. If you don’t have anybody there, nobody’s regularly accessing your systems from there, it’ll flag it and then they’ll reach out to your IT team and say, “Okay, this is out of the ordinary. Are we expecting this person to be logging in from the UK or not?”
The other thing is the vulnerability assessment and penetration tests. This is something we do recommend that every organization do once a year, and this is essentially you have an outside organization who tries to essentially hack your systems. They’ll do things that includes social engineering. We’ll actually try to trick your employees into clicking on links and giving us access, so you’ll be able to see where those areas are that you have vulnerabilities and then we design an executive report that shows you here are all the things that you can do to patch these holes and gives you again a road map of things that you can do over the next year to protect your organization and close some of those vulnerabilities.
We have another one. Should we be concerned about cookies when we visit websites? Go ahead, Jon.
Jon Murphy:
If you have clients in the EU, the answer is yes, you have to have a formal cookie policy on the bottom of your website. If you’re in California, that’s not yet a provision, but we understand the new versions of CCPA if you’re encumbered by it, will require a cookie policy too in the coming year or so, but the cookie worry is that they collect a snippet of information about the individuals visiting your website. All the best websites have got them.
Sometimes hundreds of cookies are collected when you visit a website, but some of them are just housekeeping, like where did this person come from, what was the last page they were on, what is their geolocation of their IP address, but in certain jurisdictions like the European Union, that is all considered personally identifiable information. You have to advise a visitor of what you’re doing with that information, how they can opt out of the cookies and so forth and so on if you’ve got those EU clients. We see a lot of clients, a lot of organizations proactively putting a cookie manager system in place. That’s not a bad idea. We also advocate that everybody put a privacy policy on the bottom of their website.
Again in the California jurisdiction, if you’ve got 25,000 or more customers, you almost have to do that anyway. It’s a good practice, and we’re just going to see more and more of this until someday when the United States is smart enough to do something like its own GDPR, where it adopts the California Consumer Protection Act for all 50 states. You say, “Well, I only work in California. I don’t care about somebody in the EU,” doesn’t matter. If an EU citizen interacts with your intellectual property and provides you their PII, personally identifiable information, you just got encumbered with a GDPR.
We even see some organizations that will use what they call geolocation and if they see that someone is coming from the European Union, it takes them to a separate page that says basically, “Thank you for visiting. This content is USA based only. Please check out these other links, or please use Google to find a supplier in your area.” The idea is that way there is no way they’re encumbered by GDPR, that person can’t even interact with their website. Not saying that’s the only solution, but that is definitely out there. Rebecca, I saw a follow-up on the 10% question that was about the money.
Rebecca Christiansen:
Yeah.
Jon Murphy:
That’s a floor, all right and it’s a fairly old floor, but the real answer is it depends. That floor came from the SANS Institute many, many years ago and they were largely criticized for doing that because there’s many variables. When we tell clients it depends, they say, “Well, I need a number, I need to do something.” We toss out that number as a bare minimum. Again, you said, “What is it pinned on?” Well, as we talked about, how long you’ve been in business? What kind of information you collect? What services you provide? What jurisdictions you’re in, et cetera? All those things can drive that number way on up, but it’s a start. It’s a fairly simple number.
You can figure out what that number is and go, “Oh wow, I’m spending 15 times this, or I have 1/15th of this amount of money set aside for security.” It gives you an idea as a rough guide.
Rebecca Christiansen:
Yeah and well, you’ll generally find that if you haven’t done some kind of a vulnerability assessment or a risk assessment before, that first foray into cybersecurity is obviously going to be at the higher end because it’s going to take more time. You probably don’t have a lot of the policies drafted already. You probably have a lot of vulnerabilities that you’re not aware of it, and so takes more man hours and that kind of thing, but the ongoing expense, doing your annual penetration test, the proactive monitoring tools like the MDR, those obviously could be significantly less.
They’re again going to be ongoing expenses that you should expect every year, and you will want to review the policies that are drafted, particularly your incident response and make sure that that’s still applicable every year. Again, this is why you need someone in your organization whose responsibility is security, who says every time you say, “Well, we want to do this new application, or we want to open a new location,” they are the person who says, “Okay, how does this impact security?” Having someone like a vCISO, who you interact with regularly also helps with that because they are security minded. I’m going to answer really quickly, who sells cyber insurance?
Pretty much anyone that you get your professional liability insurance from. We use an insurance broker for various insurance here, and you can generally find cyber insurance through a professional liability. I know Chubb offers it. Jon, you have some other providers you know?
Jon Murphy:
Beazley, AIG, Travelers. Like you said, most of your brokers that sell your professional commercial liability insurance can do that as well.
Rebecca Christiansen:
It is now 11:00. I appreciate everyone joining us today. Again, if we did not answer your question, or if you have others that you think of, please don’t hesitate to reach out to myself or Jon. We will be sending a link to the recording of this session, and the slides to you. If you want to share with others in your organization, you are welcome to do and again, we are happy to chat with you for 15 minutes, do a free cyber health check, give you an idea of where you stand. Thank you all, have a great day.
Jon Murphy:
Thank you all.
For questions about Windes Cybersecurity services, please call 844.4WINDES (844.494.6337) or email us at advisory@windes.com.
DISCLAIMER: The information presented in this webinar is intended as general information and does not constitute cybersecurity, IT, or legal advice. You should always consult your IT, legal, insurance, or financial advisor for direction regarding your specific situation.