Human Risk Caused the Colonial Pipeline Attack

Human Risk Caused the Colonial Pipeline Attack

Tools such as endpoint detection, anti-malware software, and firewalls play a vital role in protecting from the diversity of cyber threats businesses face today. However, for those tools to work, they need to be properly installed, configured, and updated by people. When considering the human factors of cybersecurity, we often think of social engineering scams. But equally as important is managing human errors. In fact, this form of human risk was exactly what led to the massive Colonial Pipeline ransomware attack earlier this year.

Human risk involves not just what we do, but also what we don’t do. This was the case with the colonial pipeline attack. In June, the CEO of Colonial Pipeline, Joseph Blount, told a Senate Committee that the attack was caused by unauthorized accessed to a virtual private network (VPN) the company had once used and that did not have multi-factor authentication (MFA). MFA is a tool that requires users to verify their login through a second means, such as a text message or email that contains a unique code. Because this VPN did not use MFA, that extra layer of security was missing and the hackers got in unnoticed. The real kicker, however, is that Colonial Pipeline was already using a new VPN with more security features. However, the legacy VPN was still installed on Colonial Pipeline’s systems. According to Blount, the VPN the hackers accessed “was not intended to be in use.” The ransomware attack was therefore a result of someone within Colonial Pipeline neglecting to take the old VPN off of the company’s servers.

Risk, no matter the form, is the result of habits and behaviors. In order to address these issues, we need to create healthy, sustainable habits that limit human risks. They say old habits die hard but creating sustained change is possible if these three elements come together:

1. Keep it simple

When trying to create new behaviors for your employees, it’s vital to break things down into small pieces. Asking questions like “What behaviors do I want to do that will mitigate risk” is a good place to start, but once you have a list, choose one behavior and focus on that. The reason is that people are more likely to do something consistently if it’s simple and easy to do. By focusing on one behavior at a time, your staff is far more likely to follow through than if you give them a whole list of changes you want them to make.

2. Use a prompt

The next part of the equation is creating a prompt that alerts your employee to do the behavior you are designing for. This prompt can take any number of forms, like a scheduled email, a slack notification, or a checklist. When we have a habit, we aren’t actively thinking about having to do it, so when you want to create a new habit prompts will break that automatic thinking and make room for them to incorporate the new behavior you want to see.

3. Provide positive feedback

Lastly, once the new behavior is accomplished, it’s important to follow up with some sort of positive feedback. This helps reinforce the importance of the behavior by helping your staff associate this new habit with a positive feeling, making it more likely they will follow through again in the future.

Using Colonial Pipeline as an example, applying these behavioral principles for their IT could have helped prevent the hackers from gaining access. First, someone in the leadership could have communicated to one member of IT and asked them to take an inventory of applications installed once a month and remove anything that is out of date or no longer in use. Then, a prompt such as a scheduled email could have been created to send to the employee on the first of every month. Finally, the employee could be sent a message thanking them for taking an inventory — they could even create a point or star system that helps employees tally the completed behaviors that Colonial was designing for.

Mitigating human risk is a central aspect of a business’s overall cybersecurity posture. And the key is to create new, healthy behaviors by putting in place a system that helps your employees form new habits in a way that’s simple and leaves them feeling successful.

 

The limits of cyber Insurance

The limits of cyber Insurance

The shifting cyber risk landscape over the past eighteen months – especially the explosion of ransomware attacks — has put a spotlight on what businesses and governments are doing about cybersecurity risk and what role does or could cyber insurance play – not only as a risk transfer vehicle, but as an enabler of improved risk management practices. As of early 2021 the total global premiums for cyber insurance have reach over $5 billion, but the truth is cyber insurance is still a very new industry, and the role it can play in mitigating cyber risk is has been an open question for a few years.

However, according to a new report by the UK-based security research institute RUSI, the role of cyber insurance as a risk mitigation tool is still pretty limited. One big challenge is that both issuers and insureds too often view cyber insurance as a replacement for actual cybersecurity policies and procedures. Cyber insurance doesn’t mean that you won’t get hacked just like having fire insurance doesn’t mean your house won’t ever burn down.  This challenge has most recently been playing out with questions surrounding ransomware payments. Today, many cyber insurance policies include payments for ransom demands. However, this raises the concern that such practices are actually fueling the recent spike in ransomware attacks. In fact, some evidence suggests ransomware attackers are specifically targeting companies with cyber insurance and tailor their demands to the high-end of what those policies will cover.

That said, cyber insurance still has a role to play  — but it doesn’t replace the other value chains within the broader risk mitigation process . Like with most insurance, it’s not designed to prevent or eliminate risk, but rather to transfer risk as a last line of defense. In the RUSI report, many of the experts interviewed cite post-incident services as one of the main benefits of having cyber insurance. From incident response to forensic analysis, cyber insurance can be extremely useful for maintaining business continuity following a cyber incident. This is even more important for small businesses who might not have internal teams and the expertise to carry out a post-incident response swiftly and effectively. However, there is a lot more to cyber security than how you respond to an incident. As RUSI’s report points out, right now cyber insurance is most effective as a tool for cyber resilience, but not risk mitigation.

What is important to understand is the need to properly place cyber insurance within your larger risk governance strategy. Cyber risk management is like putting together a puzzle with various shapes and sizes. From performing informed risk assessments, to maintaining strong systems controls, to creating a culture that values cybersecurity, there is a lot of factors that need to be pieced together in a way that aligns with your business context, strategy, and goals. Effective risk management includes a value change of activities and partners, including insurance, but relying on insurance along is not enough.