by Doug Kreitzberg | Aug 11, 2021 | Compliance, Cybersecurity
While cyber attacks such as ransomware have steadily increased in frequency over the past few years, more recent, widely publicized attacks like the Colonial Pipeline attack have finally caused government agencies to sit up and start taking action. The White House’s unprecedented executive order, for example, aims to help modernize the federal government’s cybersecurity practices, and the FBI recently requested an additional $40 million for cybersecurity defenses. While these important steps are aimed at strengthening the government’s response to cyber threats, other government agencies are now starting to issue updated guidelines for regulated industries. Much of these new guidelines cover a lot of the basics of cybersecurity practices, like creating a cybersecurity policy and encrypting sensitive data. However, what becomes clear is that for regulated industries to fully adopt these guidelines there must be a focus on managing and mitigate the human risks involved in cybersecurity.
Of the various government agencies issuing new cybersecurity guidelines, the U.S. Department of Labor’s Employee Benefits Security Administration guidelines is notable for being the first time the department has issued any sort of cybersecurity guidance. The guidelines are aimed at entities covered under the Employee Retirement Income Security Act, including “benefit plan sponsors, plan fiduciaries, record keepers and plan participants” and are designed to protect the estimated $9.3 trillion in assets the department oversees. Included in the guidelines are practices widely considered essential for defending against cyber threats, including a formal cybersecurity policy, annual risk assessments, and conducting security reviews of 3rd party vendors.
Many of the guidelines issued by the Department of Labor are aligned with the New York Department of Financial Service’s 2017 cybersecurity regulation, which itself is starting to ramp up its own guidelines. In June, the NYDFS released updated FAQ’s that offer further guidance on complying with the state regulation while also releasing new ransomware guidelines. The updated FAQ shows the department is not messing around. While the NYDFS outline which covered entities can file for an exemption, they also emphasize that even exempt entities must comply with certain aspects of the regulation, such as maintaining a cybersecurity policy, conducting risk assessments, and notifying the department of any cybersecurity events. In their ransomware guidance, the department cites the importance of practices such as cyber awareness training, MFA and password management, and strong access privilege restrictions — all of which are already required under the department’s regulation.
While many of the cybersecurity guidelines government agencies are now offering cover some of the basic cybersecurity practices, implementing and maintaining these guidelines can be pretty daunting for a business to try to put in place. What becomes clear is that even the technical aspects of cybersecurity involve managing and mitigating human risks. For example, the NYDFS urges covered entities to implement a patch management program, which requires leadership ensuring their IT team regularly apply patches to the organization’s software and systems. If their IT fails to do this, they could be slapped with millions in fines. It’s therefore essential businesses focus not only on staying compliant, but also ensuring their teams are developing habits that align with their cybersecurity needs. Managing these human risks first and foremost involve three factors: keeping tasks simple, using prompts for employees, and providing positive feedback. In combination, these three factors will help to ensure employees can develop and sustain these habits that, ultimately, can make or break an organization’s cybersecurity posture.
by Doug Kreitzberg | Jul 29, 2021 | Human Factor, ransomware
Tools such as endpoint detection, anti-malware software, and firewalls play a vital role in protecting from the diversity of cyber threats businesses face today. However, for those tools to work, they need to be properly installed, configured, and updated by people. When considering the human factors of cybersecurity, we often think of social engineering scams. But equally as important is managing human errors. In fact, this form of human risk was exactly what led to the massive Colonial Pipeline ransomware attack earlier this year.
Human risk involves not just what we do, but also what we don’t do. This was the case with the colonial pipeline attack. In June, the CEO of Colonial Pipeline, Joseph Blount, told a Senate Committee that the attack was caused by unauthorized accessed to a virtual private network (VPN) the company had once used and that did not have multi-factor authentication (MFA). MFA is a tool that requires users to verify their login through a second means, such as a text message or email that contains a unique code. Because this VPN did not use MFA, that extra layer of security was missing and the hackers got in unnoticed. The real kicker, however, is that Colonial Pipeline was already using a new VPN with more security features. However, the legacy VPN was still installed on Colonial Pipeline’s systems. According to Blount, the VPN the hackers accessed “was not intended to be in use.” The ransomware attack was therefore a result of someone within Colonial Pipeline neglecting to take the old VPN off of the company’s servers.
Risk, no matter the form, is the result of habits and behaviors. In order to address these issues, we need to create healthy, sustainable habits that limit human risks. They say old habits die hard but creating sustained change is possible if these three elements come together:
1. Keep it simple
When trying to create new behaviors for your employees, it’s vital to break things down into small pieces. Asking questions like “What behaviors do I want to do that will mitigate risk” is a good place to start, but once you have a list, choose one behavior and focus on that. The reason is that people are more likely to do something consistently if it’s simple and easy to do. By focusing on one behavior at a time, your staff is far more likely to follow through than if you give them a whole list of changes you want them to make.
2. Use a prompt
The next part of the equation is creating a prompt that alerts your employee to do the behavior you are designing for. This prompt can take any number of forms, like a scheduled email, a slack notification, or a checklist. When we have a habit, we aren’t actively thinking about having to do it, so when you want to create a new habit prompts will break that automatic thinking and make room for them to incorporate the new behavior you want to see.
3. Provide positive feedback
Lastly, once the new behavior is accomplished, it’s important to follow up with some sort of positive feedback. This helps reinforce the importance of the behavior by helping your staff associate this new habit with a positive feeling, making it more likely they will follow through again in the future.
Using Colonial Pipeline as an example, applying these behavioral principles for their IT could have helped prevent the hackers from gaining access. First, someone in the leadership could have communicated to one member of IT and asked them to take an inventory of applications installed once a month and remove anything that is out of date or no longer in use. Then, a prompt such as a scheduled email could have been created to send to the employee on the first of every month. Finally, the employee could be sent a message thanking them for taking an inventory — they could even create a point or star system that helps employees tally the completed behaviors that Colonial was designing for.
Mitigating human risk is a central aspect of a business’s overall cybersecurity posture. And the key is to create new, healthy behaviors by putting in place a system that helps your employees form new habits in a way that’s simple and leaves them feeling successful.
by Doug Kreitzberg | Jul 6, 2021 | Business Continuity, Cyber Insurance
The shifting cyber risk landscape over the past eighteen months – especially the explosion of ransomware attacks — has put a spotlight on what businesses and governments are doing about cybersecurity risk and what role does or could cyber insurance play – not only as a risk transfer vehicle, but as an enabler of improved risk management practices. As of early 2021 the total global premiums for cyber insurance have reach over $5 billion, but the truth is cyber insurance is still a very new industry, and the role it can play in mitigating cyber risk is has been an open question for a few years.
However, according to a new report by the UK-based security research institute RUSI, the role of cyber insurance as a risk mitigation tool is still pretty limited. One big challenge is that both issuers and insureds too often view cyber insurance as a replacement for actual cybersecurity policies and procedures. Cyber insurance doesn’t mean that you won’t get hacked just like having fire insurance doesn’t mean your house won’t ever burn down. This challenge has most recently been playing out with questions surrounding ransomware payments. Today, many cyber insurance policies include payments for ransom demands. However, this raises the concern that such practices are actually fueling the recent spike in ransomware attacks. In fact, some evidence suggests ransomware attackers are specifically targeting companies with cyber insurance and tailor their demands to the high-end of what those policies will cover.
That said, cyber insurance still has a role to play — but it doesn’t replace the other value chains within the broader risk mitigation process . Like with most insurance, it’s not designed to prevent or eliminate risk, but rather to transfer risk as a last line of defense. In the RUSI report, many of the experts interviewed cite post-incident services as one of the main benefits of having cyber insurance. From incident response to forensic analysis, cyber insurance can be extremely useful for maintaining business continuity following a cyber incident. This is even more important for small businesses who might not have internal teams and the expertise to carry out a post-incident response swiftly and effectively. However, there is a lot more to cyber security than how you respond to an incident. As RUSI’s report points out, right now cyber insurance is most effective as a tool for cyber resilience, but not risk mitigation.
What is important to understand is the need to properly place cyber insurance within your larger risk governance strategy. Cyber risk management is like putting together a puzzle with various shapes and sizes. From performing informed risk assessments, to maintaining strong systems controls, to creating a culture that values cybersecurity, there is a lot of factors that need to be pieced together in a way that aligns with your business context, strategy, and goals. Effective risk management includes a value change of activities and partners, including insurance, but relying on insurance along is not enough.
by Doug Kreitzberg | Jun 29, 2021 | Human Factor, ransomware, Risk Culture, small business
By now, you’ve almost certainly heard about ransomware — a form of cyber-attack in which hackers encrypt systems, steal data then demand a ransom payment to end the attack. While ransomware has been around for a while now, attackers have started setting their sights on bigger and bigger targets, gaining international media attention in the process.
But the reason businesses should be paying attention to ransomware is not because big corporations are shelling out millions of dollars in ransom payments. Instead, when you look at the bigger picture, small businesses are the ones who will continue to bear the brunt of these attacks. According to the Secretary of Homeland Security Alejandro Mayorkas, there has been a 300% increase in ransomware attacks in the past year and 50-70% of those attacks were directed against small and medium sized businesses. And while a cyberattack is tough for any businesses to recover from, the threat ransomware poses to small businesses is existential, with 60% of small businesses failing within 6 months of a cyber-attack.
Because the threat is so big and the stakes are so high, governing ransomware risk needs to be a top priority for small businesses. And in order to protect your organization, there are two vital areas that need to be focused on: systems controls and organizational culture.
Systems Controls
1. Endpoint detection and response
Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops and other devices in order to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today in order to stay on top of potential threats and put a stop to them before they can cause any damage.
2. Hardening your RDP Ports
Remote Desktop protocol is a tool that allows someone to connect to a computer remotely. This can be useful, but more and more ransomware attackers are using RDP ports to gain access to victims’ systems. Organization that do not actively use RDP should therefore consider disabling the feature or limiting to users and devices that are not connected to public internet.
3. Back-ups
Having a back-up of your systems could allow you to regain access to your data without having to pay the ransom. However, it’s essential to have an effective back up strategy in order to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your back-up. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.
Multi-Factor Authentication
Lastly, using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. At minimum, any user accessing your network should be using MFA. In addition, all users with administrative privileges need to use MFA, whether they are accessing your network remotely or on premise.
Don’t Forget Culture
When it comes to governing ransomware risk, the best way to prevent attacks is to focus on creating a culture that incorporates cyber-secure behaviors into every day practices. However, the biggest issue many organizations face when creating a cybersecure culture is sustaining those behaviors overtime. In order to properly govern ransomware risk, behavior change requires 4 essential elements:
1. Consistent Communication
We get it, cybersecurity can be confusing. And as the threat landscape changes, so do our cybersecurity policies. That’s why it’s so important that business leadership consistently communicate with their employees about the behaviors you want to see.
2. Make it Easy
When thinking about the behaviors you want employees to adopt, it’s vital you make these behaviors as easy as possible to do. Everyone is being pulled in a million different directions at once, so if an employee has to take 10 minutes out of their day to figure out how to report a phish, they aren’t going to follow through. If, however, you provide a simple and easy-to-use process, you’re going to have a much easier time getting employees to adopt new behaviors.
3. Help People feel Successful
People want to feel like the work they are doing is making a difference. If they feel like what they are doing just doesn’t really matter all that much, there isn’t going to be much motivation to continue doing it. That’s why it’s so important to help people feel successful when they follow through on the behaviors you want to see. Providing positive feedback, for example, can go a long way towards creating behavior change. If your employees know their work is being recognized and feel it makes a difference, they will be much more likely to keep it up.
4.Walking the Walk
The above three elements for creating sustained behavior change have one thing in common: you. A leadership team can’t simply talk the talk. Change starts at the top and requires you and your leadership team take an active role ensuring these behaviors become a part of the organizational culture and value structure.
There’s no doubt that ransomware poses a big threat to small businesses, and the best thing you can do govern the risks of attack is focusing on creating a culture in which cybersecurity is valued and acted upon every single day.
by Doug Kreitzberg | May 18, 2021 | Risk Management
Many of us check to see if our doors are locked before we go to bed. We might be pretty sure it’s already locked, but we know it’s worth double checking just in case. It’s common sense. That’s why it’s so surprising to see, according to a recent UK report, that only a third of businesses check their own cyber security locks by conducting a cyber risk assessment.
Throughout the report, there is a stark contrast between the amount of breaches companies are experiencing and the measures they are taking to prevent these breaches from happening. For example, the report found that nearly 40% of business surveyed reported at least one attack or breach within the past 12 months. What’s more, for many of these businesses, a breach is not a one and done experience. Half of the organizations that were attacked said they’ve experienced an attack once a month and a quarter of these businesses report attacks on a weekly basis.
If your home was being broken into on a weekly basis, you’d probably start double checking those locks. Yet, according to the report, businesses are not taking the necessary steps to protect themselves. In addition to the lack of cyber risk assessments, only 33% of businesses have a formal cyber security policy. And while phishing scams accounts for 83% of the attacks businesses reported, only 14% of businesses have conducted any sort of cyber awareness training within the past year.
In a blog post on the report, Phillip Virgo makes the important point that cybersecurity measures need to be considered within the context specific to a business’ size and industry. And he’s right, there is no one size fits all approach to cybersecurity. In order for any sort of protections to be useful, it’s vital those measures are not only suited to an organization’s size and industry, but also aligns with their specific business strategy.
At the same time, however, this doesn’t mean there aren’t steps every business should be taking to protect themselves and a risk assessment is a good way to start. Anything less isn’t just leaving your door unlocked, it’s leaving the door wide open with a welcome mat out front.
