Recently, we wrote about a study showing a connection between an increase in death rates and cybersecurity policies implemented after a data breach in the healthcare industry. We talked about the importance of ensuring that cybersecurity and operational interests are aligned. However, that study raises another, equally important point: hospitals shouldn’t wait for a breach to occur before implementing appropriate cybersecurity controls. This is a lesson that every industry should learn and is one of the main principles behind cyber resiliency: instead of just trying to prevent the worst from happening, we need to create a risk culture that assumes the worse will happen, then take steps to minimize its impact on essential operations.
And when it comes to the importance of cybersecurity and resiliency for our healthcare industry, the stakes couldn’t be higher. Within a period of two months in 2017, the healthcare industry across the globe was brought to its knees by two unrelated ransomware attacks. Strangely, neither of these attacks intended to target healthcare organizations. Instead, each attack contained a self-replicating virus that accidentally spread beyond their intended targets. But no matter the intentions, these attacks caused hundreds of millions of dollars in damage and affected 40% of healthcare delivery in the U.K.
Fast forward today and the potential consequences of such an attack—intentional or otherwise—on our healthcare system are clearer than ever. In his opening remarks at the CISA National Cybersecurity Summit, Josh Corman, visiting researcher at CISA and founder of I am the Calvary, put the stakes of healthcare cybersecurity into perspective. “In areas affecting the brain, the hearth, the lungs, where time matters, where minutes or hours could be the difference between life and death, mortality rates are affected if you can’t give time-sensitive health care.”
Corman joined CISA this spring to help assure the security of Operation Warp Speed, the U.S.’s initiative to rapidly develop and distribute vaccines, therapeutics, and diagnostics for COVID-19. “Now we need healthcare delivery more than we ever have,” Corman said, “Now an attack during a peak surge in traffic would be absolutely devastating.” And such attacks aren’t just hypothetical. According to one report, U.S. officials have already notified a number of healthcare companies about targeted threats. In particular, the biotech company Moderna, now in stage 3 of COVID-19 vaccine trails, has been targeted by hackers.
These examples drive home the potentially life and death implications of cyber resiliency. We can and should try and prevent attacks from happening, but the reality is that’s not enough. In his talk, Corman lamented a culture within healthcare cybersecurity to wait for “proof of harm” before taking corrective actions. Instead of waiting for harm to occur, Corman argued, a clear, “unmitigated pathway to harm” should be enough to trigger corrective action. This is a lesson that extends far beyond the healthcare industry. All organizations need to create a risk culture that acknowledges and prepares for the harsh reality that, in some shape or form, cyber incidents are going to happen. To prepare for this, Corman outlined a number of key questions every organizations should consider:
How do you avoid failure?
How do you capture, study, and learn from failure?
How do you have a prompt and agile response to failure?
How do you contain and isolate failure?
Today, attempts to hack, steal, and disrupt systems are not hypotheticals. They are the new normal. Alongside efforts to prevent cyber attacks, organizations needs to be prepared to minimize the impact these attacks will have on essential business and operations.
According to a new report by Coalition, one of the nation’s cyber insurance providers, ransomware attacks make up 41% of all cyber insurance claims in the first half of 2020. Unfortunately, that’s the good news. That number is actually down by 18% since 2019. The bad news? While the frequency of ransomware attacks are down, the severity of attacks has risen dramatically.
In particular, cyber criminals are starting to demand more and more money from their victims. According to Coalition, ransomware claims are in general 2.5x higher than other cyber insurance claims across all industries. And demands continue to increase in dramatic fashion. Coalition’s report states that the average ransom demand increased 100% since 2019 and has already risen an additional 47% between Q1 and Q2 of this year.
What’s more, not only have ransomware demands increased, but the attacks themselves are becoming more and more sophisticated. While traditional ransomware attackers encrypt data within the target’s network, now they are actually stealing the data and threatening to leak the information if a payment isn’t made, as happened to the cloud services firm Blackbaud this summer. This tactic may in part account for the of the increases in demands, as organization’s may be more motivated to pay in order to keep the incident private. However, there is no guarantee that paying will stop the attackers from leaking the data anyway.
While the Coalition report shows that more and more businesses are turning to cyber insurance to help with ransomware attacks, relying on insurance should not be your solution. Sure, insurance may help pay the cost of the ransom, but if attacks know insurance companies will pay up, they may start to feel confident asking for larger and larger amounts of money. The FBI also discourages businesses from paying demands.
Instead, the best response is prevention. Even simple solutions like multi-factor authentication and good password management can help dramatically. In addition, the report found that 60% of claims are for attacks that originated as a phishing or other social engineering scams. Investing in effective cyber awareness training can help prevent attacks from occurring in the first place. Like with most things related to cybersecurity, it’s always better to take action now rather than wait for the worst to happen.
Like everyone today, our elections officials have to grapple with technological changes. And with those changes comes emerging security concerns. Take the 2020 democratic Iowa caucus, for example. The Iowa Democratic Party decided to use a new app to record results of the caucus that ended up causing a myriad of problems, delaying the results and sparking a controversy about the party’s use of the app. As more states begin to digitalize the election process, election security has become a topic of national concern. Of course, the stakes of an incident is probably not as high for a business as, say, protecting the democratic process. However, when looking at a case with such high stakes, incidents in our elections can clarify what we expect not only from our government but also what consumers expect from companies, and what organizations need to be taking seriously. Here are just three areas from which business can learn from the issues surrounding election security.
The first thing that business and election security officials have in common is the need to maintain public trust. One of the biggest concerns with digitalizing our elections is, if something goes wrong with the technology, it may harm the public’s trust in the voting process. This was certainly the case in Iowa this year. Despite the party’s assurance that even with the app down the results of the caucus could be accurately counted, disinformation and confusion quickly spread online.
That said, who even needs election interference to mess with a caucus if the app simply doesn’t work to begin with?
It’s not difficult to see how businesses can apply these election security concerns to their organizations. A public security issue with a produce or service could severely impact a business’s reputation and can be extremely difficult to repair. Consumers may feel like their privacy could be at risk and that your business doesn’t have their best interest in mind. To combat this, besides actively securing consumer data, businesses should be as transparent as possible with consumers about the organization’s cybersecurity efforts.
Soon after the Iowa caucus, it become abundantly clear that the app developers and the Iowa Democratic Party made a number of mistakes that lead to the problems on caucus night. For example, before the night of the caucus, the app was only tested internally, with no external review. The IDP even declined an offer from Homeland Security to review the app before roll out. Developers also didn’t have time to get the app approved through app stores, so required users to download the app through testing software, effectively by-passing the need to meet the security requirements from app stores.
The list of ways that the rollout was mismanaged goes on and on. However, this only highlights the need for business management to be involved in ensuring proper cybersecurity best practices are followed through the entire product lifecycle, from initial development, to implementation, and on going maintenance.
Businesses should also look at how election security officials respond—or, perhaps more accurately, don’t respond— to issues that arise. Without a proper response plan in place, problems could worsen and cause enough confusion to allow disinformation about the issue to spread. And that’s exactly what happened in Iowa. As the problem with the Iowa caucus came to light, instead of deploying a carefully planned incident response, the whole night turned into chaos and confusion, as caucus leaders sat on hold for hours to deliver results or even text pictures of their tallies to party headquarters.
This example shows just how necessary it is for businesses to have a proper incident response plan in place. This should involve sitting down with business leaders, IT staff, and other relevant employees to write out a detailed response for every incident that could arise. With a plan in place, businesses should also conduct regular incident response simulations, by asking the response team to test their plan for each possible incident. Responding to an incident quickly and efficiently will not only help limit the impact of the issue, but could help show regulatory bodies your proactive stance to cyber incidents, and even save your business money.
With the general election looming, election security officials are working hard to ensure no problems arise on election day. Hopefully, come November there won’t be any lessons for businesses to learn from.
Today business leaders are rightfully concerned about mitigating their organization’s cyber risks. To address this concern, many businesses have begun to hire chief security information officers to allow for security leadership from the highest levels within an organizations. But unfortunately, old habits die hard. Instead of integrating CSIO into both cybersecurity and business conversations, many of these security leaders have become siloed from broader business strategy and goals. Of course, this also leaves the executive team under informed about the nature and scope of their organization’s cyber risk profile.
One of the main tenants of a new security principle, cyber resiliency, stresses the need to integrate approaches to security and business in order for either side to succeed. In fact, organizations should even stop thinking of business and security as two opposing side of an equation and instead learn to see and promote the integration of each with the other. However, this will require both security experts and businesses leaders to put in some work.
Business-Aligned Security Leaders
A recent report by Forrester found that just four out of ten security leaders can answer the question, “How secure/at risk are we?” and less than half frequently consult business leaders before developing security strategies. This, to put it lightly, is a big problem. If security leaders are just focused on implementing and maintaining technical controls, they end up missing the bigger picture of the risk culture that surrounds those controls. It is vitally important for security teams to understand an organization’s business-critical assets and work with leadership to develop a risk mitigation plan that prioritizes those assets.
Cybersecurity teams also need to be able to communicate their needs to business leadership. According to the Forrester report, more than half of security leaders lack adequate skills in benchmarking their security programs. In order to integrate cybersecurity and business needs, security teams need to develop benchmarking and risk reports that they can properly communicate to business executives. Taking a more business-oriented approach to security can also help security leaders advocate for the funds they need to reduce risk.
Cyber-Aligned Business Leaders
Of course, in order for security leaders to effectively integrate business strategy into overall cybersecurity goals, the business executives and board members need to regularly meet and communicate with their security team. To ensure this happens, it’s important for board members to assume ultimate responsibility for oversight of the organization’s security and to integrate cybersecurity discussions into the overall business strategy, risk management, and budgeting. It may even be a good idea to require cybersecurity training for all board members to ensure everyone has a proper understanding of the current threat landscape and regulations.
With a focus on outcomes, training, and a security team able to communicate benchmarks and risk reports, board members will be in a position to properly define the organization’s cyber risk tolerance that is consistent with business strategy andcurrent cybersecurity controls. Board members and executives teams must ensure the organization’s risk appetite is communicated throughout all levels of the organization and that they create a culture that reflects the cybersecurity and business interests of the organization. Many of these recommendations are included in a white paper from the World Economic Forum that details 10 essential principles and tools for boards to better integrate cyber resiliency with overall business strategy.
Today, most organizations understand the importance of maintaining an effective cybersecurity program. However, not many businesses are recognizing the interdependence of cybersecurity and business interests. And it’s a two way street. Both cybersecurity leaders and business executive and board members need to be mindful about taking a more holistic approach to cybersecurity and business for either to be effective.
You can’t protect your network from an attack or a breach if you don’t know where you are vulnerable. Some vulnerabilities are easy to see, like application patching, but others can be very difficult to spot if you don’t know exactly what you are looking for. Luckily, a piece of automation software called vulnerability scanning can help organizations detect and manage vulnerabilities across an entire network.
The scan works by first creating an inventory of servers, applications, devices, firewalls, operating systems, and anything else you include within the perimeters. The scan may also attempt to login to the network using default credentials. After completing an inventory, the scan will then cross check every item detected against a database and give a full list of known vulnerabilities.
By conducting regular vulnerability scans and including the information from those scans in a cybersecurity risk assessment, you’ll not only keep your networks more secure, but can also help reduce the cost of a breach should one ever happen. Here is a short overview of how to properly conduct a vulnerability scan and use it as a key tool for more effective risk assessments.
What to Include in Your Vulnerability Scan
When conducting a vulnerability scan, it’s important to set a scope that is appropriate for your business needs and network configuration. While every organizations should scan their entire network — along with external systems, vendor portals, and cloud services — it might be preferable to run more focused scans frequently and conduct a more expansive scan every quarter or twice a year.
Some scans can also run automatically when changes to the network are made or a new device is added. Because these scans can be intrusive, it’s possible they may cause temporary systems errors. You should also consider conducting scans after business hours or at a time when essential business operations will not be affected.
Putting Vulnerabilities into Context
The unfortunate reality is that organizations will always have some vulnerabilities. Vulnerability scans are the first part in a larger process that allows you to pinpoint your weak points and prioritize these vulnerabilities based on risk. It’s important to remember that vulnerabilities are separate from threats. A cybersecurity threat is a method of attack that exploits vulnerabilities. And fixing every single vulnerability is sort of like trying to plug a hundred of holes in a bucket all at once.
A risk assessment is therefore essential for putting your vulnerability scans into context and understanding where you need to focus your energy. When looking at a list of known vulnerabilities within your network, consider how much damage it would cause if the vulnerability is exploiting, assess the threat landscape to understand how likely an attack is, and explore what security controls are needed to fix the vulnerability. If a known vulnerability is easy to fix but would be costly if exploited, you will want to address that immediately. On the other hand, if a vulnerability would require a lot of time and money to fix, and the risk of an attack is very low, you may not need to focus on that right away. No matter what, the key is to have enough information on hand to make an informed decision on how best to protect or network and systems.
Business email compromise threats are a form of social engineering scams that have been around for a long time. “Nigerian prince scams,” for example, are what people often think of when they think of these types of attacks. However, as technology and modes of communication have gotten more sophisticated, so too have the scammers. Agari’s new report details the firm’s research on a new gang of BEC scammers based in Russia that call themselves “Cosmic Lynx.”
Unlike most BEC scams that tend to target smaller, more vulnerable organizations, the group behind Cosmic Lynx tends to go after gigantic corporations — most of which are Fortune 500 or Global 2000 companies. While larger organizations are more likely to have more sophisticated cybersecurity protocols in place, that doesn’t mean they can’t be tricked, and the payout for successful scams is significantly larger. The average amount requested through BEC is typically $55,000. Cosmic Lynx, on the other hand, requests $1.27 million on average.
How Does it Work?
While the basic’s of Cosmic Lynx’s BEC attacks are pretty standard, the group uses more advanced technology and social engineering tactics to make their scams more successful.
Typically, Cosmic Lynx uses a “dual impersonation scheme” that mimics indidvuals both within and outside of the target of the scams. Moreover, by manipulating standard email authentication settings and registering domains that imitate common secure email domains (such as secure-mail-gateway[.]cc), the group is able to convincingly spoof their email address and display name to look almost identical to a employees within the targeted business. Acting as the CEO, the group will typically send an email to a Vice President or Managing Director notifying them of a new acquisition and referring the employee to an external legal team to finalize the deal and transfer funds.
Cosmic Lynx will then impersonate the identity of a real lawyer and send the employee an email explaining they are helping to facilitate the payment. Of course, organization receiving the funds is actually a mule account — typically Hong Kong-based — controlled by Cosmic Lynx.
For now, Cosmic Lynx seems to be the only group carrying this new BEC threat, however it is very likely other groups, seeing the amount Cosmic Lynx is raking in, will begin to follow suit. Simply put, the level of sophistication involved in these scams will require businesses to have more sophisticated protections in place to prevent this new threat. While more advanced email filters may help to detect spoofed email addresses, the most effective method to prevent BEC scams is to have strong policies in place to verify payment requests before releasing funds.