Behavioral economics teaches us that we are more fearful of immediate losses than future gains. Conversely, we are also tend to choose immediate gains over protecting ourselves from future losses. Especially when the type of loss is too foreign to us or is ever changing.
We do have available to us a tool that doesn’t require a lot of tech to use but perhaps can do more to both enhance and protect our organization than any piece of software or hardware we might have: our imagination.
When things are changing, you can’t rely on static measures or processes designed to defend against what today’s threats. Because the use of technology as a business enabler is ever changing as is the nature of cyber threats, businesses need to take a dynamic approach to risk mitigation and transfer strategies and constantly imagine both the opportunities and the risks they may face tomorrow.
As a report from the UC Berkeley’s Center for Long-Term Cybersecurity and Booz Allen Hamilton states, “….failures of cyber defense in some cases — possibly the most important ones — [are] not necessarily a failure of operational rigor but equally or more so a failure of imagination.”
There are a number of tangible ways businesses can leverage the use of imagination in addressing the cyber risks that they may face. One is through an incidence response simulation. Get your team around a table. Imagine a ransomware event has occurred. What do you do? Do you pay the ransom? How long will your systems be down? How much business do you stand to lose? Brainstorm other scenarios, focusing on ones that could take you out. Risks that cause you to be shut down for an extended period of time or do irreparable harm to your ability to serve your customers or to your reputation.
Not only do these types of simulations help you be better prepared to respond if they occur, it also helps you better define what risks you might face and what defenses to build to mitigate those risks. This can therefore become the basis for your risk assessment (which, if you are simply focused on compliance you generally have to do anyway).
We often think of creativity when it comes to innovation and growth that are critical our long term success. In the ever-changing world of cyber threats, we need to be equally creative when it comes to imagining and addressing risks what are crucial for our long term viability.
If your business ever experiences a data breach, you don’t want to be caught without a plan. Being about to identify and put a stop to the attack quickly will not only stop more information from being stolen, but will also dramatically reduce the cost of the breach. Last year, the IBM report showed that businesses with an n incident response team and which tested their response saved an average of $1.23 million on the cost of the breach. This year, that number jumped up all the to $2 million saved on a breach. Given the increased cost reduction of responding quickly, there is no reason why business shouldn’t have an incident response team in place.
However, having an incident response team in place is only one piece of the puzzle. It’s also important that your team, alongside with business leadership test your plan by simulating different cyber attacks that your business is vulnerable to. According to the report, incident response testing is the single biggest factor in limiting cost of a breach. Just testing your response shaves off an average of nearly $300,000 from the cost of a breach.
When it comes to forming a response team and testing, it essential that your team includes more than just staff from the IT department. A data breach also requires the oversight of businesses leadership and legal to ensure the response is aligned with regulatory requirements such as disclosure. Of course, the having technical experts is also important to help limit further access, exfiltration and damage to your systems.
Of course, with everything today, COVID-19 has made the job of your response team even harder. While the report doesn’t have data on the exact impact COVID has had on response time, it does show that 76% of businesses expect that working remotely will increase the time it takes to respond to a breach, which, of course, will also increase the cost of the breach. It’s therefore essential that your team tests how your response differs when everyone is working remotely, then discuss possible changes to the response plan should a breach happen while everyone is working from home.
Earlier this week we wrote about the cost of human-factored, malicious cyber attacks. However, there are also other threats that can lead to a malicious attack and data breach. According to this year’s Cost of a Data Breach Report, the stolen or compromised credentials tied for the most frequent cause of malicious data breaches, and took the lead as the most costly form of malicious breach.
The root cause of compromised credentials varies. In some cases, stolen credentials are also related to human-factored social engineering scams such as phishing or business email compromise attacks. In other cases, your login information may have been stolen in a previous breach of online services you may use. Hackers will often sell that data on the dark web, where bad actors can then use the data to carry out new attacks.
Whatever the cause, the threat is real and costly. According to the report, compromised credentials accounted for 1 out of every 5 — or 19% of — reported malicious data breaches. That makes this form of attack tied with cloud misconfiguration as the most frequent cause of a malicious breach. However, stolen credentials tend to cost far more than any other cause of malicious breach. According to the report, the average cost of a breach caused by compromised credentials is $4.77 million — costing businesses nearly $1 million more than other forms of attack.
Given the frequency of data breaches caused by compromised credentials, individuals and businesses alike need to be paying closer attention to how they store, share, and use their login information. Luckily, there are a number of pretty simple steps anyone can take to protect their credentials. Here are just a few:
There are now a variety of password managers that can vastly improve your password strength and will help stop you from using the same or similar passwords for every account. In my cases, they can be installed as a browser extension and phone app and will automatically save your credentials when creating an account. Not only are password managers an extremely useful security tool, they are an incredible convenient tool for a time when we all have hundreds of different accounts.
Another important and easy to use tool is multi-factor authentication (MFA), in which you are sent a code after logging in to verify your account. So, even if someone stole your login credentials, they still won’t be able to access your account without a code. While best practice would be to use MFA for any account offers the feature, everyone should at the very least use it for accounts that contain personal or sensitive, such as online bank accounts, social media accounts, and email.
Check Past Compromises
In order to ensure your information is protected, it’s important to know if your credentials have ever been exposed in previous data breaches. Luckily, there is a site that can tell you exactly that. Have I Been Pwned is a free service created and run by cybersecurity expert Troy Hunt, who keeps a database of information compromised during breaches. User’s can go on and search the data to see if their email address or previously used passwords have ever been involved in those breaches. You can also sign up to receive notifications if your email is ever involved in a breach in the future.
Cyber Awareness Training
Lastly, in order to keep your credentials secure, it’s important that you don’t get tricked into give them away. Social engineering, phishing, and businesses email compromise schemes are all highly frequent — and often successful — ways bad actors will try to gain access to your information. Scammers will send emails or messages pretending to be from a company or official source, then direct you to a fake website where you are asked to fill out information or login to your account. Preventing these scams from working largely depends on your ability to accurately spot them. And, given the increased sophistication of these scams, using a training program specifically designed to teach you how to spot the fakes is very important.
Last week, IBM and The Ponemon Institute released their annual Cost of a Data Breach Report. For the past 15 years, the report has highlighted recurring and emerging factors that contribute to the cost of data data breaches, as well as the root causes of those breaches. One of the key findings in this year’s report is the fact that human factored cyber attacks not only make up a large percentage of the all malicious attacks, but also are incredibly costly to businesses that suffered breaches. This only confirms the importance of cyber awareness training for employees to limit the risk of a human factored attack.
There are many different causes of a data breach, some of which are merely accidental. However, according to this year’s report, malicious attacks now make up 52% of all breaches. This didn’t used to be the case. In fact, malicious attacks have seen a 24% growth rate in just six years. Malicious attacks are also the most expensive, costing businesses an average of $4.27 million. That’s nearly $1 million more than all other causes of a breach.
Given the frequency and cost of malicious attacks, it’s important to look closer at the different threats that account for the rise in malicious attacks — and the data is surprising. While expected threats such as system vulnerabilities and malicious insiders are certainly present, human factored cyber attacks take up a large chunk of all malicious attacks. Threats ranging from phishing attacks, to business email compromise, to social engineering and cloud misconfigurations are all rooted in human rather than technical vulnerability, and account for 41% of all malicious attacks leading to data breaches. Indeed this report correlates with what was presented in the Verizion 2020 Data Breach Investigations Report.
Human factored cyber attacks aren’t something you can protect yourself against strictly through technically safeguards. Instead protecting against these vulnerability requires working with employees, establish proper quality control protocols, ensuring your have the right expertise on your team and using cyber awareness training to help build safer online habits.
As a Fortune 100 CISO once told me, “at the end of the day, every cyber incident starts with someone making a decision.”
This month Blackbaud, a cloud computing provider primarily serving nonprofits and educational institutions, announced that the company suffered a ransomware attack back in May. The company’s response, however, has raised more than a few eyebrows from security experts, and left hundreds of nonprofits scrambling to figure out if they’ve been affected. The Blackbaud breach is just the latest reminder that third party data processors can be a liability to your business.
According to Blackbaud’s statement about the breach, the company quickly discovered the attack and was able to remove the attackers from their systems — but not before the hackers stole a copy of a data set. Blackbaud has not specified the exact nature of that data, but claims it does not include sensitive information such as credit card information, bank account information, or social security numbers. On source told the BBC, however, that the stolen data involves donor information from hundreds of nonprofits and institutions and includes details such as names, addresses, ages, and estimated wealth. Now, organizations that are customers of Blackbaud are scrambling to see if their donors’ information was included in the breach and, if so, must release data breach disclosures of their own.
The most egregious part of the Blackbaud breach, however, was the company’s response. When they discovered their data had been stolen, they agreed to pay a ransom to have the attackers delete that data. Subsequently, Blackbaud assured their customers that there is no reason to believe the stolen data “was or will be misused; or will be disseminated or otherwise made available publicly.” However, cybersecurity experts have been quick to point out that this is a dangerous assumption to make.
Firstly, they got ransom’d but sounds like the actor also had a copy of the data. They paid the ransom and somehow believe that the (criminal) actor kindly removed their copy of the @blackbaud data: https://t.co/VrR5my2S8U
Despite Blackbaud’s insistence that the data has been deleted by the hackers, the company has not stated why they are confident in that assumption, and no external investigation has been able to confirm it. As many have noted, Blackbaud’s response to the breach seems more an attempt to protect their brand’s reputation, rather than a transparent disclosure. There are also questions about the amount of time the company took to disclose the breach, and whether or not that violates GDPR requirements.
The fact that so many questions about the Blackblaud breach are still unanswered two weeks after it was announced has not been assuring to the nonprofits that use their services. Over 100 organizations have already notified their donor’s about the breach, and more will likely do so in the weeks ahead.
While this far from the only third-party provider to suffer a data breach, the attack on Blackbaud is a rather stark example of why businesses need to take the time to carefully evaluate third-party security practices, as well as insist on strong agreements that define accountability and responsibilities in the event of an incident. This is especially important for associations and non-profits because their very existence relies on the trust that their members or donors place in them. When that trust is violated, it takes a long time to repair.
On Wednesday, The New York Department of Financial Services (NYDFS) announced their first ever cybersecurity charges against title insurance company First American for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.
The First American data breach initially occurred in October 2014 after an error in an application update left 16 years worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and drivers license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the venerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another 6 months, until a cybersecurity journalist discovered and published about the breach.
Charges against First American for their role in the data breach is the first time the NYDFS is enforcing the department’s cybersecurity regulations established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular venerability tests in line with a cybersecurity risk assessment.
First American is facing 6 charges, including failing to follow their internal cybersecurity policy, misclassifying the exposed documents as “low” severity, as well as failing to investigate and report the breach in a timely manner.
While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.
News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, and there are a number of state regulations that have gone into effect in the past 5 years. This is merely one of what is likely many companies that will face enforcement unless they take steps now to ensure compliance.