The number of sophisticated cyber attacks is growing. They will require more forceful and coordinated defenses.
During any 48-hour period in 2010, more data was created than had been created by all of humanity in the past 30,000 years. By the year 2020, that same amount of data will be created in a single hour. The speed at which data will be created will grow exponentially as we connect more and more smart devices to the Internet – The Internet of Things. All that data is becoming increasingly vulnerable as breach of one piece of data leads to access of countless others.In 2015, there has been a constant and growing stream of devastating cyber attacks reported against major firms and the U.S. Government. The prospects are for more cyber breaches in 2016. Home Depot, Sony, Athem, EBay and the USG’s Office of Personnel Management are just the most notable examples, and the Ashley Madison breach demonstrates that prominent people are not getting smarter about privacy protection. Despite the increasing regularity and scale of these breaches, the ‘how?’ and ‘why?’ in regards to prevention seemingly remain unanswered.
Companies are scrambling to hire cyber security experts. Hundreds of firms purporting cyber security bonafides have started their own ventures in the past year - each claiming to have the technical solutions to defend enterprises and organizations. Many offer incentives, discounted introductory rates and free surveys with the aim of up-selling costly hardware and IT upgrades. The vexing question faced by both commercial and government Chief Security Officers (CSO) and Chief Information Security Officers (CISO) is “when will our cyber security infrastructure be sufficient and where is the next attack coming from?” The answer is “basically never” and “hard to know.”
Criminal cyber attacks are seemingly endless and a very lucrative business for the cyber thief. For the lazy, cyber criminal hacking software is a click away and can be downloaded for free off of the internet. State actors openly collaborate with criminal elements (often one in the same) which leads to increasingly sophisticated cyber breaches in far greater frequency against a broader range of targets. No organization or government entity is immune. Simply put, the odds of your organization and/or your family being breached will be substantially higher in 2016.
Commercial enterprises and public agencies at every level of government have data that needs to be protected from theft, prying eyes and “Denial of Service” (DoS), the shutting down of an enterprise or interface. The ability of a country to both launch DoS attacks and prevent them from shutting down their own communications and systems will be the difference in who wins and loses cyber battles of the future. Belligerent foreign state actors constantly launch DoS attacks against U.S. Government Defense and Intelligence Agencies, as well as against major corporations in the financial sector, healthcare and the media. The numbers are staggering. The Pentagon reports 10 million attempted breaches a day. The National Nuclear Security Administration, an arm of the Energy Department, also records 10 million hacks a day. Commercially, the multinational oil and gas company BP says it suffers 50,000 attempts cyber intrusions a day.
DoS attacks are now frequently launched against small and large businesses, as well local and state agencies of all sizes. For the common criminal, DoS attacks are a means of holding the victim hostage and extorting money. DoS attacks against emergency services such as police and fire departments are increasingly common. Reports indicate that ransoms are being paid almost immediately by these emergency services before the public is aware in order to avoid potential public panic. Due to the quick pay offs to these criminals, incidents will continue to increase and hit more businesses every day.
As much as cyber security technology is advancing, investigations following the most devastating breaches show poor security practices by humans (or “insider threat”) is by far the most common cause. Examples include contractors installing upgrades being issued “universal passwords” that were blocked after the installation; systems that were not updated with new passwords after major employee layoffs or during periods when labor management confrontations were underway; compartmentalization requirements being ignored; and access shared with unauthorized personnel for the sake of convenience (Edward Snowden). Employees permitted remote access to sensitive data bases, and cell phones and computers left unattended in public locations are also common causes. Other problems include hotel and public servers being virtually all compromised and personal computers being used for business and vice versa.
To be in the best position in the coming year, enterprises and organizations need to reassess risks with the expectations that their organization will be targeted and will take some hits. There must be a willingness to invest in cutting-edge counter measures and also insure against loss. There are countless software systems that claim to secure your information, block penetrations, detect breaches and minimize exfiltration of data. However, no firewall or password - no matter how sophisticated - can protect you from the inside threat posed by employees who wittingly or unwittingly open up systems to compromise. Susceptibility to attacks can be mitigated if employees follow basic security procedures, such as protecting passwords, limiting remote access and closely monitoring and strictly limiting the access to outsiders. In the case of protection, perfect never gets in the way of “good enough.”
Firewalls and passwords are 20th century technologies fighting a 21st century battle. A perfect example of this is a cyber startup company that claims it can penetrate any company’s IT systems. The CEO of that startup confided privately that they do not need to employ hacking technologies, but instead use the old fashioned method of engaging employees who then give them access. Using any number of cover stories, employees share their password(s) and the intruders simply logs in. Ironically the intrusion is then used to convince the client to purchase updated firewall software with improved firewalls. The Department of Defense and the Department of State have both been compromised via unwitting employees being cajoled to willingly reveal passwords or insert thumb drives containing malware despite extensive education efforts to prevent insider threat. The other common tactic is enticing employees to download email attachments containing malware. It is overwhelmingly the case that employees will open emails from unknown persons while at work but would never do it on their home computer.
Standard operating procedures and a disciplined work force will find itself far more secure. The tough part is effectively implementing it for everyone through a combination of positive and negative incentives. For that to work CEOs need to have close working relationships with both their CSO and CISO who work as a seamless team with the Chief Information Officer (CIO). By working together they can establish protocols and procedures that are practical, while ensuring the company remains efficient with employee buy-in and cooperation. It is also essential that the security team closely monitors the inside threat beyond routine compliance to security procedures. Rogue employees exist or can emerge within an instant. Systems are routinely at risk when an employee resigns or is terminated. In addition, contractors or vendors inside the firm pose a potential threat and need to be closely monitored; no external device or software should ever be permitted into your network unless authorized.
The first step to building an organization’s cyber security is to retain the services of a dedicated cyber security firm or advisor. The key is to engage a firm that best fits the size and need of your organization. For instance, a law practice with 200 employees will differ from a Fortune 500 company, not only with respect to available resources, but also the requirement. Smaller firms may want direct access to local technicians and key staff of your provider. To that end, a smaller practice with operational experience is ideal. Conversely, multinational enterprises benefit from engaging large consulting practices that include legal and lobbying components.
The next step is to implement best practices, no matter the size of your firm. Very good analytics and intelligence must be in place. You need to have probes available to get you information either as the data breach is occurring or afterwards to be able to understand the damage.
Next, you must have an incident response team that is trained and ready for the scenario of a breach. This team can be in-house or external, depending on requirement. If you opt for an outside capability, a boutique, cyber - and privacy specific - form may be your best option as opposed to a branded multinational. Recent studies show that companies with a trained response team had an average $12 or $13 less expensive cost of a breach per capita than companies that did not; That is a very significant difference and a lot of money saved.
Third is the use of encryption. We are talking layered encryption for your enterprise and data. So when the bad guys get by your five-year- old, non-updated firewall and your abc123 password, they get a user name and maybe the password, perhaps even a social security number or date of birth. The data they really want, the financial accounts or health records are actually encrypted. So they get the keys to the castle but can’t get to the crown jewels. Finally, of course, to mitigate insider threat employee training and Board-level involvement is necessary.
The Right Insurance
Since no solution can ensure total data security, your cyber risks need to be mitigated through insurance. Over the last few years many firms wrongly assumed they already have it, think they do not need it, or do not believe it is even an option or available at a reasonable cost. These assumptions are dangerous. The insurance industry has made great advances in this area over the last year. By shopping for cyber insurance, your organization should obtain valuable assessments of your company’s cyber security posture, give an objective rating of whatever cyber security expertise you have employed and determine how much insurance you need or the ceiling that makes sense. The right insurance companies will also outline what needs to be done to improve and mitigate risks sufficient to make you insurable at the lowest possible premium. By taking advantage of this basic gap analysis a company can significantly improve its awareness without committing to a finite policy.
A common mistake is assuming a comprehensive or blended policy that includes cyber will be sufficient. While one may assume insurance carriers would be eager to find gaps and sell you more insurance, the cyber world is changing so rapidly and incidents and losses are increasingly significant that it is difficult for insurance professionals to correctly calculate premiums and risk. One only needs to look at the staggering loses by Sony, Target and Home Depot to see how risky a major cyber policy could be for the insurer.
Major insurers often opt to limit coverages and attempt to sell comprehensive or blended Errors and Omissions insurance policies hoping the client will think it sufficient. Before accepting this option, firms should reassess exactly how much cyber risk they are willing to bear and approach their insurance firms and insist on a separate policy and seek out competing quotes. It is very likely that this time of uncertainty could prove to be a real opportunity to buy the most extensive coverage at costs far lower than a year from now. Once a devastating breach occurs, the Board or Directors and shareholders will expect that company is prepared for the worst case. A CEO’s future will depend on having an adequate insurance policy when the disastrous breach occurs.
In general, the following are the coverages and benefits that should be included in a cyber insurance policy:
- An option for increased ceilings in coverage as your company grows and changes.
- Security and privacy liability that responds to both 1st and 3rd party claims stemming from a security failure.
- Data breach expense coverage for notification, credit monitoring and engagement of public relations firms, crisis management firms, forensic investigators and outside security experts.
- Business interruption coverages for lost income during or as a result of a security brief.
- Cyber extortion coverage that will reimburse for costs to quickly respond to extortion threats.
- Coverage for regulatory proceeding claims made against you related to violation of Privacy Law.
- Date recovery coverage for the cost of restoring data and intangible assets that are destroyed by a cyber-attack. Media content coverage that addresses claims related to the creations and distribution of material insuring against anything on your firm’s websites and media that could damage or injure others.
- Coverage for fines and penalties levied for non-compliance of PCI Data Security Standards.
In addition to these coverages, insurance firms should provide assessments of your cyber security posture, and the services of cyber and legal experts to provide on-going consultations and step in following a security breach. They should be able to quickly assess incidents and damage to keep the company moving and public confidence in place. On a full-time basis, free access should be provided to websites with daily news on cyber security incidents, developments in cyber defenses, best practices, and cyber security blogs. The right insurance policy arrangement should be a partnership that truly enhances the company’s IT systems and its cyber posture.
Every firm should also take advantage of government programs that provide assistance in improving your defensive posture against cyber threats. A positive development in 2015 are new regional cyber security centers that have been created to serve the public and private enterprise. These are resources available at no cost that can greatly assist any business or organization improve its defensive cyber posture. One particularly outstanding resource stood up in May is the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). This consolidated the state’s cyber security efforts within New Jersey’s Office of Homeland Security and Preparedness. Through its website www.cyber.nj.gov, the NJCCIC promotes shared and real-time awareness of dynamic cyber threats for any business small, medium, or large—in New Jersey. The NJCCIC is one of the first Information Sharing and Analysis Organizations—a federal designation indicating an advanced cyber capability—representing a vital step in scaling cyber defense to the local and state level. Firms at all levels need access to cyber threat intelligence that can be automatically integrated into their security architecture to block attacks before they spread.
A number of states have been following New Jersey’s lead. California, Delaware, Virginia, Rhode Island, Idaho, Washington State, Kansas, Vermont and New York have stood up commissions and centers to deal with cyber threats at local levels. Louisiana’s fusion center has an innovative cyber security program as do centers in Northern California, Kansas City, and elsewhere. Many states and localities are engaged with both federal partners, as well as with each other through mechanisms like the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Fusion Center Association (NFCA), and the National Governors Association (NGA). In the coming year these developments will undoubtedly boost the pace and scale of cyber threat information sharing to the private sector.
New Jersey has put forward several useful strategies to improve cyber security for citizens and businesses that others need to follow this year to make a real difference nationwide. This includes extensive information sharing between the public and private sector. New Jersey has prioritized working with the private sector and even individuals, and included sectors outside of law enforcement, all of which vastly expanded effective cyber security coordination. Firms can vastly improve defense postures by publicly sharing information on various cyber threat actors, and by providing background on high profile data breaches, as well as attack vectors and exposing tactics from the most basic to the most sophisticated. It is developing into an information clearing house going beyond the state and is leading to a nationwide coordinated effort.
With New Jersey’s large financial sector, their cyber security has made it a priority to reach out to key industries such as the Financial Services Information Sharing and Analysis Center. This has resulted in partnership in which cyber threat information is not only shared but also jointly analyzed and correlated with various global financial institutions to identify trends, adversary tactics and vulnerabilities.
Staying on Top
Cyber security is a combination of multiple issues and problems. IT issues, crime and privacy issues, national security issues, and industrial and international espionage. All need to be taken into account. Any defensive approach has to utilize a broad range of expertise and disciplines. It is therefore essential to take advantage of all resources available, stay on top of innovations and closely monitor what is being developed in the field in order to mitigate risk. But keep in mind the basics of encouraging and training your work force to support these efforts and not undermined technology through poor human tradecraft. We all leave our doors unlocked and security systems off more times than we would like to admit.