What cyber challenges currently exist in the industry?
Right now I’m thinking a lot about third party risk, with “cloud” being a subset of the broader third-party category. Many companies are more often choosing to leverage software-as-a-service (SaaS) or a third party as their first option. That means we are choosing to give our data to a third party and recent news has shown that not enough companies are paying close attention to the shared responsibility model of SaaS providers and infrastructure-as-a-service (IaaS) providers. These platforms only commit to security up to a certain point and then they provide a framework with tens, hundreds, or even thousands of roles and configuration options that enable you to protect your data in their environment. As customers, companies are not doing a great job following the providers’ “best practices” guidelines for implementing those configurations and securing their own data. I think one of the biggest risks that companies are facing today is that there’s no “easy button” for SaaS and there’s no easy button for IaaS – it takes time and effort to learn these platforms and skill up so you can apply fundamental security principles and perform key functions like protect, detect and respond in these new environments.
How do you advise smaller-sized firms to approach cybersecurity on the IT side?
For smaller-sized firms there are a few things that are just “must do”. If you have cloud-based email or remote access into your environment, you must have two-factor identification on it. It’s not inconvenient, and it’s not expensive, and it is highly effective. You also need to be thinking about ransomware, because, eventually, phishing emails are going to get through, and they might have malicious attachments, or your employees might download something malicious from the Internet. You need a security technology that is effective at preventing ransomware from crippling your network, and on the off chance that it still runs and encrypts your computers, you need to have backups. You can’t rely on, and probably don’t have, a bitcoin wallet sitting in your back pocket, and you can’t trust that paying cyber-criminals a ransom will result in the key that will decrypt your data.
You should also think about how money can leave your organization, because Business Email Compromise, based on phishing and social engineering, is a big business. This is one where process is the most effective control, so look at how money can be wired out, and make sure there’s a robust process to confirm it’s going to the right place for the right reasons. Lastly, think about mobility – if you have laptops and mobile devices, which almost everyone does, they need to be encrypted and secured. Things get lost, so you need to minimize that risk.
After all this, you have to ask, “What are my regulatory obligations, if any?” If you have any, then there’s a number of things that you’ll just have to do, or at least have a plan to do, because they’re going to come in and inspect you.
What do you recommend when it comes to cyber-insurance?
I think cyber-insurance can be valuable in certain scenarios, such as when your business has a consumer-facing component where you can quantify the cost of a breach. For example, if you know you’ll have to replace credit cards, provide credit monitoring for customers, and reimburse for fraudulent purchases or transfers, there are enough examples to date of what that might cost that you can buy insurance for it. Another scenario would be to estimate the cost of incident response and recovery from a ransomware or destructive malware event, i.e. procuring and building new machines and restoring data to them. If you can estimate that cost, you can insure for it. What cyber-insurance ultimately won’t cover is the damage to your organization’s reputation, which is difficult to quantify.
What cyber issues keep you up at night?
One thing that keeps me up at night is consistency. You can have a robust program, mature controls, and good people on your team, but cybersecurity is not an application that you can build, release version 1.0, and make incremental upgrades from time to time. It is a continuous, every-day effort to stay abreast of the latest breaches and how they happened, and which new vulnerabilities are released, and ask whether your controls are working, and whether you’ve prevented, detected, and responded to all of the day’s events without something getting lost in the shuffle. The phrase that has been used for years is “constant vigilance.” I’m always concerned that we might have missed an alert, or a change might have been implemented that altered a control that we had in place. Building and nurturing a program that is consistent every single day is critical, so even when something gets through, we’ll see it quickly.