Best Practices for Managing Cyber Risks in a Cyber World
One remarkable aspect of the COVID-19 pandemic has been how quickly and completely global businesses were able to pivot to a virtual work environment.[1] Across the world, employees fired up their laptops and got back to work from their living rooms and kitchen tables.
While this can-do spirit helped keep the global economy treading water during 2020, it also created unprecedented cybersecurity exposure. Each work-from-home employee represents a potential entry point for attackers. Given how rapidly businesses had to transition during the pandemic, they also had limited (if any) time for standard due diligence or testing before deploying remote-work technology.
A number of other factors worked against cybersecurity efforts during the pandemic and combined to create more opportunity, and near-ideal circumstances, for attackers. These include the need to engage vendors and technology developers that may be operating outside their normal industries or offerings, limited employee familiarity (or comfort) with the technology, and employee job insecurity, which may lead to risky IT workarounds in the home environment simply to get the work done. Employers found they no longer had complete control over the work environment: a necessary adaptation, but one that brought increased risk.
Also, most companies understandably had to focus on simply maintaining their operations during the pandemic-induced economic crisis. Cybersecurity was not necessarily at the top of the priority list, and in some cases, IT and security personnel may have been among those furloughed due to the pandemic.
Needless to say, the shift to remote work has dramatically increased exposure. According to the Cost of a Data Breach Report 2020, an annual report produced by the Ponemon Institute and IBM Security, 70 percent of organizations surveyed said remote work would increase the cost of a data breach, and 76 percent said it “would increase the time to identify and contain a potential data breach.” Having a remote workforce was found to raise the average total cost of a data breach, $3.86 million, by nearly $137,000, for an adjusted average total cost of $4 million.
The Internet Crime Complaint Center (IC3) tracked and reported a massive spike in hackers attempting to capitalize on the COVID-19 crisis. In April 2020, online crimes reported to IC3 had roughly quadrupled since January to 4,000 incidents daily, according to Tonya Ugoretz, the deputy assistant director of the FBI’s Cyber Division. COVID-19 threat reports alone now account for five times that figure, more than the IC3 saw for all threats in 2019, including unrelated scams, phishing and fraud schemes.
Without a doubt, the pandemic created fertile ground for bad actors. For the first time, NETSCOUT observed more than 10 million distributed denial-of-service (DDoS) attacks in a single year in 2020. That was 1.6 million more than the prior year, and May 2020 saw the largest monthly attack count NETSCOUT has ever recorded.
2020 At Its Worst—Top Cyberattacks
With all of those factors working against companies hoping to protect sensitive information, it is no surprise that 2020 saw a number of noteworthy cyberattacks (although some attacks began even prior to the pandemic). The following are some of the most prominent examples:
Marriott International: Hackers used compromised credentials from a franchised property. The attack affected personal information of approximately 5.2 million guests. Hotels are targeted not just to obtain and sell personal data but also to compile and sell intelligence related to the location of government officials with security clearances and to track business leaders for high-profile companies.
Twitter: The social media platform was hit by a phone spear-phishing (social engineering) attack in which attackers obtained Twitter employees’ credentials, used them to reach internal account-support tools, and tweeted from the targeted accounts. High-profile victims included well-known personalities (Kanye West, Bill Gates, Elon Musk, Jeff Bezos, Warren Buffett, etc.), politicians (Barack Obama, Joe Biden, Mike Bloomberg, etc.) and companies (Uber, etc.).
MGM Resorts: Information on approximately 10.6 million guests was shared on a hacking forum, again including high-profile persons: celebrities, senior executives, employees of major companies, reporters, government leaders and FBI agents.
Zoom: Roughly 500,000 user accounts were posted for sale on the dark web following a credential stuffing attack, in which attackers replayed username/password pairs leaked from earlier, unrelated breaches against Zoom logins, compounded by weak, easy-to-guess passwords.
Magellan Health: A social engineering phishing attack led to exfiltration of data followed by deployment of ransomware, affecting roughly 360,000 patients.
Finastra: As a software provider to financial institutions including 90 of the top 100 banks globally, Finastra maintains sensitive financial data. It suffered a ransomware attack that forced servers offline; reporting attributed the intrusion to known vulnerabilities for which security patches were available but had not been applied.
SolarWinds: Nation-state attackers inserted malware into SolarWinds’ Orion platform so that the trojanized code was delivered to SolarWinds customers through routine software updates, a software supply-chain attack that affected numerous federal agencies, Fortune 500 companies and other customers.
The Particular Dangers of Ransomware Attacks
Ransomware predates the COVID-19 pandemic, but the work-from-home environment certainly provided increased opportunity for such attacks, and ransomware brings particular risks that deserve separate examination.
Ransomware is a type of malware (malicious software), usually installed without the user's knowledge; it is commonly spread through phishing email or by visiting a compromised website. Once running, it encrypts files or otherwise locks the user out of the system and demands a ransom for the decryption key, typically payable in Bitcoin or another cryptocurrency that is hard to trace to a real-world identity. Payment does not guarantee recovery. The (usually anonymous) attacker may also threaten to release sensitive or confidential information that was exfiltrated before encryption if the ransom is not paid, a tactic often called double extortion.
According to one report, the United States saw a 139 percent year-over-year increase in ransomware attacks in the third quarter of 2020 alone, recording 145.2 million ransomware attacks in that three-month span.
As Stephanie Lambert of NETSCOUT notes, paying ransomware attackers could expose the victim to action by the Office of Foreign Assets Control (OFAC), which administers and enforces U.S. economic and trade sanctions against targeted countries, groups and individuals. Because the victim usually does not know who the attacker is, it cannot confirm that the recipient of the payment is not on a sanctions list.
What’s at Stake?
The costs of data breaches are high, and getting steeper. The average cost of a data breach in 2020 was $3.86 million, as noted above. The United States had the highest average cost in the world. By sector, breaches are most expensive in healthcare, and records containing healthcare data command the highest street value, above even financial or payment card data.
Malicious attacks accounted for 52 percent of data breaches in 2020, according to the aforementioned Ponemon/IBM report. System glitches accounted for 25 percent of breaches, while 23 percent could be traced to human error. The report also found that nation-state actors created the most expensive breaches (as compared to financially motivated actors).
The Ponemon/IBM report identified the following initial attack vectors for malicious breaches (share of malicious breaches; the list is not exhaustive):
Cloud misconfiguration—19 percent;
Compromised credentials—19 percent;
Vulnerability in third-party software—16 percent;
Physical security compromise—10 percent;
Malicious insider—7 percent;
Other misconfiguration or system error—6 percent;
Business email compromise—5 percent;
Social engineering—3 percent.
Customer personally identifiable information (PII) is the costliest record type to have exposed in a breach on a per-record basis (around $150 per record). Other corporate data (not containing PII) follows closely at around $149 per record, and intellectual property at around $147 per record. Even anonymized customer data averaged $143 per record, and employee PII $141.
Data breaches also can take a heavy toll on a company’s reputation—which ultimately impacts the bottom line in the form of lost business. The Ponemon/IBM report states: “Lost business costs accounted for nearly 40 percent of the average total cost of a data breach, increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.”
Finally, data breaches can result in the loss of intellectual property. Around 32 percent of data breaches involved loss of IP, which can have long-term repercussions for a company. While many think of credit card numbers as the only treasure sought by attackers, many actually seek IP and other mission-critical strategic information.
As David Coher of Southern California Edison notes, even physical assets can be the target of a cyber-attack. If the device or system is connected to the internet, it has the potential to be hacked.
The Statutory Landscape
Current cybersecurity law is a patchwork of federal and state statutes. At the federal level, Congress recently passed the IoT Cybersecurity Improvement Act of 2020. The law establishes minimum security standards for Internet of Things (IoT) and connected devices owned or controlled by the federal government. It charges the National Institute of Standards and Technology (NIST) with developing guidance on secure development, identity management, patching and configuration management for IoT devices, and it increases federal oversight of IoT security, administered by the Office of Management and Budget and the Department of Homeland Security.
At the state level, all 50 states, the District of Columbia and several U.S. territories have their own data breach notification laws, and many also require, in general terms, that organizations maintain reasonable and appropriate security controls. In 2020, 38 states, plus D.C. and Puerto Rico, introduced cybersecurity-focused bills with more explicit standards for data and cyber security. Although few were passed, lawmakers considered more than 280 state-level cybersecurity bills in 2020, demonstrating heightened awareness of cyber risk and the appetite to legislate minimum standards.
Ideally, future cybersecurity legislation will continue to emphasize flexibility, so that small businesses are not crushed by an onerous regulatory burden while organizations of all sizes and levels of sophistication remain accountable for security programs appropriate to their risk. HIPAA is a good model for this approach: its Security Rule demands a high level of accountability from healthcare providers and their business associates but does not mandate exactly how they must implement the required safeguards, leaving the specifics to each organization's risk analysis.
Risk Mitigation—Fighting Back
So what are company leaders to do? Remote work is not going away anytime soon, even once the pandemic ends. Nor are criminals and nation-states looking to hack their way into unsuspecting victims’ systems. Here are a few best practices:
Take an inventory of all strategic assets and where they are stored. Creating such a data inventory can be difficult and time-consuming, but it is vital: only once security professionals know where particular assets reside within the organization can they build layers of protection around them.
Not every asset can be protected with the same level of diligence. Focus on the assets whose compromise would cause the biggest problems.
Assume that your organization will be hit by a cyberattack, and create an incident response plan, as well as disaster recovery and business continuity plans, to limit the damage.
Consider getting cyber insurance but make sure that the policy actually covers real-world cyberattacks and the damage they cause. Pay particular attention to exemptions and exclusions, as some insurers have changed how they handle such items, particularly in light of new liabilities during the pandemic.
Third-party vendors, customers and business partners can be a source of cyber vulnerability (several of the attacks above began with a franchisee, a vendor or a software supplier), so ensure contracts include language that addresses liability, risk allocation, minimum security requirements and breach notification obligations.
Employees are frequently the attacker's entry point; phishing and social engineering featured in several of the attacks above. Security training and education is a relatively low-cost way to improve an organization’s defenses quickly. Training should be presented as a benefit to all, not as a “trap” for employees who fail to follow company policy.
Cybersecurity impacts all departments, so consider creating an organization-wide security team, with members from all departments, that meets regularly with the Chief Security Officer.
Once you have an incident response plan (including disaster recovery and business continuity components), it is equally important to test the plan and its associated processes. Organizations should run “tabletop” exercises (a mock, organization-wide incident walked through for response purposes) and consider using an outside facilitator to provide a fresh set of eyes and an independent perspective. Both Stephanie Lambert and David Coher stress that tabletops are one of the most important preventive measures and essential to maintaining an effective response plan.
A tabletop lets an organization work through the thousand-and-one considerations that arise and decisions that must be made during a cyber event. For example, what if the organization’s systems need to be completely shut down? Who makes that decision, and what is the process for making and implementing it? Who has authority to engage law enforcement or to authorize a ransom payment (bearing in mind the OFAC exposure discussed above), and how does the team communicate if corporate email is unavailable? Walking through such scenarios helps organizations be better prepared for a real cyberattack.
Assistant U.S. Attorney JoAnna McFadden stresses that getting the FBI involved early is important. The FBI has extensive experience with these attacks. Working with the FBI and a breach response team immediately can reduce the damage from the attack and increase the chance that the attacker will be stopped or apprehended.
Company leaders also need to ensure that they allocate sufficient and appropriately qualified resources to cybersecurity, even during the current economic downturn. Around 62 percent of IT team leaders say their organization’s cybersecurity team is understaffed, while 57 percent say they currently have unfilled cybersecurity positions on their team.
Cybersecurity has never been easy, and the challenges presented by the COVID-19 pandemic and work-from-home environment have exacerbated these difficulties. However, through a careful combination of legal compliance strategies and focused IT solutions, organizations can position themselves to guard against cyberattacks and mitigate the damage should one occur.
[1] This paper is based on a Cybersecurity Panel discussion with Tara Cho; David Coher, Principal, Strategic Planning & Power Supply, Southern California Edison; Stephanie Lambert, AVP, Chief Compliance Counsel, NETSCOUT; JoAnna McFadden, Deputy Chief, Assistant US Attorney, Criminal Division; and moderated by Mark Henriques.