David Dufour, David Finz, Timothy J. Toohey and Chant Vartanian Give Insights on What You Need to Know About Cybersecurity
The Cybersecurity panel is produced by the L.A. Times B2B Publishing team in conjunction with Alliant Insurance Services; Carbonite + Webroot, OpenText Companies; Greenberg Glusker LLP; and M-Theory.
Corporate cybersecurity breaches have become more and more commonplace, and the threats (and fines) are growing as we become increasingly reliant on cloud-based computing and other online innovations. With hundreds of thousands more employees working from home, with devices containing sensitive data leaving offices and entering homes at an exponential rate, those concerns have only increased.
While tools to prevent breach incidents have become more sophisticated, so have the methods of the hackers and cybercriminals. What actions can business owners take to protect their private data and that of their customers and employees? How can C-suiters and IT teams sleep better at night when there are so many mounting threats to our digital security?
The Los Angeles Times B2B team turned to four uniquely knowledgeable cybersecurity experts for their thoughts and insights about the threats businesses face in today’s digital world and what executives can do to safeguard the privacy of their organizations, employees, customers and other stakeholders.
Q: As a trusted advisor to businesses, what are some of the key pieces of advice you share with clients in terms of protecting themselves against cyber threats?
David Finz, Vice President, Cyber Risk, Alliant Insurance Services: We urge our clients to keep two guiding principles in mind. First, while companies may be able to outsource specific functions to IT service providers, they can never outsource their ultimate responsibility for cybersecurity. Vendor management is essential, both in terms of the provider’s technical capabilities as well as the contractual rights and obligations of the parties. Second, cyber insurance is not intended as a substitute for maintaining strong security and privacy controls; it is designed to help companies manage the financial impact of an event should those controls fail.
Chant Vartanian, Founder and Chief Executive Officer, M-Theory: Awareness of risks is one of the biggest challenges in most organizations. When staff members are appropriately informed regarding the vulnerable nature of key aspects of their firm’s business, they naturally seek to build defensive mechanisms into their workflows. As part of the risk awareness campaign, it is necessary to have a current inventory of valuable information assets. Unfortunately, this starting point is where many entities historically fall short. With modern tools, capturing and maintaining a current understanding of the information assets is more attainable than ever before, although the landscape is complicated by not just hardware, software and data stores, but by the Internet of Things (IoT) as well. In many cases, this takes overlapping inventory and vulnerability management tools. And here is a fundamental issue: It is important to have the leadership team sponsor the efforts to raise awareness continuously so that every knowledge worker in the organization is empowered to make incremental, positive shifts in procedures and behavior.
Q: What are the biggest cybersecurity-related challenges in 2022?
Timothy J. Toohey, Partner, Cybersecurity & Privacy, Greenberg Glusker LLP: The biggest challenges this year will be those stemming from the fact that a large portion of the workforce continues to operate from home because of COVID-19, which increases the vectors for remotely launched security attacks, including ransomware attacks. In addition, given the ongoing global tensions with foreign countries, including Russia and China, businesses in critical sectors, such as energy, technology and national security, will continue to experience attacks from hostile nation-states seeking disruption or theft of intellectual property. With ransomware attacks growing in scope and severity, we are likely to see the continued increase of this type of attack.
David Dufour, VP of Engineering & Cybersecurity, Carbonite + Webroot, OpenText Companies: The past couple of years have seen a shift from remote to hybrid work. Hackers gladly welcomed that change by taking advantage of the many security vulnerabilities and gaps by organizations, businesses, and consumers alike. There remain three key challenges ahead for 2022 around building a strong, cyber-resilient organization: 1) Ransomware attacks: Cyber perils still loom and the threat of ransomware attacks, data breaches, or major IT outages has companies worrying even more than they do about their supply chain disruption, natural disasters, or the pandemic; 2) Increased ease-of-entrance for external attackers: The ability for attackers to breach an organization’s network perimeter and gain access to local network resources grew more in 2021 than in any other year; and 3) SMB attacks: While many large businesses suffered breaches, small and medium businesses will continue to be easy targets for hackers because of their lack of resources and security expertise.
Vartanian: Ransomware has every Information Technology department on high alert. Numerous tools need to be effectively employed to protect an environment, including high-fidelity network segmentation, multi-factor authentication, file integrity monitoring (FIM), intrusion detection systems, and so on. From a strategy standpoint, any organization needs to have a solid Major Incident Response program. This includes training sessions to develop the playbooks necessary for the practice sessions that run across the various departments within a group. The drills recommended include tabletop exercises up to deep “Red Teaming” exercises that emulate precisely how an adversary would reconnoiter and establish a stealthy beachhead and have their way within an organization. Having the right tools implemented well is necessary, but only with practice will the defenders in a group develop the institutional muscle memory that is sufficient to effectively deal with major incidents.
Q: How have regulatory issues changed the way businesses view cybersecurity?
Finz: The enactment of regulations designed to protect consumers and shore up our nation’s critical infrastructure has acted as a double-edged sword. Regulators do have a role to play in establishing baselines for reporting cyber incidents, safeguarding confidential data, and implementing security controls. On the other hand, businesses should not allow compliance with these regulations to lull them into a false sense of security. The threat environment is constantly evolving, and just doing what is legally required may not be sufficient to manage risk. The recently publicized vulnerability in a commonly used logging tool known as “log4j” offers a prime example of how the cybersecurity community is able to come together and quickly respond to an emerging threat independent of any enforcement mechanism. Insurers can also incentivize cyber preparedness and resilience by updating their underwriting criteria to reflect the changing risk landscape.
Q: What are some of the top cybersecurity trends that you are seeing?
Vartanian: The Secure Access Service Edge, or SASE, is quite valuable as an emerging technology to face the threat landscape. SASE will allow for the fine-grained segmentation of digital assets that is necessary to defend against serious adversaries using Secure Web Gateways. Additionally, the Zero Trust aspect of SASE is very effective in providing safe environments to remote workers, which has become so very mainstream in recent years. SASE works within a network to prevent Denial of Service, protect Domain Name Services, Software-Defined Wide Area Networking (SDWAN) and help assure that other key aspects of an environment are secured.
Q: Are some industries hit harder than others by data breaches? If so, which industries?
Dufour: Healthcare, financial, and higher education industries were, and are still, among the top hit because of the massive amounts of data they keep, which has also led to ‘double ransomware’ opportunities as we start off 2022. If the cyber-attacks in 2021 taught us anything, it’s that attackers aren’t just encrypting data; they are actively looking to exfiltrate critical information before any encryption. As ransomware protection improves in 2022, especially removal and recovery strategies, hackers are getting smarter and are using stolen data as new leverage in extortion so they can still threaten victims if they do not pay the ransom. These double ransomware threats are where attackers encrypt the target’s data and not only demand a ransom for its return but leverage additional payment incentives to add pressure on the victim to pay the ransom. GDPR and other data privacy regulators’ fines only reinforce this pressure if the breach is publicized.
Vartanian: The American bank robber Willie Sutton was quoted as saying that he robbed banks because “That’s where the money is.” This is truly no longer the case in modern times. Due to heavy regulations in the financial industry, as well as health care, and many other enterprise industries, the defenses are so good that bad actors are seeking to monetize their efforts from many creative approaches. We are seeing unprecedented attacks on supply chains. When the main business environment of the corporation is locked down, it becomes interesting to attempt to sneak in the back door by embedding stealthy code in one of the solutions that a corporation relies on to be provided by a third party. As a consequence, there is no industry that is immune to the impacts from a wider attack surface. Breaches that have been occurring over the past 18 months bear this point out quite clearly.
Q: How has the COVID-19 pandemic changed the cybersecurity landscape?
Toohey: The increase in the number of personnel working remotely who are connected to their employer’s networked systems has dramatically increased the vector for potential cyberattacks, including ransomware attacks. With remote working, it has become much more challenging for businesses to ensure compliance with security protocols meant to prevent phishing attacks and other threats that can lead to ransomware or personnel being fooled into sending money to hackers. Moreover, many personnel who are now working remotely, including service personnel for large enterprises, are unaccustomed to such work and may blend the use of work and personal devices, which further increases the risks. Finally, COVID-19 has given rise to scams based upon testing, preventative measures, and other related products.
Dufour: Remote work, once necessitated by the pandemic, is now a part of our lives that is here to stay. Because the majority of organizations now have hybrid models, a business’s cybersecurity best practices, too, must evolve. There must be a shift in overall cyber resilience behavior to include an increased adoption of cybersecurity strategies, a better understanding of the comprehensive and remote workforce security challenges (and the gaps), and how to fully embrace a zero trust approach that must include an effective Managed Detection and Response strategy to help maintain a strong security architecture and to best safeguard operational technology, on-premises systems, cloud-based applications, and SaaS solutions.
Q: What tools can companies use to protect their data?
Vartanian: As the cybersecurity industry has matured over the past 25 years, tooling has become quite granular, specifically focusing on areas of ingress and exploitation. There are no gaps in security that are not being addressed vigorously on a tooling level. The issues shift to how the tools are implemented and how the team members are trained to use them. Most IT organizations will readily admit that some of the more sophisticated tools, such as Web Application Firewalls and Zero Trust networks, are not fully deployed and utilized properly. Therefore, it is convenient to consider Managed Security Services to be an important tool in the arsenal. When organizations do not have the bandwidth, resources, or skill to work with advanced security technologies, finding the optimal Managed Services Provider becomes the essential tool of choice.
Q: What are some of the biggest trends today in cybersecurity?
Toohey: One of the biggest trends today is the proliferation of new laws relating to the protection of personal information and the growth of the scope of information protected by these laws. Starting with California’s Consumer Protection Act (CCPA) and the expansion of that law with the California Privacy Rights Act of 2020 (CPRA), which will come into effect on January 1, 2023, California has led the way with enactment of privacy laws to protect its residents. This year, we are likely to see other states join California, Colorado and Virginia in passing their own privacy laws. In contrast, the continued impasse in Washington D.C. is likely to inhibit much needed federal protections, including protections against growing cyber threats. 2022 is also likely to see the growth of privacy laws outside of the United States which, in some cases, are modeled on the groundbreaking General Data Protection Regulation of the European Union. Accompanied by restrictions on data transfer outside of the “home” jurisdiction, the privacy landscape is likely to become increasingly complex and difficult to navigate.
Q: Big brand breaches make the news, but are smaller companies also at risk?
Finz: Cyber risk isn’t just an issue for Fortune 500 companies. A study by the Ponemon Institute revealed that three out of four small and midsized businesses in the U.S. have experienced a cyberattack, and another report from Verizon noted that the majority of such attacks have entailed the disclosure of credentials or other data. The cost to these firms can be staggering; the National Cyber Security Alliance found that approximately 60% of small and midsized businesses enduring a cyberattack end up going out of business within six months. Still, many do not buy insurance.
Dufour: Smaller businesses are one of the primary targets for cybercriminals. Smaller companies are typically easier to breach due to the lack of staff, tools and knowledge, usually stemming from budget constraints. While some of the big brand breaches have made headlines for eight-figure ransoms, the bread and butter for cybercriminals is in the $50k average ransom payment that a small or medium-sized business will end up paying. Where it may take teams of malicious actors weeks or months of dedicated research to breach a big company, they may be thwarted within hours and unable to gain the foothold needed to facilitate a successful ransomware attack. By targeting smaller businesses, the effort to breach and return a five-figure ransom payment has a much better cost/benefit analysis.
Vartanian: Smaller companies are at greater risk than ever. SMBs lack security provisions that may be common in larger enterprises, such as Incident Response Plans and retained incident response services. Additionally, larger enterprises mitigate risks by having formal budget plans. This includes redundant infrastructure, security operations, disaster recovery and other resilience measures. While the target value may be significantly lower at a small business versus a larger corporation, it doesn’t minimize bad actor desirability. Finally, smaller companies are not regulated like larger companies. As a result, you may not hear their horror stories.
Q: Is cybersecurity awareness training a good idea for businesses?
Dufour: The new face of cybersecurity training isn’t about making users afraid of everything they access, but rather, empowering them to know how to recognize and avoid security threats when they arise. Users are the first line of defense and often also the weakest link in an attack. As security awareness becomes more commonplace at organizations, is there a new wave of fear clicking occurring, where employees are so afraid to click on emails that they refuse to click on legitimate content for fear of infecting their networks? Ongoing, relevant, and engaging cybersecurity awareness training – such as phishing simulations, when combined with courses on IT and security best practices, data protection, and compliance training – significantly reduces the risks businesses face due to user error and can also help navigate fear clicking.
Toohey: Whether or not remote working is here to stay, cybersecurity awareness training is vital for businesses to educate their workforce regarding the myriad of bad actors that are seeking to exploit the vulnerability of electronic communications. The days are gone (if in fact they ever did exist) when a business could rely on its information technology department to fend off threats from hackers. Today cybersecurity threats come from within the workforce when employees click on links in a phishing e-mail that can lead to malicious programs launching a destructive ransomware attack on businesses or sending a wire transfer to an unintended party. Training of personnel (which should include monitoring and testing through spoof destructive e-mails) is vital to prevent what could be a ruinous security breach that could cost hundreds or even millions of dollars in harm.
Finz: Security awareness training is a key component of an organization’s cyber readiness. A 2020 report by Baker Hostetler, a leading law firm in the area of data privacy, indicated that 38% of cyber incidents are precipitated by “phishing” of employee email, making it the leading method of attack upon an organization’s network. These attacks are becoming increasingly sophisticated, so it’s important to educate staff about how to identify phishing attempts and report them to those persons within the company who are responsible for information security.
Q: What is an example of an affordable and/or essential cybersecurity solution that businesses of all sizes need to implement?
Dufour: Organizations must devote attention and resources to backup technologies. This is the number one, affordable solution that will help protect against today’s most common threats. Backups are a two-part process: the actual backup and ensuring that data can be restored from the backup. Unfortunately, companies often overlook verifying this second part until they need the data, at which point it could be too late. Another essential (and a free one) is to always patch systems as soon as patches are available. This ensures your systems are protected against known exploits.
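The "second part" of the backup process described above, as an added example that is not the panel's or any named firm's code: the check takes a backup, restores it into a clean directory, and proves every file came back byte-for-byte against a SHA-256 manifest captured at backup time. The sample files, paths and function names are constructed for the illustration.

```python
"""Backup restore-verification check (added example, not the panel's own code).
Constructed sample: three files are backed up to a tar.gz, restored into a clean
directory, and compared against a SHA-256 manifest taken at backup time."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict:
    """Part one: archive every file and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest

def restore_archive(archive: Path, restore_dir: Path) -> None:
    """Unpack into a directory that must be empty, so stale files cannot mask a gap."""
    if restore_dir.exists() and any(restore_dir.iterdir()):
        raise ValueError(f"restore target is not empty: {restore_dir}")
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # safe-extraction filter
        except TypeError:  # Python versions without the 'filter' argument
            tar.extractall(restore_dir)

def compare_to_manifest(restore_dir: Path, manifest: dict) -> list:
    """Part two: report every manifest entry that is missing or altered after restore."""
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    return problems

def demo() -> tuple:
    """Run the check on constructed files, then damage the restored copy to show
    that the comparison catches both a corrupted and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "contract.txt").write_text("signed agreement v3\n")
        (src / "ledger.csv").write_text("date,amount\n2022-01-05,1200\n")
        (src / "notes.md").write_text("# quarterly notes\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        restore_dir = Path(tmp) / "restore"
        restore_archive(archive, restore_dir)
        clean = compare_to_manifest(restore_dir, manifest)   # expected: no problems
        (restore_dir / "ledger.csv").write_text("date,amount\n")  # simulate corruption
        (restore_dir / "notes.md").unlink()                       # simulate loss
        damaged = compare_to_manifest(restore_dir, manifest)
        return clean, damaged
```

Calling demo() returns an empty problem list for the intact restore and two findings for the damaged one; in practice the restore step would run on a schedule against the real backup set rather than on constructed files.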
Q: What is cybersecurity insurance and do we need it?
Toohey: If a business has valuable data (both personal information and proprietary data), it should seriously consider cybersecurity insurance. A cyberattack may be financially ruinous or even fatal to a business. Cybersecurity insurance protects a business against both first-party and third-party losses caused by a cybersecurity event (as defined in the policy). First-party losses are the costs a business itself must pay to remediate an event, such as restoring its systems. Third-party losses are costs a business must pay to a third party, such as a regulatory agency or customers for losses caused by a cyber event. Many newer cybersecurity policies protect against a wide variety of cyber events, including data breaches, ransomware attacks, fraudulent attacks designed to trick a business into sending payments to a hacker, and other emerging threats. Policies vary considerably so it is important to consult an experienced broker who can find a policy tailored to a company’s needs and exposure.
Dufour: Cybersecurity insurance is aimed at mitigating the impact of a ransomware attack. These insurance companies will assess the damage and loss to the environment, attempt to find decrypters that have been leaked, and in a worst-case scenario, will negotiate with malicious actors to lower the ransom in order to get the files back. Ransomware on the whole has caused losses in the cyber insurance industry because, unlike the majority of risks cyber insurers cover, ransomware attacks are both a high-impact and a high-probability risk. Cyber insurance companies are already aiming to reduce claims by mandating a cyber resilience posture as a condition of being insured, and at the very least, insurers should insist on two core elements of cybersecurity strategy before underwriting: endpoint and network-level security to guard against attacks, and mandated ongoing security awareness training for employees on data backup and security protocols.
Q: What is the best course of action for a company that is victimized by ransomware?
Vartanian: It is said, “An ounce of prevention is worth a pound of cure.” That applies here too, of course. It’s not just a matter of having the phone numbers of great teams who are geared to respond to major incidents, or even having an Incident Response Team on retainer, just in case. Preparing for a major incident, which ransomware can easily be, requires thoughtful activities including table-top exercises, diligent knowledge transfer, documentation of playbooks as well as developing adversary emulation drills. There are frameworks to choose from, such as Mitre’s RE&CT tool, for visualizing and observing the big picture. Ultimately, a company should engage in advance preparation to identify, contain, eradicate, recover and learn, NOT figuring it out in real time as the disaster unfolds.
Finz: The hours and days following a ransomware event are fraught with uncertainty, and companies should engage a professional known as a “threat consultant” to help them navigate the process. Think of the threat consultant as performing a role similar to that of a hostage negotiator, in the sense that they will first assess whether the threat can be terminated without resorting to the payment of ransom, and then, after other means have been exhausted, attempt to negotiate the lowest possible ransom payment. The threat consultant also maintains a digital currency wallet to facilitate such payments to the threat actor if necessary. A cyber insurer can refer policyholders to these and other professionals with experience advising companies around incident response.