2024 Cybersecurity Insights from Kim Klinsport, Kamran Salour and Gene Yoo for Los Angeles SoCal Business

Kim Klinsport of Foley & Lardner LLP; Kamran Salour of Lewis Brisbois Bisgaard & Smith LLP; and Gene Yoo of Resecurity

This business advisory panel is produced by the L.A. Times B2B Publishing team in conjunction with Foley & Lardner LLP; Lewis Brisbois Bisgaard & Smith LLP; and Resecurity.

Corporate cybersecurity breaches continue to escalate, and the threats (and fines) are growing as we become increasingly reliant on cloud-based computing and other online innovations. With hundreds of thousands more employees working from home and with devices containing sensitive data leaving offices and entering homes at an exponential rate, those concerns have exponentially increased.

While tools to prevent breach incidents have become more sophisticated, so have the methods of hackers and cybercriminals. What actions can business owners take to protect their private data and that of their customers and employees? How can C-suiters and IT teams sleep better at night when there are so many mounting threats to our digital security?

The Los Angeles Times B2B Publishing team turned to three uniquely knowledgeable cybersecurity experts for their thoughts and insights about the threats businesses face in today’s digital world and what executives can do to safeguard the privacy of their organizations, employees, customers and other stakeholders.

Q: Are cybersecurity threats increasing in 2024? Why or why not?

Gene Yoo, CEO, Resecurity: Cybercrime will increase in 2024 since the existing mature and well-known threats will remain effective, and threat actors will leverage and target new technologies such as AI in 2024. AI is a technology with great potential value for companies and individuals. However, it also introduces a unique set of risks that must be evaluated and appropriately mitigated. As AI will provide value to companies, it will also offer value to cybercriminals conducting attacks. For example, NextGen Phishing. Cybercriminals use their R&D time and budget to target AI platforms, models and users. There are also mature and well-known threats that will continue in 2024. For example: Threat actors targeting software developers; extortion – ransomware; breaches via the supply chain; cybercrime-as-a-service; and threat actors are targeting and using cloud infrastructure.

Q: Are some industries hit harder than others by data breaches? If so, which industries?

Kim Klinsport, Partner, Office Managing Partner Los Angeles, Foley & Lardner LLP: Certain industries are generally targeted more than others because of the kind of personal information that they process – e.g., financial services or healthcare. Or because of the type of impact a breach may have – e.g., critical infrastructure or system controls like power plants, water treatment plants or food manufacturing. The difference is the bad actor’s motive: whether it be for the sake of potential profit by selling personal information on the dark web, to conduct an attack or seek information on another country, or for the sake of disruption alone.

Q: Do you think it is important for organizations to have an incident response plan? If so, what should it include?

Kamran Salour, Co-Chair, Data Privacy & Cybersecurity Practice, Lewis Brisbois Bisgaard & Smith LLP: A plan is important. Many organizations, however, have incident response plans that are too detailed and contain too many steps, rendering them impractical. An incident response plan should be readily actionable. Substantively, an incident response plan should identify: (i) how the organization defines an incident; (ii) how it detects an incident; (iii) how to contain an incident; and (iv) when a detected incident should be escalated to the incident response team. Procedurally, the incident response plan should identify the members of the incident response team (including insurance broker, carrier, legal counsel) and their respective roles/responsibilities. And don’t forget it must also explain ways to communicate with the team and employees using non-work emails or cell numbers and to have off-network access to the details of the incident response plan in case the network is down.

Q: How has the cybersecurity landscape changed in the last few years?

Yoo: Businesses must adopt the latest cybersecurity technologies and practices to safeguard their digital assets and operations, especially given their various challenges. The cybercrime ecosystem has evolved and matured, providing attackers with easy access to various services, enabling them to conduct attacks with minimal effort and cost, and making it easier to monetize their attacks. The current economic situation has forced many industries, including IT and cybersecurity, to cut budgets and reduce staff. This financial strain has made it challenging for organizations to invest in essential security measures and technologies. Unfortunately, this challenge is further exacerbated by the increased risk of a company being impacted by a cybersecurity event during a recession.

Q: What’s your advice for companies that are analyzing their current cybersecurity measures?

Salour: I offer three pieces of advice. First, companies should utilize third-party cybersecurity experts to help identify cybersecurity gaps and identify and prioritize the company’s cybersecurity needs. Second, companies should understand that cybersecurity is not static; cybersecurity needs and decisions will change, thus cybersecurity should be evaluated periodically. Third, companies should make cybersecurity decisions collaboratively. The IT/security team should work with the business team to implement cybersecurity measures. Although a difficult balance to achieve, cybersecurity measures must advance business operations, not hinder them.

Q: Do mobile devices present security risks?

Klinsport: Yes. First, mobile devices are still IoT devices at some level without physical controls, and so they are susceptible to probing and other analysis in the hands of the threat actors. However, mostly the threat actor in that case is looking for some personal gain, like access to protected content from their streaming service or access to security tokens that provide access to credit cards or other financial data. The bigger threat from mobile devices for businesses still comes from the lack of physical control over company data accessed or stored in mobile devices. If a laptop gets stolen, the data stored on it may be accessed by the thief. And employees and other insiders could copy data accessed by mobile phones or laptops. However, most of this is mitigated through the use of mobile device management software.

Q: Are certain cyber threats unique to small businesses versus larger businesses?

Yoo: Many large companies have improved their security measures to protect themselves against cyber threats. However, small businesses are more vulnerable and frequently targeted by sophisticated attackers. Unfortunately, most small businesses lack the expertise to defend against these threats successfully. As a result, they often believe that running antivirus software is enough to protect them from cyber-attacks, which is not valid. In addition, small businesses have become a popular target for attackers because they are often linked to a larger supply chain, which is the primary target of the attacker.

Klinsport: Most smaller businesses simply don’t have the resources that bigger businesses have to adequately defend against the threats that they face. These can result in not patching systems or having end-of-life firewalls in place. In our practice, many of them don’t believe that they are processing personal information, but they are under the broader definition we are seeing in many of the new state laws, such as the California Consumer Privacy Act. And the threats are not just against personal operation – many organizations, big and small, do not take into account the value of their intellectual property or the impact that a cyberattack may have on business operations. And when they get hit, smaller businesses are much less likely to have an incident response plan or have the resources to recover from the attack.

Q: What are the main barriers and challenges businesses face when addressing cybersecurity?

Salour: The biggest challenges businesses face when addressing cybersecurity are mindset challenges and implementation challenges. From a mindset standpoint, certain businesses still view cybersecurity as an obligation independent of the businesses’ needs. This creates a disconnect between cybersecurity and business operations, making it more likely that the businesses’ cybersecurity protections are inadequate. This disconnect can also sow seeds of distrust between the business and the cybersecurity department. From an implementation perspective, let’s face it, adequate investment in cybersecurity can be expensive. Many businesses want to improve their cybersecurity infrastructure but simply cannot afford to do so. That said, inadequate investment has far more far-reaching consequences in the event of a cybersecurity incident.

Yoo: Organizations often overlook cybersecurity and fraud threats while launching a new product or service, making them vulnerable to exploitation by threat actors. To prevent this, organizations must plan for monitoring and operational mitigations during the product design and initial development phases instead of considering it an afterthought. Despite having the highest recorded level of participants in the cybersecurity workforce, there still needs to be a significant gap in the number of skilled professionals required to defend organizations effectively. The demand for cybersecurity professionals with the right skills is increasing, but hiring and retaining such qualified employees remains a significant challenge.

Q: What role do you think AI will play in terms of the cybersecurity landscape moving forward?

Klinsport: AI will play a significant role in cybersecurity threats – both on the protection side and on the attack side of the equation. There are already cybersecurity products that use AI to protect against internal and external threats. But now we are seeing the power of generative AI available for threat actors to analyze target systems for vulnerabilities and develop exploits. In addition, we are seeing the threat actors launch AI-based attacks against individuals – imagine a phone call from an AI-generated “family member” who needs money that sounds exactly like your family member because they’ve trained it on voice clips from around the internet or from an AI-generated “Sally, from account services” that now interacts with you in real-time and is indistinguishable from a real person to obtain your credit card information.

Yoo: AI is set to revolutionize the field of cybersecurity by serving as a powerful tool for defense. Its ability to automate tasks and enhance detection and prediction capabilities makes it an asset for defenders. However, threat actors are also harnessing the power of AI to automate and improve their attacks. They target AI models, platforms, users, and training and production data. New security considerations must be implemented to safeguard AI systems from this rapidly evolving threat.

Q: What are some key considerations when purchasing cyber liability and crime insurance?

Salour: Two considerations come to mind. The first consideration is cost, which is always front of mind. But it is important to evaluate cost in the context of the business impact. If a company has a policy with a $25,000 deductible, it likely means that the company will pay most or all of its incident response costs out-of-pocket. Similarly, a policy with a $10,000 limit for ransom payments is usually insufficient to cover the entire ransom demand. The second consideration is the preferred vendors chosen by the cyber carrier. If there is a specific law firm or forensic firm that the company wants to use, the company should validate that they are on the cyber carrier’s vendor panel. And if not, the company should obtain the requisite approvals that it can use off-panel vendors before an incident occurs.

Q: What are some of the biggest mistakes companies make when attempting to protect themselves from breaches?

Yoo: Many companies rely on outdated security measures and technologies, such as solely relying on anti-virus software to protect their systems from being breached. However, anti-virus software is a legacy technology, and while it does offer some level of protection, it could be more effective at defending a company from being breached. According to Resecurity’s analysis of botnet logs, over 95% of PCs infected with malware were running anti-virus software at the time of the infection. Even months after infection, over 80% of the infected PCs remained compromised despite the presence of anti-virus software.

Klinsport: Two of the biggest mistakes companies make when attempting to protect themselves from breaches are: (1) not practicing their incident response plan and (2) not adequately training employees. Companies should put their incident response plan to the test through a tabletop exercise to make sure that everyone who has a role in the incident response plan knows exactly what to do in the event of a breach or other cybersecurity incident. In addition, companies need to take the time to make sure that their employees are well-trained as to how to spot phishing attempts and avoid creating cybersecurity vulnerabilities. Companies should make sure that employees have resources to help them understand cybersecurity risks and best practices not only because it could help prevent an incident from happening in the first place but also because there are a variety of laws that require it.

Salour: In my experience, there are several mindset mistakes that companies make. For example, some companies believe they are too small to be a target of a cyber-attack and, therefore, do not invest in cybersecurity. Other companies outsource network security and blindly assume that the third-party network security company is both infallible and immune to its own cyber-attack. Still, some companies focus exclusively on preventing an attack while missing out on opportunities to minimize the impact of an attack. This sets the company up for a difficult and complex mitigation effort; a cyber-attack is inevitable, and the company is ill-prepared when an attack occurs.

Q: How serious a problem is hardware hacking?

Klinsport: Hardware hacking is the ultimate “final frontier” in hacking. Simply put, having access to the hardware allows you to monitor and probe information that is not normally accessible, and that can lead to the discovery of vulnerabilities that can be exploited remotely. But it’s mitigated with physical security – most critical hardware used by businesses is protected by physical security measures, like in locked data rooms. But with the rise of IoT devices, a lot more hardware devices are easily accessed by threat actors. Imagine a connected thermostat that communicates with a local utility company so that the utility company can adjust temperature settings on high-use days. If the threat actor can discover a vulnerability there, then they could issue commands to other similar devices to keep the temperature really warm (which could affect the health of at-risk people) or go into overdrive to overload the grid.

Q: What’s the most dangerous cyber threat that you think businesses will have to deal with in 2024?

Yoo: The most dangerous cyber threat in 2024 is predicted to be AI. Companies implementing AI need to properly plan or address how attackers will target their AI systems and related processes. Additionally, defenders and security companies must be adequately prepared for how threat actors will benefit from AI, how they will target a company’s AI system, and what parts of their supply chain will use AI that threat actors can target.

Q: What is the best course of action for a company that is victimized by ransomware?

Salour: The simple and admittedly self-serving answer is to call me. Beyond that, the company should compartmentalize its response into two distinct, yet parallel paths, business and legal. From a business perspective, it is essential to: (i) stop the spread of the ransomware by disconnecting Internet access to the servers and workstations; (ii) collect forensic evidence (images and logs) of the impacted servers and workstations; and (iii) remediate the threat (make sure it no longer exists) before reconnecting the impacted servers and workstations to the network. From a legal perspective, engage a cybersecurity attorney (I’m one – hint, hint). That attorney can help manage communications with employees and customers about the attack and determine the company’s contractual, regulatory and statutory notification obligations.

Q: As a trusted advisor to businesses, what are some of the key pieces of advice you share with clients in terms of protecting themselves against cyber threats?

Klinsport: Our best piece of advice: Be prepared. We advise and help our clients develop comprehensive incident response plans, test out those plans through tabletop exercises and train employees. When something does go wrong or a client experiences a cybersecurity incident, we work with them to make sure that they are complying with all of the applicable laws in reporting the incident, notifying affected individuals and doing what we can to help minimize any exposure or further damage. A cybersecurity incident is a complex and very scary thing to experience, and we pride ourselves on being able to move quickly to help our clients protect their customers, businesses and intellectual property.

Salour: To adequately protect a business against cyber threats, the business cannot have a singular focus on “preventing” an attack. An attack is inevitable. Of course, a business should take steps to reduce the likelihood of an attack. But an equal focus should be on minimizing the impact of an attack, so if a threat actor does access the environment, the threat actor’s impact is limited. How? Implement appropriate access controls. Limit the amount of data stored, know where data is stored and encrypt sensitive data. Establish backups off-site and take steps to make sure that the backups are actually backing up. A layered approach makes it harder for the threat actor to access the environment and move around it after access, which together means the company has a better chance of success against cyber-attacks.

What Businesses Need to Know About Cybersecurity in 2024

Lilit Davtyan, Grayson Milbourne and Chant Vartanian Share What Businesses Need to Know About Cybersecurity in 2023