Continuing with my interview with Carolyn Heinze:
CH- What are the key ingredients of a sound security preparedness strategy?
- BW – They are:
- Keep anti-malware software updated
- Watch for and report suspected email exploits
- Good password policy coupled with two-factor authentication when possible
- Create an environment of cybersecurity awareness through training and fun employee events.
CH- When we think of cyber security, the tendency is to consider breaches that come from the outside. What can organizations do to protect themselves from breaches that can potentially come from the inside––such as a disgruntled employee who takes revenge by launching a cyber-attack?
- BW – Nearly all breaches start inside if you include phishing exploits. Hardly anyone can make it through the perimeter. But insider (employee) attacks are on the increase. Good hiring practices should include a criminal background check in addition to the usual credit report and drug testing. Policy won’t prevent people from doing the wrong thing, but you need to have a computer use policy anyway, so they at least know there are rules. Some computers can be set up in the BIOS to prevent the use of USB devices, so if your business warrants it, you can lock out flash drives to prevent data exfiltration. When employees quit or are terminated, their network access needs to be suspended or revoked, and their user account suspended or deleted. You might not want to delete a user account until you have had a chance to check for unusual recent activity.
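The two offboarding checks described in that answer (confirm the departed employee's account is no longer being used, and review its recent activity before the account is deleted) can be run over authentication logs. The script below is an added example, not code from the interview or from WyzCo Group; the log line format (timestamp, user, event, source IP), the termination-date table and the sample log lines are all constructed for illustration, and the "work hours" window is an assumed 08:00 to 18:00.

```python
"""Offboarding check over constructed auth log lines.

1. post_termination_activity: any use of a terminated user's account after
   their last day means access was not actually revoked.
2. last_days_summary: what the account did in the days before departure
   (event counts, off-hours events, source IPs), the review BW recommends
   before the account is deleted.

Added example; log format and data are constructed, not from a real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed HR export: user -> last day of employment (constructed sample).
TERMINATED = {
    "jdoe": datetime(2024, 3, 15),
}

# Constructed sample log: "<ISO timestamp> <user> <event> <source ip>".
SAMPLE_LOG = """\
2024-03-13T09:02:11 jdoe login 10.0.0.21
2024-03-14T18:47:03 jdoe file_copy 10.0.0.21
2024-03-14T23:15:40 jdoe login 10.0.0.21
2024-03-14T23:20:02 jdoe file_copy 10.0.0.21
2024-03-15T08:55:19 jdoe login 10.0.0.21
2024-03-18T21:03:44 jdoe login 203.0.113.9
2024-03-18T21:05:10 jdoe file_copy 203.0.113.9
2024-03-18T09:00:00 asmith login 10.0.0.33
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, user, event, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "src": src}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def post_termination_activity(events, terminated):
    """Events where a terminated account was used after its last day.

    The cutoff is midnight after the last day, so activity on the last
    day itself is not flagged; anything later should be impossible if
    access was revoked on time.
    """
    hits = []
    for e in events:
        last_day = terminated.get(e["user"])
        if last_day is not None and e["ts"] >= last_day + timedelta(days=1):
            hits.append(e)
    return hits


def last_days_summary(events, user, last_day, days=7, work_hours=(8, 18)):
    """Summarise one user's activity in the `days` before their last day.

    Returns event counts, events outside `work_hours` (assumed 08:00-18:00)
    and the set of source IPs, as a starting point for the 'unusual recent
    activity' review before the account is deleted.
    """
    start = last_day - timedelta(days=days)
    end = last_day + timedelta(days=1)
    counts = defaultdict(int)
    off_hours = []
    sources = set()
    for e in events:
        if e["user"] != user or not (start <= e["ts"] < end):
            continue
        counts[e["event"]] += 1
        sources.add(e["src"])
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            off_hours.append(e)
    return {"counts": dict(counts), "off_hours": off_hours,
            "sources": sorted(sources)}


def report(log_text=SAMPLE_LOG, terminated=TERMINATED):
    """Run both checks and return the findings as a dict."""
    events = parse_log(log_text)
    findings = {"post_termination": post_termination_activity(events, terminated),
                "summaries": {}}
    for user, last_day in terminated.items():
        findings["summaries"][user] = last_days_summary(events, user, last_day)
    return findings


if __name__ == "__main__":
    r = report()
    for e in r["post_termination"]:
        print(f"ACCOUNT STILL ACTIVE: {e['user']} {e['event']} at {e['ts']} from {e['src']}")
    for user, s in r["summaries"].items():
        print(f"{user}: {s['counts']}, {len(s['off_hours'])} off-hours events, sources {s['sources']}")
```

In the constructed data the script flags two uses of jdoe's account three days after the last day, from an address never seen before, and the pre-departure summary shows three off-hours events including two file copies late on the evening before the last day. Neither finding proves wrongdoing, but both are exactly the kind of thing to look at before the account and its logs are discarded.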
CH – A word on the legal aspects/ramifications of a security breach: how can organizations protect themselves against lawsuits in the event of a breach? What needs to be considered before the fact so that they are covered?
- BW – Well, you can try cyber insurance, although the policies I’ve seen have so many out clauses and exceptions that they may be nearly worthless. Underwriters need more history with this product before it will become useful. If you are breached and a significant amount of client information was extracted, you can count on a class action suit. You need to be able to show that you were prepared and properly secured and not willfully or even casually negligent. You need to be able to show that you took reasonable care and made an effort to be secure.
CH – Where do businesses most commonly fall down when it comes to cyber security?
- BW – We are too small, too boring, too whatever, to be a target. If you have money in a bank account, any sort of personal identity information including employees, or intellectual property, you are a target. If you are a small vendor with network access to a large customer company, you may be targeted as an entry point to the customer company. “Who would be interested in us?” You might just be surprised with the answer.
CH – What steps should companies take once they’ve discovered that they’ve been the victims of a security breach?
- BW – Here’s a short list:
- Hope there is a recovery plan in place, but if not, the first item is to discover what happened. This means digging into logs. It probably means hiring outside cybersecurity professionals, especially if you are small and your IT department can’t handle it. From a legal perspective, showing that you cared enough to get the very best assistance will help you in the long run.
- Report it to the police, and the FBI Internet Crime Complaint Center.
- Resist the urge to erase the hard drive and reinstall – you need to protect the forensic evidence that exists in your server or computer. Buy a new box and hopefully you can do a bare metal restore from a recent backup.
- Contact your insurance company and attorney, but understand that this may not be their area of expertise. They should offer suggestions and guidance, but don’t let them control your response.
CH – On revealing to customers/suppliers/the public that you’ve been breached: when should this happen? How should organizations go about this? What are they legally bound to reveal?
- BW – Let’s answer the legal question first – laws vary by country and in the US by state. Here again a cybersecurity professional can guide you in this area. Your attorney will want you to reveal as little as possible and to accept no responsibility, but this is undoubtedly a bad strategy in the long run. Tell the truth, be open and forthright. If you are still figuring things out, say so. Release new information as it becomes available. Be straight with your customers and other stakeholders.
CH – On the Cybersecurity Information Sharing Act: what are your thoughts?
- BW – I’m not a fan of government regulation; it tends to stifle innovation and creative response under a pile of regulations. Anyway, the federal government’s skirts are not all that clean in this area; look at the Office of Personnel Management breach. I do think it would be a good idea to develop some sort of reporting clearinghouse for companies to share information about breaches and what they have done that has worked, and what hasn’t worked. I’m just not sure the government is the best place to centralize this information.
CH – What are the most common mistakes that companies make in reacting to security breaches?
- BW – Here are the worst.
- Trying to keep it a secret.
- Destroying evidence by being too quick to wipe the hard drive and restore from backup. The entire affected device needs to be saved.
- Not contacting the police – most have cybercrime personnel or even entire departments now. Anyway, you need to have a police report to protect your legal standing in the inevitable event of a lawsuit.
A word about tED: tED Magazine is the voice for distributors of electrical products in North America. From national chains to successful independents, tED is read by the top distribution companies in the industry. While targeted to the distributor salesperson, tED is also read by key executives and branch managers. The publication is known for addressing the tough issues within the channel.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com