Pratum Blog

Strengthen Your Cybersecurity Defenses

Does ransomware seem like it’s your problem yet? We have the tips to help you fight ransomware—but first you have to decide you’re ready to take some action.

Ransomware Steals the Headlines

Did ransomware get your attention when you heard about East Coast gas stations running dry after an attack led the Colonial Pipeline to shut down? How about when eager lawyers filed a class action lawsuit against Colonial, alleging that its inadequate cybersecurity measures harmed consumers?

Did ransomware send a shudder through your grocery budget when an attack shut down nine beef-packing plants at JBS, the world’s largest meat processing company?

Did it grab your interest when the average ransom payment more than doubled to $312,000 in 2020?

The message seems to be sinking in that it’s time to get serious with a plan to fight ransomware. A month after the Colonial Pipeline breach, two-thirds of organizations reported that they intend to take action to harden their defenses.

The Government to the Rescue (?)

The U.S. government is also stepping up its response. President Biden issued an executive order in May aimed at, among other actions, strengthening software security in federal agencies and creating a federal board to investigate major breaches. The administration says it intends to shift the focus from incident response to incident prevention.

Dozens of states are working on new regulations to step up cybersecurity across several industries. 

Biden will surely address Russia’s hacker-friendly climate when he meets with Russian President Putin in mid-June, as the JBS attack (like the Colonial Pipeline attack and multiple others) was almost immediately attributed to a criminal organization in Russia. But if you’re pinning your organization’s safety on the hope that Russia will crack down on hackers, you may also have a tendency to think vampires make excellent stewards of blood banks.

The fact is that the government can’t keep up. Hacking operations are well-run businesses employing some of the world’s best coders. They shift tactics constantly and engage in flexes like quoting your own cybersecurity policy back to you if you claim that you can’t afford the ransom they demand.

The creaky engines of legislation and even executive action can’t pivot as fast as the bad guys. And the vast web of overlapping and disconnected entities in state and federal government leaves gaping holes in cybersecurity efforts.

Take Control of Your Own Ransomware Strategy

So, while new regulations may put a dent in the ransomware wave, protecting our organizations relies on each of us leaders taking decisive action specific to our situations. If all the ransomware headlines have provided the wake-up call you need, here’s what you can start doing.

  • Patch your systems – A lot of IT leaders focus their angst on stopping zero-day threats. But digest this fact: One recent analysis showed that almost two-thirds of system vulnerabilities involve bugs that were identified two years ago. That literally means that the majority of your vulnerabilities are already solved if you just make the effort to use available patches. Hackers love to grab low-hanging fruit. Don’t let them find it on your system. Get a vulnerability scan and then address the gaps.
  • Use proper port settings – Leaving certain port settings open unnecessarily gives hackers an easy gate into your system. CIS Controls 9 and 12 offer information on some common settings to check.
  • Actively monitor your systems – If a bad actor does get a toehold in your system, spotting it immediately lets you shut down the breach before things get out of hand. IBM reports that it takes 280 days to identify the average breach. You can do a lot better. The latest defense is a Managed Detection and Response solution that constantly monitors activity, uses artificial intelligence to recognize multiple different acts as a brewing attack and actively steps in to shut down suspicious activity.
  • Segment your systems – By effectively isolating/air-gapping various parts of your system, you limit how far hackers can get if they penetrate one part of the network.
  • Limit each user’s access – Similar to the previous point, implementing a policy of least-privileged access and Identity and Access Management means you keep hackers from getting into your entire system if they compromise one user’s credentials.
  • Have a robust backup strategy – Even if ransomware locks up your data, an effective backup of your data lets you quickly restore operations. Test the backup often to ensure it’s doing its job.
  • Plan ahead – A detailed incident response plan helps everyone know what to do to limit the damage when you come under attack. Breach costs are 38% lower for companies that have an IR plan in place before the breach.
  • Train your team—and keep training them – Malware frequently gets onto a system when a user clicks a bogus e-mail link or falls for social engineering via text messages. Engaging every member of your team in cybersecurity, and in how it keeps the business running, will provide one of the best defenses. Provide regular training on the latest tricks in phishing and other social engineering tactics.
  • Get an outside opinion – An IT risk assessment, vulnerability scan and penetration testing all provide essential checks on your current cybersecurity posture and point to critical remediations you need to make. Contact Pratum to find out how we can help get you ready to stop ransomware attacks before they strike.
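The “patch your systems” point above rests on a simple measurement: how much of your open exposure already has a fix that has been sitting unapplied for years. The script below is an added example (not Pratum’s code, and not any scanner’s real output format) that makes that measurement over constructed scan findings with placeholder CVE ids, then orders remediation so long-available patches for severe issues come first and unpatched items with no vendor fix go to the end, where compensating controls such as segmentation and monitoring apply instead.

```python
"""Patch-age triage for vulnerability-scan findings.

Added example, not Pratum's code. Hosts, dates and CVE ids below are
constructed placeholders, not real scan data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                      # placeholder ids, not real CVE numbers
    cvss: float                   # base score, 0.0 to 10.0
    fix_released: Optional[date]  # None: no vendor patch exists yet
    patched: bool                 # True when the scanner saw the fix applied


# Constructed sample scan results (not real data).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2018, 3, 14), False),
    Finding("web-01", "CVE-0000-0002", 7.5, date(2019, 1, 15), False),
    Finding("db-01", "CVE-0000-0003", 8.1, date(2019, 3, 30), False),
    Finding("db-01", "CVE-0000-0004", 5.3, date(2021, 4, 1), False),
    Finding("fs-01", "CVE-0000-0005", 9.1, None, False),  # no patch yet
    Finding("fs-01", "CVE-0000-0006", 6.5, date(2017, 1, 9), True),
    Finding("mail-01", "CVE-0000-0007", 7.2, date(2016, 8, 2), False),
]

# Fixed "today" so the constructed example is reproducible.
AS_OF = date(2021, 6, 15)


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Findings the scanner still sees as unpatched."""
    return [f for f in findings if not f.patched]


def stale_fraction(findings: List[Finding], today: date, years: int = 2) -> float:
    """Share of open findings whose fix has been available for `years` or more."""
    open_ = open_findings(findings)
    if not open_:
        return 0.0
    cutoff = today - timedelta(days=365 * years)  # approximate, ignores leap days
    stale = [f for f in open_
             if f.fix_released is not None and f.fix_released <= cutoff]
    return len(stale) / len(open_)


def remediation_order(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings sorted: patch available first, oldest fix first, then highest CVSS.

    Items with no patch sort last; they need compensating controls
    (segmentation, monitoring) rather than a patch run.
    """
    def key(f: Finding):
        has_fix = f.fix_released is not None
        age_days = (today - f.fix_released).days if has_fix else -1
        return (not has_fix, -age_days, -f.cvss)
    return sorted(open_findings(findings), key=key)


if __name__ == "__main__":
    share = stale_fraction(SAMPLE_FINDINGS, AS_OF)
    print(f"open findings with a fix >= 2 years old: {share:.0%}")
    for f in remediation_order(SAMPLE_FINDINGS, AS_OF):
        fix = f.fix_released.isoformat() if f.fix_released else "no patch"
        print(f"{f.host:8} {f.cve} cvss={f.cvss} fix={fix}")
```

Run against your own scanner export by mapping its columns onto `Finding`; the useful output is the ordered list, which turns “patch everything” into a work queue where the first items are the ones an attacker scanning for low-hanging fruit would find first.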

Cybersecurity for Small Businesses

The biggest cybersecurity risk for small businesses comes from within your own team, one expert told a recent cybersecurity summit. “It’s optimism bias,” says John Hoyt, deputy director of information security at Clemson University. “They think it’s going to happen to somebody else.”

To provide cybersecurity tips for small businesses who are ready to take ownership of their risks, Clemson recently hosted the South Carolina Small Business Cybersecurity Summit. Pratum attended the virtual event, which featured several panels full of experts from the Department of Homeland Security, the U.S. Small Business Administration and The New York Times’ cybersecurity beat.

The highlights reported below revolve around two key takeaways shared by these thought leaders:

  • Every business will be targeted.
  • Following basic cybersecurity hygiene policies can make small businesses vastly less susceptible to breaches without incurring crippling expenses.

“It feels like the U.S. is under siege.”

Nicole Perlroth, Cybersecurity Reporter, The New York Times

Journalist Perlroth, author of This is How They Tell Me The World Ends: The Cyberweapons Arms Race, provided insights about the headline-grabbing attacks that affected SolarWinds, Microsoft Exchange Server and the Colonial Pipeline. All of these high-profile breaches, Perlroth said, are evidence of concerted, state-sponsored (or at least state-sanctioned) efforts to compromise systems throughout the U.S.

“In the Ukraine, the security community told me that they see what’s happening there as a dry run,” she said. “When they look at the forensics, they see that Russia is running trials to see which capability works best. The U.S. is the end target, and it’s going to be a lot worse here because everything is digitized. We just keep plugging things in.”

Despite this grim warning, Perlroth remains optimistic—if organizations take the threat seriously and implement basic policies that make a big difference. Her tips for small businesses involve two first steps:

1. Identify your “crown jewels.” What is the one thing that would devastate your business if it were locked up by cyber criminals via ransomware or other breaches? Develop a plan that protects that data via tools such as segmenting networks and creating backups.

2. Create a basic cybersecurity hygiene plan. “If you implement tools like multifactor authentication and train your employees in cybersecurity,” Perlroth says, “you’ll be in a far better position than about 80% of the other potential targets out there.”

Bolstering her argument with the latest headlines, Perlroth noted that when the Colonial Pipeline was breached in May 2021, it did not have an incident response plan in place and still hadn’t patched the Microsoft Exchange Server breach identified two months earlier. If those fundamentals had been in place, the eastern U.S. may have avoided a massive interruption in its fuel supply.

“Don’t be the weakest antelope on the plain.”

David Trzcinski, Acting Chief Information Security Officer, U.S. Small Business Administration

Trzcinski noted that hackers rarely go after a specific small business with ransomware or phishing attacks. Hackers run a numbers game in which they scan for vulnerabilities across thousands of networks. When they find an opening, they pounce.

“Lions and tigers seek out the weakest antelope on the plain,” Hoyt said. “Sometimes the answer is simply not being the slowest, weakest antelope. If you implement protections like multifactor authentication (MFA), that’s a deterrent, and the attackers usually move on to someone else.”

Thanks to developments in the software as a service (SaaS) sector over the last decade, most cybersecurity solutions are far more affordable today. In the past, every small business would need a software developer to help them roll out something like MFA. “You no longer have that challenge for endpoint protection and other tools,” Trzcinski says. “You don’t have to build and maintain the infrastructure like you once did.”

Trzcinski’s tip is for every organization to evaluate its anticipated reaction to its five most likely breach scenarios, commonly known as tabletop exercises. “Just buy your IT team pizza on a Friday afternoon and work through various situations,” he said.

Trzcinski says the exercise will help the team come up with specific answers such as where key data is backed up and how long it would take to access it. Working out those details could turn a breach that may have killed your company into a disruption that you can recover from quickly.

“Cybersecurity begins with the users.”

Ken Bible, Chief Information Security Officer, U.S. Department of Homeland Security

Bible said, “There’s a tendency to think the problem is so big that you can’t do anything, but good cybersecurity basics make a difference.” He offered these tips as first steps for small businesses:

1. Maintain an offline, encrypted backup of your key data and check it often.

2. Make a basic incident response plan and emergency communications plan. Write down how you will respond in various scenarios and who on your teams needs to be notified in each situation.

3. Regularly patch and update all of your software. “I can’t hammer that one enough,” Bible said. “Make it hard for the adversary.”

4. Maintain a network diagram that shows the flow of information throughout your organization. “If responders have to spend time trying to figure out where things are, that’s precious time you’re wasting,” he says.
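“Check it often” in the first step above, like “test the backup often” in the ransomware checklist earlier on this page, means proving a restore works, not just confirming the backup job ran. The script below is an added example, not code from Pratum or the summit speakers: it records a SHA-256 manifest when the backup is taken, keeps the manifest apart from the backup, then performs a trial restore into a scratch directory and re-hashes every file against the manifest, reporting anything missing, altered or unexpected. Encryption of the backup itself is left to the backup tool and is not implemented here; the sample files are constructed inline so the check runs offline.

```python
"""Restore test for a file backup against a SHA-256 manifest.

Added example, not Pratum's code. Sample files are constructed inline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file path (relative to root, '/' separators) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(backup: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore the backup into a scratch directory and compare it with the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup, restored)  # the actual restore step
        found = build_manifest(restored)
        for rel, expected in manifest.items():
            if rel not in found:
                problems.append(f"missing: {rel}")
            elif found[rel] != expected:
                problems.append(f"mismatch: {rel}")
        for rel in found:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def run_demo(tamper: bool) -> List[str]:
    """Constructed end-to-end run: take a backup, optionally corrupt it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        (live / "config.ini").write_text("[app]\nmode=prod\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)          # the backup job
        manifest = build_manifest(live)        # taken at backup time...
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))  # ...and stored apart

        if tamper:  # simulate silent corruption of the backup copy
            (backup / "db" / "customers.csv").write_text("id,name\n1,Ada\n")

        return verify_restore(backup, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print("clean backup:", run_demo(tamper=False) or "restore test passed")
    print("corrupted backup:", run_demo(tamper=True))
```

The manifest is the point of the exercise: a backup that exists but cannot be proven to match what was protected is exactly the kind of “we have backups” assumption that fails on the day ransomware hits, so schedule the restore test, not only the backup.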

Bible also emphasized the importance of creating a cybersecurity culture that runs from the top executives down. He pointed to “smishing,” bogus text messages with links that can be used as pivots into larger systems, as a key area to emphasize in training right now.

“If you can tap into an ISAC for your sector, that’s invaluable.”

John Hoyt, Deputy Director of Information Security, Clemson University

Hoyt recommends looking up the Information Sharing and Analysis Center (ISAC) specific to your sector. The 25 ISACs across the country are organized through the National Council of ISACs to provide sector-specific threat and mitigation information for their member organizations. “You can find out about security threats targeting your sector,” Hoyt says. “That’s so important to share the latest information with each other.” (This recent Pratum blog recommends additional sources to follow for current threat information.)

Every day, Pratum helps organizations of all sizes implement these best practices and more. Contact us to find out how these tools can help protect your organization.

How Will New Cybersecurity Laws Affect Your Organization

The government keeps making it harder for business leaders to kick the cybersecurity can any further down the road. Another round of new cybersecurity laws affecting the insurance industry, for example, continues the trend of state and federal bodies giving businesses not-so-gentle pushes to get their data policies in order.

So far in 2021, three more states have passed laws that step up cybersecurity requirements in the insurance industry, bringing the total to at least 14 states that have implemented laws based on a model drafted by the National Association of Insurance Commissioners. In the spring of 2021, Iowa passed a new cybersecurity law to go alongside new laws in Maine and North Dakota. Several other states have pending legislation based on NAIC’s model.

New Rules Will Keep Coming

Most of the recently passed laws start taking effect in early 2022, with some aspects delayed until 2023. The U.S. Treasury Department has asked all states to pass laws based on NAIC’s model by 2025. After that, it’s likely that the U.S. Congress would pursue legislation to close any remaining gaps at the state level. In 2021, 44 states introduced or considered more than 250 bills and resolutions dealing with cybersecurity.

Meanwhile, President Biden signed an executive order in May 2021 that steps up the federal government’s cybersecurity game by strengthening standards for government systems, requiring better security measures from software developers and creating an incident review board that will investigate major breaches in an effort to prevent future problems.

And the Defense Department is currently rolling out its new CMMC standard, which requires 300,000 companies at all levels of the DoD supply chain to get third-party certification that their cybersecurity policies are up to par.

Breaches Drive Action

All this government action to harden information security defenses points to a quickly dying “it won’t happen to us” mentality. The last six months have produced headline-grabbing demonstrations of America’s gaping cyber holes as seen in breaches of SolarWinds and Microsoft Exchange Server and the ransomware attack that shut down the Colonial Pipeline.

Perhaps the strongest indication that both government and businesses are getting serious about cybersecurity is the bipartisan support regularly seen for the new laws. Iowa’s new insurance law, for example, passed during its first legislative session with a total vote of 137-0 in the House and Senate before being signed into law by Republican Gov. Kim Reynolds.

Michael Daniel, President/CEO of the Cyber Threat Alliance, told the Washington Post in 2020, “Most of cybersecurity is a nonpartisan issue. It’s one of the few things that’s true of in Washington.” 

The challenge with any of these laws, of course, is that they deal with a rapidly shifting tech landscape. That means private organizations must continue to actively drive their own security policies rather than count on compliance with dated regulations to keep them safe.

A National Model for New Laws

NAIC saw the problem growing back in 2016 and decided to push for change in the wake of major insurance-industry breaches that compromised the personal information of millions of consumers. After seeking input from insurance regulators, consumer representatives and the insurance industry, NAIC released its model regulation.

These NAIC-inspired laws typically apply to any organization licensed by the state department of insurance, including insurers and insurance agents. If your state has passed legislation based on the model law, read the details. Several states have modified the template in important ways. For example, in various states the required deadline for notifying the state of a breach is 72 hours, three business days or 10 days.

What’s in the New Insurance Regulations

Note that most of these laws exempt smaller companies from the requirements. Iowa, for example, exempts companies with fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.

Under Iowa’s new law, all other organizations licensed by the insurance commissioner must:

  • Conduct regular risk assessments – The assessment must identify “reasonably foreseeable” threats, identify the potential damage from those threats and determine whether sufficient safeguards are in place to prevent the threats. The risk assessment must include a review of employee training and management.
  • Develop a comprehensive, written information security program – As part of this requirement, organizations must designate a specific person responsible for managing this program. (Pratum’s vCISO service can help provide the oversight your organization needs to manage your requirements under these laws.) The information security policy must use appropriate access control measures to protect data (such as multifactor authentication), use secure software development methods and regularly monitor systems to reveal intrusions.
  • Report and investigate breaches – The law is concerned with any event that results in unauthorized access to nonpublic information about a customer such as social security number, driver’s license number or account numbers. In the Iowa law, organizations must notify the commissioner of a confirmed breach within three business days of confirming the event. In some circumstances, the organization may be required to notify consumers of the breach as well.
  • Develop a written incident response plan – The incident response plan must provide details on how the organization will deal with a breach, including information on how it will restore operations and appropriately communicate about the breach both internally and externally.
  • Submit annual cybersecurity reports to the insurance commissioner – The report will verify compliance with the law’s provisions. The commissioner can inspect all records related to the cybersecurity policies at their discretion.
  • File for exemption under HIPAA or Gramm-Leach-Bliley Act – Organizations that are subject to and in compliance with either of these acts can file for an exemption from the requirements of Iowa’s law. Pay particular attention to this provision in your state’s law, as it is not part of the NAIC model.

Clearly, the regulatory landscape for cybersecurity is changing by the month. For help in understanding how new laws affect your organization—and what requirements are on the near horizon—contact Pratum today.
