Pratum Blog

Woman working from home on laptop

In the spring of 2020, IT teams had a matter of days to retool their environments to handle entire staffs working from home. Under normal circumstances, that shift would’ve been rolled out meticulously over years. What security lessons have we learned in the two years of this great experiment? In this recap, we check in on lessons learned about the human and cybersecurity implications of scattering data and workers to any location with a solid internet connection.

Security Upgrades Move to the Front

The work-from-home revolution work introduced a host of new data security threats overnight. Employees working remotely log in through unknown WiFi connections, including vulnerable public networks in places like coffee shops. Data moves off corporate servers and into cloud settings. Personal vigilance wanes without the peer pressure of nearby co-workers.

All this gave many IT leaders the motivation (and executive support) to step up security programs during the pandemic. A December 2021 survey from software company MalwareBytes showed that 74% of IT decision makers had implemented new security tools since the spring of 2020, and 71% had implemented new cybersecurity training. As a result, 56% of IT leaders say their environment is slightly or significantly more secure than before the shift to work-from-home. If your security posture looks basically the same as it did in January of 2020, you’re probably leaving a lot of doors open to attackers.

Threats from People You Trust

Even if your team rose to the security challenge, your larger data ecosystem could still pose a problem. Jim Pray, chief technology officer at the Iowa law firm BrownWinick, says many of the cyber attacks his office saw during Covid came in through clients’ systems.

“We saw a big influx of our clients being hit because they weren’t prepared to go to work-from-home. They were getting Office 365 phishing hits, and then the hackers were trying to phish us by using the client accounts,” Pray says.

He’s describing a type of business email compromise scam, a category of cyber crime that exploded over the last two years. In these attacks, hackers take over someone’s email account and pose as a trusted partner. Many of the schemes have fooled workers into sending hundreds of thousands of dollars to fraudulent accounts. And people working from home make easier targets. In the past, an employee may have walked down the hall to confirm a message from a colleague. If that person is working at home, they may just click the link to speed things up.

User Experience Gets Its Due

These attacks illustrate a core fact of cybersecurity: Most cyberattacks start with a social engineering fail, such as an end user opening a malicious email attachment or unknowingly giving their login credentials to a hackers’ site. That means every cybersecurity program rests on enlisting every employee as a frontline defender.

But remote work and the pandemic have heavily eroded users’ cyber wariness. Working off-site can introduce distractions that chip away at anybody’s vigilance over things like fishy-looking emails. Security experts regularly discuss how to overcome the “fear fatigue” that has maxxed out the number of things we can worry about at any given moment.

Pratum vCISO Ben Hall urges open conversations about these challenges. “Encourage people to speak to managers about the issues they’re having, whether that’s having trouble accessing things remotely or just feeling like they’re being watched all the time,” Hall says.

Hall points to “shadow IT” as one big issue. Even if you don’t know the term, you know the situation: Numerous security safeguards make your company’s official technology tools a pain to use. So you just put a file on Google Docs and send the link to your co-workers. Hall says companies must face this reality and either make the official tools easier to use or embrace the shadow tools and make them more secure. “If employees are going to keep using Google Drive, consider a business subscription so you can apply some controls around what’s there and how it’s stored,” he says.

“Make it easier while maintaining security,” Hall adds. “Encourage everyone to be vocal and polite to work on the solution together."

Empowered Users Replace Punished Users

The best security cultures have learned to stop referring to employees as security vulnerabilities (a common IT attitude) and start viewing them as security assets. That’s not just a matter of semantics.

Many employees see phishing tests “as a gotcha,” BrownWinick’s Pray says. That’s understandable considering that some companies have posted lists of employees who fail the test or threatened to fire anyone who fails three tests.

That’s sending the wrong message, Pray says. “We want them to know that we don’t want them to click the tests. We want them not to click the test.” Instead of taking a punitive attitude toward those who fail the test, identify ways to improve their performance next time. “If a lot of employees fail a phishing test, I have to see that as a failure on my part, not the employees’,” Pray says. “So we’ve ramped up our training.”

Key Best Practices

If you’re looking for simple ways to gauge your IT program’s security maturity, check how you’re handling these basic policies:

  • Multifactor authentication – No security move offers a bigger payoff than implementing multifactor authentication (MFA). MFA may seem like a hassle, but it works so well that the market is essentially penalizing those who aren’t using it. For example, Pratum’s Hall says, “If you’re don’t have MFA in place and you’re looking at cyber insurance, you either won’t get it or won’t get an acceptable premium amount.”
  • Live human communication – Old-fashioned MFA should remain part of your arsenal. Hackers have proven that they can infiltrate email accounts and pose as an executive or a client asking for a payment that goes to a fraudulent account. Teach your employees that if something seems iffy, they should pick up the phone and confirm with the email’s sender that the message is legit.
  • Limited access – Many companies give too many users too much access to the environment. IT teams may be tempted, for example, to give end users administrator rights on their computers to reduce the number of service calls IT gets. But that could let employees install risky software. And if an employee has a lot of network access, a hacker who gets their credentials can go anywhere the real user can. The right approach is least-privileged access, which limits everyone’s access to no more than the files they need to do their jobs.
  • Virtual Private Networks – A VPN lets employees securely log into a company network from anywhere. The issue is that with data increasingly residing in cloud settings such as Microsoft OneDrive, employees may not log into the VPN very often. That’s a problem because critical software updates are typically pushed to end users’ machines when they log into the VPN. That means companies should consider requiring everyone to log into the VPN on a regular basis.

Pratum’s Hall encourages leaders to embrace the inevitably of a changing workforce and find ways to handle it successfully. “We have to control it without being controlling,” he says. “It seems like a hybrid model is going to be a popular one. Encourage your staff to do whatever they need to do their work.”

For help identifying your work-from-home risks and opportunities, contact Pratum to talk with one of our cybersecurity consultants.

Team members practicing incident response tabletop scenario exercises

Every effective cybersecurity program includes regular tabletop exercises where your team gets to practice dealing with a security incident. And realistic exercises start with choosing a scenario that’s appropriate to your actual security risks. In a recent blog, we shared tips for conducting the tabletop exercise itself. In this post, we share three basic scenarios to get you started on creating the right situation for your exercise.

Note that the scenarios shared here don’t come with answers to each problem. A tabletop exercise isn’t a fill-in-the-blank exam. It’s a convincing simulation that lets your team practice working through your incident response plan and a key way to identify needed changes in your incident response plan. Use these sample scenarios to start dreaming up situations that will give your team the most realistic experience.

Key Elements for Any Tabletop Exercise Scenario

You’ll find a few common aspects in every good scenario:

  • Custom details – In your tabletop exercise, tailor the scenario to your team by using names of actual employees, the software your team uses, real customers, etc. All this will heighten the realism and help everyone grasp the consequences of something like your top customer calling because your service isn’t working.
  • An unfolding threat – Throw a series of developments and plot twists at the participants to reflect that, in a real-life incident, you never know all the facts upfront.
  • Unavailable personnel – At some point, reveal that whoever is in charge of your team (or a staff member with necessary expertise) is unreachable. This forces everyone to work the problem on their own rather than just saying that they’ll call someone else for guidance.
  • Outside pressure – Throw questions from clients, partners, the media, etc. into the mix to raise the tension and test the communications aspects of your incident response plan.

Essential Questions to Ask in Any Scenario

With any scenario you use, structure the exercise so that participants have to answer the following questions:

  • Does this qualify as an incident?
  • What’s your first step after realizing that something odd is happening?
  • What information/evidence do you need to collect?
  • How do you know what data was compromised/exfiltrated?
  • Who else in your organization needs to be notified and what should be shared internally?
  • How long will it take to recover your data from backup?
  • Do you have talking points ready for staff members who may get calls from customers? When do you proactively notify customers of the problem?
  • What deadlines from your service level agreements (SLAs) are at risk while your system is compromised?
  • Will you pay the ransom?
  • What are your reporting requirements after the incident is over?

Tabletop Exercise Scenario #1: Ransomware

Backstory: You’re a midsize professional services firm with 100 employees, which includes a three-person IT team.

Day 1, 7:05am
After a long holiday weekend, a couple of early birds arrive at work and report to IT that they can’t access files on their workstations or the network drive.

Day 1, 7:35am
IT team members rush to the office and find that numerous files on the server and workstations appear to be encrypted.

Day 1, 7:55am The only file anyone can open is one that has appeared in every directory. It’s called RECOVER-FILES.txt. Upon review, the team discovers that this is a ransom message and decides to notify the IT leader.

Day 1, 8:05am
The team realizes that the IT leader is on a cruise and unreachable.

Day 1, 3:50pm
Upon further investigation, 80% of your workstations and 50% of your servers and applications were encrypted. Forensic analysis found evidence of data exfiltration and indicated that the threat actors were actively in your network for months before the attack. Recovery will probably take several days or weeks. Not all data is recoverable.

Tabletop Exercise Scenario #2: Business Email Compromise

Backstory:You’re a family-owned, 60-person company that builds components for large agricultural equipment manufacturers.

Day 1, 4:05pm
The CFO receives an email from the CEO, who is traveling in China. The CEO’s message shares greetings from his wife and mentions how much they enjoyed their time in Beijing. He goes on to say that he has decided to proceed with the purchase of a large piece of equipment that the team has been discussing for weeks. He gives the CFO a bank account to use for the $400,000 payment, and the CFO makes the payment.

Day 5, 8:05am
When the CEO returns to the office, the CFO mentions the purchase to him, and the CEO responds, “I never told you to make that purchase. What are you talking about?” The C-suite calls IT in to investigate whether the CEO’s email has been compromised and where the money went.

Tabletop Exercise Scenario #3: System Compromise/Double-Extortion Ransomware

Backstory:Your company runs a cloud-based sourcing service. Customers log into your portal to order the parts they need to conduct operations each day.

Day 1, 10:02am
A customer submits a support ticket saying that they can’t get into the Admin Console for your service and can’t query data from their database for custom reporting. Your support team attempts to use the service and discovers they can’t get into it either.

Day 1, 10:10am
Your internal team sends the issue to your offshore software development team—and they can’t get into the service either.

Day 1, 3:45pm
Forensic investigation finds a ransom note and also discovers that the threat actor was able to capture cached admin credentials and pivot to other systems and resources.

Day 1, 4:59pm
You realize that the attacker successfully exfiltrated critical data and is threatening to disclose it if ransom isn’t paid. You haven’t yet determined what data they exfiltrated

Clearly, each of these scenarios can go in a lot of directions and will give your team plenty of things to discuss. If you’re just starting to use tabletop exercises, you’ll usually benefit from having an experienced third-party expert help develop the scenario and lead your team through the exercise.

Contact Pratum to talk with one of our cybersecurity consultants.

Business Impact Analysis image

Leading a business means deciding which risks are worth taking, and a business impact analysis (BIA) provides a critical resource for making informed risk management decisions. This blog explains how to conduct an effective business impact analysis that will point you toward the right investments for your overall risk assessment strategy.

Let’s start with a few fundamentals: At the basic level, your risk management goal is identifying the likelihood and impact of any given risk. You’re looking for answers to questions such as, “How likely is it that our ERP platform could go down? How long would it take us to restore operations? How much does it cost us every hour that our ERP is down?”

A risk assessment helps you identify your vulnerabilities. With that information in hand, you can then conduct a business impact analysis to help you determine what will happen to your organization if you actually take a hit in a vulnerable area. The business impact analysis assigns actual costs to each risk, which then guides creation of plans and policies that let you prepare accordingly.

Your budgeting process becomes much more clear when the business impact analysis puts a price tag on specific operational interruptions and points to whether you should invest in preventing or mitigating those interruptions. (For help making sense of all the terms used in the realm of incident response, read this blog summarizing the relationships among incident response, disaster recovery and business continuity.)

Disruptions to Consider

Your team assigned to the business impact analysis will need to set their minds to “glass half empty” mode. Think about all the bad things that could befall your organization. Common scenarios include:

  • Hackers encrypting your data in a ransomware attack or shutting down your system with a DOS attack.
  • A natural disaster shutting down your facility or preventing employees from reporting to work.
  • A key employee quitting immediately and unexpectedly.
  • Losing a key application or service that is mission-critical to your overall business.
  • A supplier failing to deliver critical components because they get hit with something on this list.

For each disruption, you should account for special timing that could amplify the situation’s impact. Think about your critical production times in any given year, or even in a given week or day. An issue that shuts you down for two hours at midnight on a holiday weekend is one risk level. It’s quite another if that shutdown hits at 1pm on a weekday.

Also be sure to consider dependencies within your organization. Identify where problems will start cascading to other areas, ramping up the business interruptions and costs.

Costs to Consider

Now that you’re thinking about worst-case scenarios, stay in the zone and start calculating the costs from the various disruptions on your list. Account for factors such as:

  • Financial penalties for failure to meet service level agreements (SLAs) in your contracts.
  • Lost revenue both in the short term (because you aren’t delivering product/services) and in the long term (because customers leave you for another vendor).
  • Hard costs to restore data or physical facilities.
  • Additional interest/fees accrued because you couldn’t pay your bills.
  • Regulatory penalties for data breaches, etc.

Knowing the costs will help you start to establish recovery time objectives (RTOs) and recovery point objectives (RPOs) in each risk area. The RTO sets expectations for how quickly you need to get running again in a specific area. The RPO identifies how far back in time you must go to recover the data you need. For data such as training materials, an RPO of a week or even a month ago may be fine. For other situations, such as market-driven financial data, your RPO may be more like 30 minutes.

How to Conduct a BIA

Your business impact analysis team will follow these common steps:

  • Get Executive Buy-In – You’ll need widespread participation to conduct an accurate analysis. Talk with top leaders to win their support and then have them communicate that they expect others to do their part to make the business impact analysis effective.
  • Assign a Team to Conduct the Analysis – If you don’t have the internal expertise for this work, you can hire a third-party partner like Pratum, to guide you. Along with adding experience in this area, an outside consultant helps make up for any blind spots or inherent biases that come with evaluating your own risks.
  • Establish the Scope – Determine whether your business impact analysis will address one department, the entire organization, etc.
  • Gather Information – To fully assess various interruptions, you’ll need input from a variety of stakeholders throughout organization. Gathering insights from department leaders, managers, etc. will help you discover threats you hadn’t thought about and get more accurate estimates of what interruptions can cost you. The U.S. Department of Homeland Security offers a simple BIA questionnaire you can use as the starting point for your surveys. Most teams follow up on the questionnaires with in-person interviews.
  • Analyze the Information – This is the heavy-lifting stage. The team will designate each business process as critical or non-critical, rank processes by priority for restoration, indicate costs of interruptions and restorations, etc.
  • Issue a BIA Report – This document summarizes all the areas discussed above in clear, quantifiable terms so that your organization’s leaders can make informed decisions. It also provides supporting documentation for readers who want to take a deep dive.
  • Develop Plans – With clear analysis of risk, likelihood and remediation costs, you can start planning your activities and spending.

Take Action

For help with BIA and all other aspects of risk assessment and incident response, contact us today.

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.