Pratum Blog

Cybersecurity for Your Business

Cybersecurity conversations filled the halls when 400 Iowa business leaders came together for the first time in two years in early June. New breaches dominated the headlines as the Association for Business and Industry’s Taking Care of Business conference convened. In fact, throughout the gathering, Iowa’s largest community college was shut down while trying to recover from a ransomware attack.

All the breaking breach news put cybersecurity at the front of many minds. It was hard to find a conference attendee who still thought their business was too small or their data too boring to draw a hacker’s interest.

To help leaders across industry sectors understand how to ramp up their organizations’ security posture, Pratum Founder and CEO Dave Nelson joined a panel discussion on best practices for business cybersecurity. Here are key tips highlighted during the discussion.

  • Protect the data, not the device – The world’s rapid jump to remote work in 2020 accelerated the move toward security that is data-centric rather than device-centric. In short, the old approach focused on locking down access to servers, devices and networks that were all under a company’s physical control. But as thousands of employees instantly switched to working on personal devices and networks, organizations realized that data needs to carry protection wherever it travels.
    “You no longer control the devices or networks. And that’s scary for data managers and business leaders,” Dave Nelson said. “Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.”
    Read this Pratum blog to learn more about the shift to data-centric and zero-trust architecture.
  • Call your attorney first during a breach – If you realize hackers have gotten into your system, your first call should almost always be to your attorney. Brian McCormac, an attorney at Pratum partner BrownWinick, pointed out during the panel that activating attorney-client privilege early serves your best interests. “Once a client engages us,” Brian said, “we can engage the cybersecurity service under attorney-client privilege.” That allows frank conversations with the cybersecurity company without putting things into the legal record.
    You should also contact your attorney before your insurance carrier to increase the chances that you can work with an attorney you know. “An insurance company will probably assign you a law firm in another city,” Brian said. “They don’t know who you are. And counsel that is only working with you one time probably won’t take your call at midnight if you’re in the middle of a breach.”
  • Call in cyberinsurance at the right time – The panel offered several other best practices for working with cyberinsurance carriers. Dave noted that talking to your insurance carrier first may be “giving them notice of an issue that they wouldn’t even need to know about otherwise.” Work with your attorney and cybersecurity consultant to fully assess the situation before getting insurance involved.
  • Build your response team in advance – Successful breach recoveries typically come from building solid relationships with an attorney and cyberinsurance consultant before the problem starts. Your incident response team helps you establish policies that reduce the chance of a breach in the first place and helps you handle breaches more efficiently. Plus, if your team knows your business in advance, they’ll be able to provide more accurate and timely advice when you’re facing a critical incident.
    Identifying your partners in advance also gives you time to ask your insurance carrier to put them on its approved vendors list. If you don’t do this ahead of time, you’ll be stuck using your insurance company’s providers, even if they cost more than your preferred local provider and don’t know your business.
  • Train your employees – BrownWinick attorney Drew Larson said, “Your weak vector isn’t always a hacker. It’s often an employee.” Brian echoed the point by noting that most breaches start with an employee clicking on a malicious link in a phishing e-mail. “It causes great harm,” Brian said, “but it’s not the person in a basement in the Ukraine hacking away at your firewall.”
    The solution is to train your entire team in how their actions affect the organization’s security—and then train them again every few months. Our Employee Security Training Planner helps you lay out an ongoing plan to build cybersecurity into your culture.
  • Pay attention to mobile device management – Dave noted that every robust security policy should address best practices for mobile device management. Tools such as Microsoft Intune, for example, let you separate personal and business use of a device by keeping business data in a managed container on the phone. And even if a user doesn’t turn on full-device encryption, you can require that the business data in that container be encrypted.
  • Encrypt your data – Speaking of encryption, the panel recommended giving more attention to your policies for this critical area. Proper encryption not only keeps bad guys out of your sensitive data but also provides legal advantages. Brian noted that, “Encryption often provides a safe harbor under breach notification laws. In some cases, you can avoid those notices if you encrypt the data.” Those safe harbors generally apply only when the encryption keys were not compromised along with the data, so key management matters as much as turning encryption on.
  • One great tip – Closing out the panel, Dave and Brian offered these best practices when asked for one recommendation they’d make to any organization:

Dave Nelson: "Get an IT risk assessment. That keeps you from spending so much money on the wrong areas that you don’t have money left for the important ones. If you don’t start with a risk assessment, you’re just throwing darts—and you don’t even know if you’re facing the dartboard."

Brian McCormac: "Map your data. Invariably, you have info you don’t know you have. Businesses are very siloed. HR doesn’t know what marketing has, and legal doesn’t know what anybody has. One company was collecting racial info in Europe, which is a big no-no. Why? They didn’t know. They just said they always have. So pursue a plan for data minimization. Have only the data you need and make it available only to those who must have it."

For help in understanding how any of these areas affects your specific situation, contact Pratum today.

Secure Iowa Conference 2021

In the last six months, every week seems to bring a major new cybersecurity headline. So when the Secure Iowa Conference returns in person on October 6 after a two-year, pandemic-induced hiatus, one day will barely contain all the updates.

At the event tailored for Iowa’s security, privacy and audit professionals, keynote and breakout speakers will cover:

  • The impact of new government regulations, such as CMMC, President Biden’s cybersecurity executive order and Iowa’s new cybersecurity requirements for the insurance sector.
  • Insights into root causes behind high-profile breaches of Microsoft Exchange Server, Colonial Pipeline and more.
  • The latest detection-and-response tools that can shut down breaches in the earliest stages.
  • Best practices for application security, server configuration, network segmentation, etc.
  • Tips for efficiently handling customer security questionnaires that often overwhelm IT teams.

New Leadership from a Longtime Partner

Pratum has helped organize and sponsor Iowa’s largest information security conference since its inception. Pratum Founder and CEO Dave Nelson helped start the Secure Iowa Conference in 2012 when he served as president of ISSA Des Moines Chapter. So as the conference reached 400 attendees and outgrew the management capacity of ISSA Des Moines’ volunteer board, Pratum was the obvious choice to purchase the event in 2021.

Pratum is the right team to take the conference to the next level. The company has had a lead role in sponsoring and operating the conference since its beginning. As Pratum fully takes the reins on the conference, our board can focus on creating additional educational opportunities for members.

Kevin Seuferer, President, ISSA Board of Directors

ISSA will remain involved in the Secure Iowa Conference by:

  • Continuing to sponsor conference admission, allowing tickets to remain free for attendees.
  • Receiving annual revenue from the conference, which will fund expanded programming for ISSA members.
  • Supplying and helping to select conference speakers.

New Venue in 2021

Returning attendees should note the new location for Secure Iowa: Hy-Vee’s Ron Pearson Center in West Des Moines. After several years in Ankeny, the event moves to the Pearson Center to take advantage of spaces built to handle keynotes, breakouts and exhibits. The 5-year-old venue also provides cutting-edge lighting and presentation systems fitting for the tech-focused conference.

Secure Iowa Conference 2021

Conference Date:
October 6, 2021

Location:
Ron Pearson Center
West Des Moines, Iowa

Admission Price:
Free


Strengthen Your Cybersecurity Defenses

Does ransomware seem like it’s your problem yet? We have the tips to help you fight ransomware—but first you have to decide you’re ready to take some action.

Ransomware Steals the Headlines

Did ransomware get your attention when you heard about East Coast gas stations running dry after an attack led the Colonial Pipeline to shut down? How about when eager lawyers filed a class action lawsuit against Colonial, alleging that its inadequate cybersecurity measures harmed consumers?

Did ransomware send a shudder through your grocery budget when an attack shut down nine beef-packing plants at JBS, the world’s largest meat processing company?

Did it grab your interest when the average ransom payment more than doubled to $312,000 in 2020?

The message seems to be sinking in that it’s time to get serious with a plan to fight ransomware. A month after the Colonial Pipeline breach, two-thirds of organizations reported that they intend to take action to harden their defenses.

The Government to the Rescue (?)

The U.S. government is also stepping up its response. President Biden issued an executive order in May (Executive Order 14028, Improving the Nation’s Cybersecurity) aimed at, among other actions, strengthening software security in federal agencies and creating a federal board to investigate major breaches. The administration says it intends to shift the focus from incident response to incident prevention.

Dozens of states are working on new regulations to step up cybersecurity across several industries. 

Biden will surely address Russia’s hacker-friendly climate when he meets with Russian President Putin in mid-June, as the JBS attack (like the Colonial Pipeline attack and multiple others) was almost immediately attributed to a criminal organization in Russia. But if you’re pinning your organization’s safety on the hope that Russia will crack down on hackers, you may also have a tendency to think vampires make excellent stewards of blood banks.

The fact is that the government can’t keep up. Hacking operations are well-run businesses employing some of the world’s best coders. They shift tactics constantly and engage in flexes like quoting your own cybersecurity policy back to you if you claim that you can’t afford the ransom they demand.

The creaky engines of legislation and even executive action can’t pivot as fast as the bad guys. And the vast web of overlapping and disconnected entities in state and federal government leaves gaping holes in cybersecurity efforts.

Take Control of Your Own Ransomware Strategy

So, while new regulations may put a dent in the ransomware wave, protecting our organizations relies on each of us leaders taking decisive action specific to our situations. If all the ransomware headlines have provided the wake-up call you need, here’s what you can start doing.

  • Patch your systems – A lot of IT leaders focus their angst on stopping zero-day threats. But digest this fact: one recent analysis showed that almost two-thirds of system vulnerabilities involve bugs that were identified two years ago. In other words, most of your vulnerabilities already have a fix; you just have to apply the patches that are available. Hackers love to grab low-hanging fruit. Don’t let them find it on your system. Get a vulnerability scan, fix internet-facing systems and anything with a public exploit first, and then work through the rest of the gaps.
  • Use proper port settings – Leaving services listening on ports that nothing needs, especially on internet-facing interfaces (exposed Remote Desktop is a favorite ransomware entry point), gives hackers an easy gate into your system. CIS Controls 9 (Limitation and Control of Network Ports, Protocols and Services) and 12 (Boundary Defense), in version 7 of the controls, offer information on some common settings to check.
  • Actively monitor your systems – If a bad actor does get a toehold in your system, spotting it immediately lets you shut down the breach before things get out of hand. IBM reports that the average breach takes 280 days to identify and contain. You can do a lot better. The latest defense is a Managed Detection and Response solution that constantly monitors activity, uses artificial intelligence to correlate several individually unremarkable events into the picture of a brewing attack, and actively steps in to shut down suspicious activity.
  • Segment your systems – By segmenting your network (and air-gapping the most critical parts outright), you limit how far hackers can get if they penetrate one part of it.
  • Limit each user’s access – Similar to the previous point, enforcing least-privileged access through Identity and Access Management means that a hacker who compromises one user’s credentials gets only what that user needed, not your entire system.
  • Have a robust backup strategy – Even if ransomware locks up your data, an effective backup lets you quickly restore operations. Keep at least one copy offline or otherwise unreachable from the production network, since ransomware operators routinely delete or encrypt any backups they can reach, and test restores often to ensure the backups are doing their job.
  • Plan ahead – A detailed incident response plan helps everyone know what to do to limit the damage when you come under attack. Breach costs are 38% lower for companies that have an IR plan in place before the breach.
  • Train your team—and keep training them – Malware frequently gets onto a system when a user clicks a bogus e-mail link or falls for social engineering via text messages. Engaging every member of your team in cybersecurity, and in understanding how it keeps the business running, provides one of the best defenses. Provide regular training on the latest tricks in phishing and other social engineering tactics.
  • Get an outside opinion – An IT risk assessment, vulnerability scan and penetration testing all provide essential checks on your current cybersecurity posture and point to critical remediations you need to make. Contact Pratum to find out how we can help get you ready to stop ransomware attacks before they strike.
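The port-settings tip is easiest to act on once you know what is actually listening. The script below is an added example, not Pratum’s code or any tool mentioned on this page: it parses `ss -tlnp` output (a constructed sample is embedded so it runs offline) and flags anything bound to all interfaces that is not on an allowlist you define. The allowlist `ALLOWED_PUBLIC`, the assumed role of a public web server, and the sample listeners are illustrative assumptions.

```python
"""Audit listening TCP sockets against an allowlist (added example, not from the page)."""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output for illustration; not a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=950,fd=5))
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=1330,fd=11))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1402,fd=39))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     [::]:8080            [::]:*
"""

# Hypothetical allowlist for a public web server: (port, process) pairs that
# may listen on all interfaces. Anything else exposed externally is a finding.
ALLOWED_PUBLIC = {(22, "sshd"), (443, "nginx")}

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

# The process column is optional: without root (or without -p) ss omits it.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str  # "?" when ss did not report the owning process

    @property
    def public(self) -> bool:
        """True when the socket is bound to every interface, IPv4 or IPv6."""
        return self.addr in WILDCARD_ADDRS


def parse_listeners(ss_text: str) -> list:
    """Parse `ss -tlnp` text into Listener records, skipping the header line."""
    found = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["addr"], int(m["port"]), m["proc"] or "?"))
    return found


def audit(listeners, allowed=ALLOWED_PUBLIC) -> list:
    """Return listeners exposed on all interfaces that are not allowlisted.

    Loopback-only services (127.0.0.1, [::1]) are not reported: they are not
    reachable from the network, which is the exposure this check is about.
    Unknown process names are always reported so a non-root run errs on the
    side of noise rather than silence.
    """
    return [l for l in listeners if l.public and (l.port, l.proc) not in allowed]


def collect_ss_output() -> str:
    """Run the real ss when it is installed, else fall back to the embedded sample."""
    if shutil.which("ss"):
        return subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=False).stdout
    return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    for f in audit(parse_listeners(collect_ss_output())):
        print(f"UNEXPECTED listener {f.addr}:{f.port} owned by {f.proc}")
```

Run it as root so every socket carries its process name; on the sample it reports the RDP and SMB listeners and the unowned port 8080, which is exactly the kind of forgotten service the panel is warning about. A finding is a question, not a verdict: either the service belongs on the allowlist or it should be disabled or bound to a specific internal address.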
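The monitoring tip describes detection that treats several individually unremarkable events as one brewing attack. As an added example (not Pratum’s code, and not how any particular MDR product works internally), the script below correlates constructed endpoint telemetry: a command that destroys recovery points plus a burst of extension-changing file renames on the same host is escalated to a critical alert, while a lone rename or a harmless `vssadmin list shadows` is ignored. The event schema, hostnames, thresholds and the list of tampering commands are assumptions for illustration.

```python
"""Correlate endpoint events into a ransomware-in-progress alert (added example, not from the page)."""
import json
import os
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them against your own baseline of bulk file activity.
RENAME_BURST_THRESHOLD = 25            # extension-changing renames by one process...
RENAME_WINDOW = timedelta(seconds=60)  # ...within this window on one host
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Commands that destroy recovery points; every word of a tuple must appear in the command line.
BACKUP_TAMPER_MARKERS = (
    ("vssadmin", "delete", "shadows"),
    ("wmic", "shadowcopy", "delete"),
    ("bcdedit", "recoveryenabled", "no"),
)


def build_sample_events():
    """Constructed telemetry for illustration (not real logs): one dict per event."""
    base = datetime(2021, 6, 14, 2, 11, 0)

    def at(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FORMAT)

    events = [
        {"ts": at(3), "host": "FIN-PC07", "type": "process_start", "image": "winword.exe",
         "cmdline": "winword.exe /q Invoice_4471.docm"},
        {"ts": at(40), "host": "FIN-PC07", "type": "process_start", "image": "vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        # An admin listing shadow copies is not tampering and must not fire.
        {"ts": at(5), "host": "OPS-SRV01", "type": "process_start", "image": "vssadmin.exe",
         "cmdline": "vssadmin.exe list shadows"},
        # A single rename that keeps the extension is ordinary user activity.
        {"ts": at(70), "host": "HR-PC02", "type": "file_rename", "image": "explorer.exe",
         "old": r"C:\Users\asmith\Draft.docx", "new": r"C:\Users\asmith\Final.docx"},
    ]
    for i in range(30):  # an encryptor working through a share, one file per second
        events.append({"ts": at(50 + i), "host": "FIN-PC07", "type": "file_rename",
                       "image": "svchost32.exe",
                       "old": rf"C:\Share\report_{i}.xlsx",
                       "new": rf"C:\Share\report_{i}.xlsx.locked"})
    return events


def _extension(path: str) -> str:
    # Windows paths may arrive on a POSIX collector; split on either separator.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(name)[1].lower()


def detect(events):
    """Return one alert per host that shows ransomware behaviour.

    Two independent signals are tracked: a backup-tampering command, and a burst
    of extension-changing renames by a single process. Either alone is "high";
    both on the same host is "critical", because together they are the textbook
    sequence of an encryptor removing recovery options and then running.
    """
    signals = defaultdict(set)         # host -> signal names
    rename_times = defaultdict(deque)  # (host, image) -> timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.strptime(e["ts"], TS_FORMAT)
        if e["type"] == "process_start":
            cmd = e["cmdline"].lower()
            if any(all(word in cmd for word in marker) for marker in BACKUP_TAMPER_MARKERS):
                signals[e["host"]].add("backup_tampering")
        elif e["type"] == "file_rename" and _extension(e["old"]) != _extension(e["new"]):
            q = rename_times[(e["host"], e["image"])]
            q.append(ts)
            while q and ts - q[0] > RENAME_WINDOW:  # slide the window forward
                q.popleft()
            if len(q) >= RENAME_BURST_THRESHOLD:
                signals[e["host"]].add(f"rename_burst:{e['image']}")
    alerts = [{"host": h, "severity": "critical" if len(s) > 1 else "high", "signals": sorted(s)}
              for h, s in signals.items()]
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional path to a JSON-lines telemetry export
        with open(sys.argv[1]) as fh:
            events = [json.loads(line) for line in fh if line.strip()]
    else:
        events = build_sample_events()
    for alert in detect(events):
        print(json.dumps(alert))
```

Before relying on a rule like this, baseline `RENAME_BURST_THRESHOLD` against legitimate bulk operations (backup agents, build jobs, archive tools) and extend `BACKUP_TAMPER_MARKERS` with whatever recovery-disabling commands matter in your environment; the value of correlation is that the combined signal stays meaningful even when each piece on its own would be too noisy to page on.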
