We’re roughly six months into the world’s sudden, unplanned leap into a work-from-home (WFH) lifestyle, and most of the IT policies thrown together to handle the switch are showing their gaps. We recently sat down with Pratum CEO Dave Nelson and PC Matic Federal President Terry McGraw to hear their insights on what we’ve learned so far and how organizations should be adapting to the new threat landscape.
Here we share the second of two blogs featuring an edited transcript of the conversation with these cybersecurity leaders. You can watch the full video through the player on this page.
Terry: I’m not a lawyer, so I’m not providing legal advice. But anytime you’re extending a corporate view into a privately owned device, there are innumerable complications that open both the business and the person up to liability.
I think we need to train, coach and even enable. Provide for your home users’ antivirus or VPN solution. Help them lock down their own environment with training tips. Make sure the basic blocking and tackling is done. But when you try to extend your visibility down to that device, that’s when you open yourself up to a morass of liability concerns. Employees may wonder, “Who’s accessing my camera? Did they access my files?” As a business leader, I don’t think I want to get into that environment. I think the better way is to just assume everything is dirty and lock down your internal data systems rather than trying to play Whack-A-Mole at the end user level.
Dave: I totally agree. I’m also not an attorney, so this isn’t legal advice. But you see companies that have been sued because they wiped a phone when an employee left or they took a laptop that they thought had data on it, and it turned out to be an employee’s private laptop.
What happens when something doesn’t work at someone’s house? Are you going to send a tech out there to fix it? Is that a new job description, that you’re supporting all that hardware?
Once you start taking some responsibility, you’re taking some liability. What if that network becomes part of a breach and you had responsibility for keeping it secure? You have some liability for that breach.
Get your HR team involved. Get your legal team involved. Don’t just rely on your general business legal counsel. You need somebody who really understands tech law and how it’s applied. Look at employment law as well, because in certain states you can do things with employees you can’t do in other states.
For example, how do you deal with break time or with leave? Do you disable somebody’s access when they’re on leave so that they can’t claim later that they weren’t really on leave because you made them check their e-mail?
Terry: You have to be sensitive to data being removed from your controlled environment. Put policies in place that say, “Don’t download docs.” You can’t always prevent it, but you can have a policy in place that says if you do this, we’ll terminate you.
There are clever ways you can control data at very low costs. A lot of the Google and Microsoft Office solutions are very inexpensive for small business. And using those can help your business efficiency as well as improving your security position.
Terry: Don’t assume people know the control measures you have in the office. I guarantee they probably don’t. And if you have teenagers, I know doggone well security is probably the last thing on anybody’s mind at the house.
Don’t assume that workers’ home systems are patched, that they have a good antivirus solution or that their router is locked down. If you can’t control that physically, then you have to do it through policy and training.
If you don’t have a formal training program, leverage one like KnowBe4. In my last organization, we sent out a newsletter with best practices to leverage with your family. Give it to mom. Give it to the kids. Show them things to do to be safe at home.
I would be sure to use some specific social engineering training in there.
Dave: The best scams? You won’t see them coming. The best con men are the ones you trust and believe. That’s where people get taken for big, huge scores. Train your employees so they understand they’re under attack and being targeted.
Terry: Sadly, some of the things are playing on human nature. At a company in the Middle East, one of their young IT members was blackmailed for his credentials by an e-crime group because they hacked into his home computer and found illegal material on it. In the end, he was caught both for giving up his credentials and for having the illegal material on his computer.
You’ve seen deep fake videos. Well, there’s enough of my voice samples out there that you can string together a deep fake of my voice, and it will sound like a nearly normal conversation. Let’s say one of my subordinates gets a call from me where I say, “I need you to wire this money for a merger and acquisition conversation we’re having, and I need you to do it by end of day today. Don’t let me down.” Click. My team should know the business process is to send a text or e-mail to me validating the request. Conversely, if I get a text or e-mail, I pick up the phone and confirm it.
With those two-party check systems, a lot of the social engineering stuff comes apart.
Dave: We’ve relied a lot on patterns in the past. Those are still useful. But we need to start looking more at user entity behavior analytics. What’s outside of the normal pattern? Maybe I just got an e-mail from Terry, but I’ve never gotten an e-mail from Terry before. The content of that message is that he’s asking for a specific transaction. That makes it a greater risk. So now I can assign a risk score that says this e-mail from Terry is really high risk, so we need to evaluate it.
It’s also about patterns on devices. If a device usually comes in through this API and accesses this data, but all of a sudden it tries to access other data or comes through another API, all of these things can increase the score of the riskiness of that behavior. How do I analyze that? What threat patterns do we have?
The machine learning and AI that can predict some of that are very much in their infancy and won’t change the world tomorrow. But there are some really good prospects for how we can start seeing these behaviors in a new light and not rely on humans’ little hairs on the backs of our neck going up.
Dave: Distractions. People don’t know what they’re doing with their kids in terms of school. They don’t know if they’re ever going back to the office. They don’t know if the temporary processes they’re struggling with now will remain. All of those distractions take us away from security stuff.
Terry: Small businesses, especially, were already under pressure from the economic impact of COVID. Ransomware attacks and the prevalence thereof will put way more of them out of business. The average ransom last year was $63,000. If you add in remediation and containment costs, most small businesses will never recover from that.
I don’t think time is on our side. Now is the time to come together as a community. We always give lip service to it. But we’re still fighting in our own foxholes, and the enemy plays across that entire infrastructure.
Dave: I think the same thing that’s made it difficult is the same thing that will make it better. When things are going well, there’s this idea of “Let’s not change what’s working.”
It typically takes some kind of catastrophic event for businesses to stop and say, “Where do we go from here?” No one was willing to upset the apple cart before. Now business leaders are saying, “If I’m facing a massive transformation, let’s put it all on the table.”
Terry: I agree: Never let a good crisis go to waste. This is going to force us to accelerate things we’ve known about for a long time. Zero trust architectures are not new. Multifactor authentication is not new. Distributed environments are not new.
In the larger sense, I’ve always been impressed by the human spirit’s ability to endure and overcome the greatest hardships. It’s time for us as a community to do more sharing and communication and be less risk-averse about sharing communication across party lines. But at the end of the day, this too shall pass.
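Dave’s description above of scoring a request by how far it departs from the recipient’s normal pattern (a first-ever sender asking for a transaction, a device calling an API or touching data it never has before) is easy to prototype. The block below is an added illustration written for this post; it is not code from Pratum, PC Matic or any product the speakers mention. The weights, the threshold and the event history are constructed assumptions, and the regexes are deliberately simple stand-ins for whatever content analysis a real UEBA tool would apply.

```python
"""Toy behavior-based risk scoring in the spirit of user/entity behavior analytics.

A baseline is built from historical events; each new event earns points for
every way it deviates from that baseline. Weights and threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Illustrative weights (assumed, not from any vendor or study).
W_NEW_SENDER = 40          # recipient has never received mail from this sender
W_TRANSACTION_REQUEST = 35 # body asks for money to move
W_URGENCY = 15             # "by end of day", "immediately", ...
W_NEW_API = 30             # device calling an API it has never used
W_NEW_DATASET = 30         # device touching data it has never touched
HIGH_RISK = 60             # at or above this, route to a human for a two-party check

TRANSACTION_RE = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)
URGENCY_RE = re.compile(r"\b(today|immediately|asap|urgent|end of day)\b", re.I)


@dataclass
class Baseline:
    senders_seen: Dict[str, Set[str]]                 # recipient -> known senders
    device_paths: Dict[str, Set[Tuple[str, str]]]     # device -> {(api, dataset)}

    @classmethod
    def from_events(cls, events: List[dict]) -> "Baseline":
        senders, paths = defaultdict(set), defaultdict(set)
        for ev in events:
            if ev["type"] == "email":
                senders[ev["recipient"]].add(ev["sender"].lower())
            elif ev["type"] == "api":
                paths[ev["device"]].add((ev["api"], ev["dataset"]))
        return cls(dict(senders), dict(paths))


def score_email(baseline: Baseline, ev: dict) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if ev["sender"].lower() not in baseline.senders_seen.get(ev["recipient"], set()):
        score += W_NEW_SENDER
        reasons.append("first message ever from this sender")
    if TRANSACTION_RE.search(ev["body"]):
        score += W_TRANSACTION_REQUEST
        reasons.append("asks for a financial transaction")
    if URGENCY_RE.search(ev["body"]):
        score += W_URGENCY
        reasons.append("urgency language")
    return score, reasons


def score_api_access(baseline: Baseline, ev: dict) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    known = baseline.device_paths.get(ev["device"], set())
    if ev["api"] not in {api for api, _ in known}:
        score += W_NEW_API
        reasons.append("device has never called this API")
    if ev["dataset"] not in {ds for _, ds in known}:
        score += W_NEW_DATASET
        reasons.append("device has never accessed this dataset")
    return score, reasons


def score_event(baseline: Baseline, ev: dict) -> Tuple[int, str, List[str]]:
    """Return (score, verdict, reasons); verdict is 'review' or 'allow'."""
    score, reasons = (score_email if ev["type"] == "email" else score_api_access)(baseline, ev)
    return score, ("review" if score >= HIGH_RISK else "allow"), reasons


# Constructed history: Dave normally hears from Alice and Bob; laptop-17 only
# ever hits the orders API for the orders dataset.
HISTORY = [
    {"type": "email", "recipient": "dave", "sender": "alice@example.test"},
    {"type": "email", "recipient": "dave", "sender": "bob@example.test"},
    {"type": "api", "device": "laptop-17", "api": "/api/v1/orders", "dataset": "orders"},
]
BASELINE = Baseline.from_events(HISTORY)

# Constructed new events to triage.
NEW_EVENTS = [
    {"type": "email", "recipient": "dave", "sender": "terry@example.test",
     "body": "Please wire $40,000 for the M&A deal. It has to be done by end of day."},
    {"type": "email", "recipient": "dave", "sender": "alice@example.test",
     "body": "Lunch on Thursday?"},
    {"type": "api", "device": "laptop-17", "api": "/api/v1/orders", "dataset": "orders"},
    {"type": "api", "device": "laptop-17", "api": "/api/v1/export", "dataset": "hr_records"},
]

if __name__ == "__main__":
    for ev in NEW_EVENTS:
        score, verdict, reasons = score_event(BASELINE, ev)
        print(f"{score:3d} {verdict:6s} {ev['type']:5s} {'; '.join(reasons) or 'matches baseline'}")
```

Note how the verdict is only a routing decision: a high score sends the request to exactly the out-of-band confirmation step Terry describes (call back, or text the supposed requester), rather than blocking it outright, so a legitimate but unusual request is slowed down, not lost.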
We’re roughly six months into the world’s sudden, unplanned leap into a work-from-home (WFH) lifestyle. And most of the IT policies thrown together to handle a sprint are showing clear gaps now that we’re running a marathon. To see what we’ve learned so far and how organizations should be adapting, we talked with Pratum CEO Dave Nelson and PC Matic Federal President Terry McGraw.
Here we share the first of two blogs featuring an edited transcript of the conversation with these cybersecurity leaders. You can watch the full video below.
Dave: An uptick in social engineering attacks. With this shift to remote work, a lot of informal approvals in the office went away. Now you can’t just check in with your boss down the hall about a transaction they want you to make. There’s a lot of confusion, and processes weren’t solidified during the WFH transition. Attackers are capitalizing on the chaos with spear phishing, pretexting, and other attacks.
Terry: This scenario has accelerated and exacerbated parts of the cyberthreat landscape that have been there for a while but had a limited vector.
The measures we took to ensure the mobile workforce was secure now have to apply to your general organization, and I don’t think our architectures were well equipped to do this at scale.
Social engineering and deep fakes still work because people lack two-party check systems. If I get an e-mail or a phone call that seems a little suspect, I should have a two-party check to verify it.
Terry: The barrier to entry to being an e-criminal now is just a desire to commit crime. Five, eight years ago, people needed to know how to craft and employ these tools. Now you can lease the infrastructure to create an attack. The rapidity with which tradecraft becomes commoditized and then reused in the e-crime environment is one of the biggest upticks we’ve seen.
Dave: When you think of the physical tools you need to carry out a war, the U.S. was well-equipped with the infrastructure to build the tools for that. But in cyberspace, a small organization that’s not even backed by a nation state but wants to rain down terror can lease resources and target and overwhelm someone in a very short period of time.
Dave: We have to move to an environment where I don’t care what device you’re accessing data from or what location you’re accessing it from. I need to protect data because that’s what moves around in a vendor environment or a client environment.
In WFH, we sent a lot of people home without a laptop. They went home, and we turned on VPNs we didn’t have turned on before. We allowed use of a personal computer that’s used by everyone in the home and that probably has viruses running around all over it. We allowed that to connect into the corporate network or the corporate cloud. Now we have all these unknown devices and unknown threats sitting there unmanaged.
We figured we could do that for 90 days. But now we’re in September, and we’re thinking it may be next June before people go back, if we’re lucky. So we have to reevaluate those risks we took early on.
We have to think about moving to a data-centric model. If you haven’t even begun, you’re behind the eight ball already.
Terry: I’m a big fan of zero trust architecture, which, at its core, is being as granular as you can be in user object permission schema and validating that the data and the user are scoped to the exact access they need and validated every time.
I can’t tell you how many times I’ve walked into an organization that swore they had multifactor authentication (MFA), and it’s nowhere in sight. Sadly, the percentage barely moves year over year.
It’s primarily an architectural problem, but it’s exacerbated by the fact that we don’t have basic blocking and tackling in place. We don’t have MFA involved. We don’t have a good handle on our data. We don’t have full asset enumeration. Those were all problems we could gloss over because we had a somewhat contained office environment. But now you’ve broadened the aperture. You have to just assume everything is dirty. You have to look at containerization and segmentation and MFA.
Terry: I like to start with a macro model. There are lots of frameworks that deal with pieces of the problem. But if you raise it up one level, I need three major things to reduce my business risk in a cyber environment:
The one thing I would do today if I hadn’t already done it is implement MFA. I need to make sure everyone touching my environment is authenticated from the system they’re working on.
Dave: If you did a risk assessment before, the environment has changed. So ask four main questions:
In each piece of the life cycle, your risk changes because different people and systems have different access. Assessing risk continually is really critical.
Dave: I don’t think it’s realistic to expect anything out of them. So it goes back to zero trust architecture. Say, “I don’t trust you or the devices you’re coming from, even if it’s a device I manage.” If I assume that I’ve been breached, then I don’t care anymore about the workstation. I care about the user and what they can do. So the key is really restricting down the user access.
Let’s say I click a link and get ransomware. Anything I have access to is subject to being encrypted. If we restrict Dave’s access to only what he absolutely needs to do his job, then we can restrict the depth to which ransomware gets into our organization and starts encrypting files, which reduces the cost.
Terry: Even in traditional networks, limiting lateral scope is important. Microsegmentation has been growing for a while, but it’s been cost-prohibitive. Now with more cloud data environments and need being the mother of invention, I think we’ll see more microsegmentation solutions hitting the market soon.
You should also validate that what you think about your environment is true. That probably means having a third-party organization doing a pen test.
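Dave’s ransomware point above (whatever the user can write to, the malware can encrypt) can be turned into a measurable check on share permissions. The block below is an added example written for this post, not code from Pratum or PC Matic; the share inventory, group memberships and sizes are constructed, and the mapping is deliberately simplified to "groups with modify rights on a share," ignoring NTFS inheritance, deny ACEs and share-level versus file-level permissions.

```python
"""Estimate ransomware blast radius from effective write access, before and
after removing broad groups' write rights (a least-privilege tightening)."""
from typing import Dict, Iterable, Set

# Constructed inventory: UNC share -> groups holding modify/write rights.
# "domain users" on every share is the common over-permissioned starting point.
SHARES_BEFORE: Dict[str, Set[str]] = {
    r"\\fs01\finance":     {"finance", "domain users"},
    r"\\fs01\hr":          {"hr", "domain users"},
    r"\\fs01\engineering": {"engineering", "domain users"},
    r"\\fs01\sales":       {"sales", "domain users"},
    r"\\fs01\public":      {"domain users"},
}

# Constructed sizes (GB) so the radius can be expressed as data at risk.
SHARE_SIZE_GB: Dict[str, float] = {
    r"\\fs01\finance": 400, r"\\fs01\hr": 120, r"\\fs01\engineering": 900,
    r"\\fs01\sales": 250, r"\\fs01\public": 30,
}

# Constructed group membership (assumed, flattened, nested groups already expanded).
MEMBERSHIP: Dict[str, Set[str]] = {
    "dave":  {"domain users", "sales"},
    "terry": {"domain users", "finance"},
}

# Groups that amount to "everyone"; write rights for these are the target of the tightening.
BROAD_GROUPS: Set[str] = {"domain users", "everyone", "authenticated users"}


def writable_shares(user: str, shares: Dict[str, Set[str]],
                    membership: Dict[str, Set[str]]) -> Set[str]:
    """Shares the user can write to, i.e. what ransomware running as that user can encrypt."""
    groups = membership.get(user, set())
    return {share for share, writers in shares.items() if groups & writers}


def blast_radius_gb(user: str, shares: Dict[str, Set[str]],
                    membership: Dict[str, Set[str]], sizes: Dict[str, float]) -> float:
    """Data volume at risk if this user's session is compromised."""
    return sum(sizes[s] for s in writable_shares(user, shares, membership))


def over_permissioned(shares: Dict[str, Set[str]],
                      broad: Set[str] = BROAD_GROUPS) -> Set[str]:
    """Audit check: shares where a broad group holds write rights."""
    return {share for share, writers in shares.items() if writers & broad}


def tighten(shares: Dict[str, Set[str]], broad: Set[str] = BROAD_GROUPS,
            keep: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Remove broad groups' write rights everywhere except shares listed in `keep`
    (e.g. a scratch share that is intentionally open)."""
    keep = set(keep)
    return {share: (writers if share in keep else writers - broad)
            for share, writers in shares.items()}


SHARES_AFTER = tighten(SHARES_BEFORE, keep={r"\\fs01\public"})

if __name__ == "__main__":
    for user in MEMBERSHIP:
        before = blast_radius_gb(user, SHARES_BEFORE, MEMBERSHIP, SHARE_SIZE_GB)
        after = blast_radius_gb(user, SHARES_AFTER, MEMBERSHIP, SHARE_SIZE_GB)
        print(f"{user}: {before:.0f} GB at risk before tightening, {after:.0f} GB after")
    print("still open to broad groups:", sorted(over_permissioned(SHARES_AFTER)))
```

The same computation applied to real ACL exports (for example, output of icacls or Get-Acl on Windows) gives a per-user number to track over time, which is a more persuasive argument for least privilege than a policy statement alone.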
Other people make many insurance decisions for us. Mortgage lenders and governments, for example, aren’t interested in our opinions about carrying homeowners or car insurance. Plenty of companies, on the other hand, are still wrestling with the question, “Do I need cyber insurance?”
That, of course, depends on your business and your tolerance for risk. But one fact is non-negotiable: If a hacker finds their way into your business, your bottom line is going to suffer—probably for longer than you think.
Among small and midsize businesses, a Kaspersky survey found that the average data breach costs around $100,000. That financial toll carries a long tail, with IBM research showing that about 39% of the breach’s costs come after the first year. The price tag includes obvious issues such as re-creating lost data, but victims also pay via business lost when customers lose faith in your ability to protect data. IBM shows that lost business represents about 40% of a breach’s cost.
For many small businesses, the accumulated impacts of a hacker’s blow prove mortal. The National Cybersecurity Alliance reports that 60% of small companies are out of business within six months of being hacked.
Cyber insurance doesn’t replace a strong cybersecurity plan. But it does provide another layer of protection that businesses increasingly want. Between 2015 and 2018, the cyber insurance market tripled in size, according to a Marsh-Microsoft study.
As you assess how much cyber insurance you need, how to choose the right cyber insurance policy and more, use these questions as a guide.
Overall, according to the 2019 Marsh-Microsoft study, 47% of organizations say they have a policy in place, up from 34% in 2017. The number skews toward bigger companies, with 57% of firms with revenues over $1 billion carrying cyber insurance versus 36% of companies with revenue under $100 million. Set that against how frequently small companies go out of business after getting hacked, and it is reasonable to suspect a link between lack of insurance and fatal hacking events.
Companies are growing more confident in knowing how to use cyber insurance. In the 2017 Marsh-Microsoft study, 44% of companies said they were uncertain about how cyber insurance meets their needs. In 2019, that number was down to 31%.
Your company’s contractual agreements may drive your cyber insurance decisions. Take, for example, a logistics company that could face breach-of-contract claims if it’s out of service for as little as 8 hours. Considering that the 2017 NotPetya attack temporarily crippled the shipping giant Maersk, which has a ship arriving in a port somewhere every 15 minutes, it’s easy to see how the costs could rapidly escalate. In September, Hartford, Connecticut, schools had to postpone the first day of school due to a ransomware attack, and a Chilean bank had to close all of its branches after it was hit by ransomware. Your cyber insurance decisions therefore need to involve consultation with your attorney and a clear review of your exposure to business interruption.
Like all insurance discussions, the right coverage depends on your situation, your risk tolerance and discussions with your insurance carrier. But one marker is a 2019 Capgemini study that concluded only 18% of companies have adequate cyber insurance coverage.
Insurance companies are constantly revising their own opinions on coverage and premiums as new threats keep arriving, with innovations such as the Internet of Things (IoT) adding large numbers of new points of exposure.
As with all insurance, your calculation must consider your potential losses and how much you can afford to pay out of pocket. You’ll have to consider costs to recover/recreate your data, how long you could be out of business while recovering, what lawsuits you might face, etc. Don’t get lulled into thinking you’re covered just because you have a policy and the number sounds impressive.
Coverage typically breaks down into two categories:
Don’t assume your overall business interruption coverage includes cybersecurity events. In most cases, you’ll need a separate policy to cover those specific issues.
You also should review the details of which cybersecurity events your specific policy covers. Some default policies exclude coverage for breaches caused by social engineering, such as phishing e-mails or pretexting phone calls, labeling them “voluntary transfers” of information. Since many studies attribute about 90% of attacks to social engineering, that’s an exclusion you can’t ignore.
Some policies also exclude events caused by willful breaches by employees. You need to understand that exposure and decide how it aligns with your risk tolerance.
The underwriting process will determine your premium through a detailed look at your industry, your data usage, your cybersecurity policies and more. Using multifactor authentication, for example, could reduce your premium. But for a general price check, consider a 2019 AdvisorSmith study that found an average annual cost of $1,500 for a $1,000,000 policy with a $10,000 deductible.
It should go without saying, but honesty is critical during the underwriting process. Misrepresentations of your security posture will almost certainly come to light in the event of a claim, opening you up to a voided policy or potential legal action.
Look for a company with significant cyber insurance experience—and skills specific to your size and type of business. Plenty of companies have rushed into this space in recent years, and many of them have limited experience with relevant underwriting and claims.
Underwriting cyber insurance typically includes a long list of questions about your preparedness, and you should be skeptical of companies that ask vague questions. It’s a red flag if a company asks for a simple yes/no answer to a question like, “Are you compliant with all applicable security standards?” Which standards? You and the insurance company must completely understand and agree with each other to avoid a denied claim when problems arise.
Think of it like your homeowner’s insurance. Just because you’re covered, will you consider it no big deal if a storm rips your roof off? Probably not. Disasters carry costs far beyond the simple cost to replace what was broken or stolen.
Insurance companies also set your premiums and decide on claims with a careful eye on your overall cybersecurity preparedness. If an insurer finds sloppy security work on your part, they may reject a claim. And even if insurance does pay to restore your data, cash payments only do so much to restore your reputation with customers. In short, don’t get lazy on protection, no matter how strong your insurance game.
For help clarifying how cyber insurance fits into your overall security policy, contact Pratum’s team.