Pratum Blog

The Six Month Checkup: Part One

We’re roughly six months into the world’s sudden, unplanned leap into a work-from-home (WFH) lifestyle. And most of the IT policies thrown together to handle a sprint are showing clear gaps now that we’re running a marathon. To see what we’ve learned so far and how organizations should be adapting, we talked with Pratum CEO Dave Nelson and PC Matic Federal President Terry McGraw.

Here we share the first of two blogs featuring an edited transcript of the conversation with these cybersecurity leaders. You can watch the full video below.

What are the key threats at this point?

Dave: An uptick in social engineering attacks. With this shift to remote work, a lot of informal approvals in the office went away. Now you can’t just check in with your boss down the hall about a transaction they want you to make. There’s a lot of confusion, and processes weren’t solidified during the WFH transition. Attackers are capitalizing on the chaos with spear phishing, pretexting, and other attacks.

Terry: This scenario has accelerated and exacerbated parts of the cyberthreat landscape that have been there for a while but had a limited vector.

The measures we took to ensure the mobile workforce was secure now have to apply to your general organization, and I don’t think our architectures were well equipped to do this at scale.

Terry McGraw, President, PC Matic Federal

Social engineering and deep fakes still work because people lack two-party check systems. If I get an e-mail or a phone call that seems a little suspect, I should have a two-party check to verify it.

How have the threats changed?

Terry: The barrier to entry to being an e-criminal now is just a desire to commit crime. Five, eight years ago, people needed to know how to craft and employ these tools. Now you can lease the infrastructure to create an attack. The rapidity with which tradecraft becomes commoditized and then reused in the e-crime environment is one of the biggest upticks we’ve seen.

Dave: When you think of the physical tools you need to carry out a war, the U.S. was well-equipped with the infrastructure to build the tools for that. But in cyberspace, a small organization that’s not even backed by a nation state but wants to rain down terror can lease resources and target and overwhelm someone in a very short period of time.

How should we adjust IT architecture for this environment?

Dave: We have to move to an environment where I don’t care what device you’re accessing data from or what location you’re accessing it from. I need to protect data because that’s what moves around in a vendor environment or a client environment.

In WFH, we sent a lot of people home without a laptop. They went home, and we turned on VPNs we didn’t have turned on before. We allowed use of a personal computer that’s used by everyone in the home and that probably has viruses running around all over it. We allowed that to connect into the corporate network or the corporate cloud. Now we have all these unknown devices and unknown threats sitting there unmanaged.

We figured we could do that for 90 days. But now we’re in September, and we’re thinking it may be next June before people go back, if we’re lucky. So we have to reevaluate those risks we took early on.

We have to think about moving to a data-centric model. If you haven’t even begun, you’re behind the eight ball already.

Dave Nelson, CEO, Pratum

Terry: I’m a big fan of zero trust architecture, which, at its core, is being as granular as you can be in user object permission schema and validating that the data and the user are scoped to the exact access they need and validated every time.

I can’t tell you how many times I’ve walked into an organization that swore they had multifactor authentication (MFA), and it’s nowhere in sight. Sadly, the percentage barely moves year over year.

It’s primarily an architectural problem, but it’s exacerbated by the fact that we don’t have basic blocking and tackling in place. We don’t have MFA involved. We don’t have a good handle on our data. We don’t have full asset enumeration. Those were all problems we could gloss over because we had a somewhat contained office environment. But now you’ve broadened the aperture. You have to just assume everything is dirty. You have to look at containerization and segmentation and MFA.

What are the first steps for tackling these challenges?

Terry: I like to start with a macro model. There are lots of frameworks that deal with pieces of the problem. But if you raise it up one level, I need three major things to reduce my business risk in a cyber environment:

  1. I need to have sensing technologies that determine adversary access to my environment.
  2. I need a view of myself. I need to understand the limits of my environment and have good eyes on things accessing my data.
  3. I need to have a good handle on all the things that are mission-critical in my environment and those I do business with.

The one thing I would do today if I hadn’t already done it is implement MFA. I need to make sure everyone touching my environment is authenticated from the system they’re working on.

Dave: If you did a risk assessment before, the environment has changed. So ask four main questions:

  1. What data do I have? Assess your risk based on the confidentiality, integrity and accessibility of that data in the whole life cycle.
  2. Where does it come from?
  3. What do I do with it while I have it? Does it go outside the organization?
  4. What happens when I’m done with it? Does it need to be saved somewhere? Destroyed?

In each piece of the life cycle, your risk changes because different people and systems have different access. Assessing risk continually is really critical.

How much can we realistically expect end users to maintain home routers and handle other IT tasks?

Dave: I don’t think it’s realistic to expect anything out of them. So it goes back to zero trust architecture. Say, “I don’t trust you or the devices you’re coming from, even if it’s a device I manage.” If I assume that I’ve been breached, then I don’t care anymore about the workstation. I care about the user and what they can do. So the key is really restricting down the user access.

Let’s say I click a link and get ransomware. Anything I have access to is subject to being encrypted. If we restrict Dave’s access to only what he absolutely needs to do his job, then we can restrict the depth to which ransomware gets into our organization and starts encrypting files, which reduces the cost.

Terry: Even in traditional networks, limiting lateral scope is important. Microsegmentation has been growing for a while, but it’s been cost-prohibitive. Now with more cloud data environments and need being the mother of invention, I think we’ll see more microsegmentation solutions hitting the market soon.

You should also validate that what you think about your environment is true. That probably means having a third-party organization doing a pen test.

Are you ready to learn how Pratum’s experts can help your organization adjust to the fast-changing world of remote workforces? Check out our services or contact us today!

What You Need to Know about Cyber Insurance

Other people make many insurance decisions for us. Mortgage lenders and governments, for example, aren’t interested in our opinions about carrying homeowners or car insurance. Plenty of companies, on the other hand are still wrestling with the question of, “Do I need cyber insurance?”

That, of course, depends on your business and your tolerance for risk. But one fact is non-negotiable: If a hacker finds their way into your business, your bottom line is going to suffer—probably for longer than you think.

Among small and midsize businesses, a Kaspersky survey found that the average data breach costs around $100,000. That financial toll carries a long tail, with IBM research showing that about 39% of the breach’s costs come after the first year. The price tag includes obvious issues such as re-creating lost data, but victims also pay via business lost when customers lose faith in your ability to protect data. IBM shows that lost business represents about 40% of a breach’s cost.

For many small businesses, the accumulated impacts of a hacker’s blow prove mortal. The National Cybersecurity Alliance reports that 60% of small companies are out of business within six months of being hacked.

Cyber insurance doesn’t replace a strong cybersecurity plan. But it does provide another layer of protection that businesses increasingly want. Between 2015 and 2018, the cyber insurance market tripled in size, according to a Marsh-Microsoft study.

As you assess how much cyber insurance you need, how to choose the right cyber insurance policy and more, use these questions as a guide.

How common is cyber insurance?

Overall, according to the 2019 Marsh-Microsoft study, 47% of organizations say they have a policy in place, up from 34% in 2017. The number definitely skews toward bigger companies, with 57% of firms with revenues over $1 billion carrying cyber insurance and 36% of companies with revenue under $100 million carrying it. But remember what we just learned about how frequently small companies go out of business after getting hacked. There’s almost certainly a correlation between lack of insurance and fatal hacking events.

Companies are growing more confident in knowing how to use cyber insurance. In the 2017 Marsh-Microsoft study, 44% of companies said they were uncertain about how cyber insurance meets their needs. In 2019, that number was down to 31%.

Your company’s contractual agreements may drive your cyber insurance decisions. Take, for example, a logistics company that could face breach of contract charges if they’re out of service for as little as 8 hours. Considering that one famous breach temporarily crippled the shipping giant Maersk, which has ships arriving in ports every 15 minutes, it’s easy to see how the costs could rapidly escalate. In September, Hartford, Connecticut, schools had to postpone the first day of school due to a ransomware attack, and a Chilean bank had to close all of its branches after it was hit by ransomware. Obviously, your cyber insurance decisions need to involve consultation with your attorney and a clear review of your exposure to business interruption.

How much cyber insurance do I need?

Like all insurance discussions, the right coverage depends on your situation, your risk tolerance and discussions with your insurance carrier. But one marker is a 2019 Capgemini study that concluded only 18% of companies have adequate cyber insurance coverage.

Insurance companies are constantly revising their own opinions on coverage and premiums as new threats keep arriving through innovations such as the Internet of Things (IoT) introducing thousands of new vulnerability points.

As with all insurance, your calculation must consider your potential losses and how much you can afford to pay out of pocket. You’ll have to consider costs to recover/recreate your data, how long you could be out of business while recovering, what lawsuits you might face, etc. Don’t get lulled into thinking you’re covered just because you have a policy and the number sounds impressive.

What does a cyber insurance policy cover?

Coverage typically breaks down into two categories:

  • First-party Coverage: This pays for your direct costs to recover from a breach, such as restoring data.
  • Third-party Coverage: This pays for costs that others hit you with after a breach, such as government fines or lawsuits by customers/partners who were compromised during your breach.

Don’t assume your overall business interruption coverage includes cybersecurity events. In most cases, you’ll need a separate policy to cover those specific issues.

You also should review the details of which cybersecurity events your specific policy covers. Some default policies exclude coverage for breaches caused by social engineering, such as phishing e-mails or pretexting phone calls, labeling them “voluntary transfers” of information. Since most studies show that about 90% of attacks come through social engineering, that’s an exclusion you can’t ignore.

Some policies also exclude events caused by willful breaches by employees. You need to understand that exposure and decide how it aligns with your risk tolerance.

How much do cyber insurance policies cost?

The underwriting process will determine your premium through a detailed look at your industry, your data usage, your cybersecurity policies and more. Using multifactor authentication, for example, could reduce your premium. But for a general price check, consider a 2019 AdvisorSmith study that found an average annual cost of $1,500 for a $1,000,000 policy with a $10,000 deductible.

It should go without saying, but honesty is critical during the underwriting process. Misrepresentations of your security posture will almost certainly come to light in the event of a claim, opening you up to a voided policy or potential legal action.

How do I choose a cyber insurance provider?

Look for a company with significant cyber insurance experience—and skills specific to your size and type of business. Plenty of companies have rushed into this space in recent years, and many of them have limited experience with relevant underwriting and claims.

Underwriting cyber insurance typically includes a long list of questions about your preparedness, and you should be skeptical of companies that ask vague questions. It’s a red flag if a company asks for a simple yes/no answer to a question like, “Are you compliant with all applicable security standards?” Which standards? You and the insurance company must completely understand and agree with each other to avoid a denied claim when problems arrive.

Does good cyber insurance reduce how much I have to worry about security?

Think of it like your homeowner’s insurance. Just because you’re covered, will you consider it no big deal if a storm rips your roof off? Let’s assume not. Disasters carry costs far beyond the simple cost to replace what was broken or stolen.

Plus, insurance companies will set your premiums and decide on claims with a careful eye on your overall cybersecurity preparedness. If an insurer finds sloppy security work on your part, they may reject a claim. Plus, even if insurance does pay to restore your data, cash payments only do so much for restoring your reputation with customers. So in summary, don’t get lazy on protection, no matter how strong your insurance game.

For help clarifying how cyber insurance fits into your overall security policy, contact Pratum’s team.

Data Security vs. Data Privacy

Security and privacy seem interchangeable to most of us. Cover one, and you’ve checked both boxes, right? Not exactly. Think of them more like the Yin Yang symbol. When you talk about data security vs. data privacy, you’re talking about two interrelated, but distinctly separate concepts.

And knowing the difference grows more important each month as nearly every organization evolves into a repository for Personally Identifiable Information (PII). That means that if you’re not thinking about your specific data privacy policy, you’re leaving your organization vulnerable to fines and lawsuits.

Our society’s appetite for gathering personal information is hard to truly comprehend. The stats about how much data we create every day can make your eyes glaze as quickly as astronomers talking about interstellar distances. One popular estimate pegs the daily data stream at 2.5 quintillion bytes (that’s 18 zeroes). And the giant data suction hose only gapes wider each month as the Internet of Things (IoT) and 5G’s rollout turn anything with power into a new surveillance node. Various experts predict the number of IoT devices in use by 2027 will reach up to 41 billion. You don’t need a tinfoil hat to see the implications.

But our concern here isn’t who’s tracking you. It’s how much of that personal data your organization is responsible for protecting. You probably have more customer data than you even realize thanks to everyday processes such as scanning business cards into your CRM, using cookies on your website, storing customer satisfaction surveys and more. And governments worldwide are increasingly committed to holding you legally liable for that data you’re stewarding. You may not have a Chief Privacy Officer on the payroll yet, but it’s time for someone on the team to start thinking like one.

The Cost of a Privacy Violation

Every leader should get familiar with the legal concept of a “data fiduciary.” The New York Privacy Act currently working its way through that state’s legislature includes the phrase, and it’s likely to show up in a lot of laws. It requires companies to think about customers’ data the way a lawyer or physician does. Clients divulge their private affairs to you for just one reason: so you can serve them better. Leveraging that data for your own benefit, or even acting recklessly with it, violates your responsibility.

New York’s proposed law is the latest in a string of major new regulations that determine how entities handle information. You should see two key data privacy takeaways:

  • New data privacy legislation is in the works in multiple states and nations including Brazil and India. In November, for example, Californians will vote on whether to create an agency to enforce its data privacy law. Pratum’s analysts anticipate this being a wakeup call for hundreds of companies that hold data for California customers.
  • Agencies are growing teeth when it comes to fines for data privacy violations.

During the first year of the European Union’s privacy regulations, the EU went light on fines, tempting some companies to risk paying a token penalty rather than invest in compliance.

Then the hammer fell. In 2019, the EU levied its first big penalty with a $230 million fine of British Airways for violating the law’s requirements. Here in the U.S., Facebook absorbed one of the federal government’s largest penalties ever: $5 billion for violating consumer privacy, which is roughly 7% of Facebook’s annual revenue. You can do the math on how such a fine would impact your bottom line.

Right now, governments are mainly going after big companies. But the Federal Trade Commission’s long list of privacy enforcement actions proves they’re also pursuing plenty of firms that aren’t household names.

Note that some of the root problems that earned fines weren’t nefarious activity so much as crimes of omission with basic security hygiene. When the Equifax data breach earned the company a $575 million fine, its key problem was failing to patch its network in response to a known vulnerability, leading to the compromise of 147 million records.

So What Is Data Privacy?

Now that you’re listening, let’s clarify the frequent confusion. An IT adage says that you can have security without privacy, but you can’t have privacy without security. In other words, don’t get cocky about your privacy posture just because you’ve never had a breach.

Security ensures that no one gets unauthorized access to data. But a privacy issue arises when you knowingly give personal data to entities you shouldn’t share it with. Our friends at Facebook or Google provide a familiar example. Even if they have rock-solid security, they’re still selling details about you to advertisers, market researchers and others. That’s a privacy concern. If they DO get breached, they can have both security and privacy incidents.

Thorough privacy policies also address who within your organization has access to data and how clearly you tell customers what you’re collecting and what you’re doing with it.

Data Privacy Laws

Anyone in the healthcare or financial industries probably has a working knowledge of privacy regulations, thanks to standards like HIPAA and PCI. But the last two years have brought new privacy regulations to the broader market. Two big ones have set the course for many similar laws coming online:

  • What is GDPR? – The EU’s General Data Protection Regulation took effect in May 2018. You probably noticed its arrival when every website started asking you to confirm use of cookies. Under the law, EU, UK and EEA (European Economic Area) residents now have the right to access, correct, delete, and export their personal information. The law, designed to provide a unified standard across national borders, applies to anyone who collects data of EU citizens.
  • What is CCPA? – California led the U.S. consumer privacy charge with the California Consumer Privacy Act, which became effective on Jan. 1, 2020. Its influence stems not only from being the nation’s first such law, but from the fact that it applies to any company with customers or computers in California. That ropes in a lot of organizations. Smaller companies are exempted from the law, as it applies only to companies that have more than $25 million in annual revenue, collect data on 50,000 consumers or more, or derive 50% or more of their revenue from selling personal information.

Several states have passed their own privacy legislation, with a wide spectrum of requirements and definitions about controls, categories of covered data, etc. Several lawmakers have been working on concepts for a national framework similar to GDPR to make it easier for companies currently trying to comply with varying state standards.

How to Improve Your Data Privacy Policy

In this rapidly evolving privacy landscape, you’ll need a well-informed team to clarify your responsibilities. Along with a knowledgeable attorney, you should confer with a cybersecurity company such as Pratum on:

  • How evolving privacy laws apply to you.
  • Developing policies that adequately cover both security and privacy. With multiple standards emerging nationwide, it typically takes an experienced professional to write an across-the-board privacy policy you can count on.
  • Understanding what data you’re collecting and how long you retain it, both of which can impact your liability.
  • Training employees throughout your organization on their responsibilities. Your marketing department, for example, plays a key role in your privacy position. And your HR processes should address privacy from an employee’s first day through steps such as granting role-based access, which limits employees to only the data they need to do their job.
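The last two items above, knowing what data you hold and for how long, and granting role-based access so employees see only the data their job needs, can be expressed as code rather than left to policy documents alone. The following is an added illustration, not Pratum’s code or any vendor’s product: it assumes a small customer record with a hand-labelled set of PII fields, three hypothetical roles (support, marketing, billing), a two-year retention window, and constructed sample records. Each read returns only the fields the role is permitted to see, every PII disclosure is written to an audit trail (field names only, never values), and records whose last activity is past the retention window are purged.

```python
"""Privacy controls as code: role-based field access, PII audit logging,
and retention enforcement for customer records.

Added illustration, not Pratum's code. Roles, field classification,
retention period and sample records are assumptions built for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Set

# Which fields of a customer record count as PII (assumed classification).
PII_FIELDS: FrozenSet[str] = frozenset(
    {"email", "phone", "home_address", "date_of_birth"}
)

# Role -> fields the role may read. Each role sees only what its job needs;
# nobody gets the whole record by default (hypothetical roles for the demo).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "support": frozenset({"customer_id", "name", "email"}),
    "marketing": frozenset({"customer_id", "name"}),
    "billing": frozenset({"customer_id", "name", "home_address"}),
}

# Inactive records older than this are purged (assumed two-year retention).
RETENTION_DAYS = 730

# Constructed sample records; every value is a placeholder.
SAMPLE_CUSTOMERS: List[dict] = [
    {
        "customer_id": "C-1001",
        "name": "A. Example",
        "email": "a.example@example.invalid",
        "phone": "+1-555-0100",
        "home_address": "1 Example Way",
        "date_of_birth": "1980-01-01",
        "last_activity": "2018-03-15",
    },
    {
        "customer_id": "C-1002",
        "name": "B. Example",
        "email": "b.example@example.invalid",
        "phone": "+1-555-0101",
        "home_address": "2 Example Way",
        "date_of_birth": "1990-06-30",
        "last_activity": "2020-01-10",
    },
]


class AccessDenied(Exception):
    """Raised when the requesting role is not defined in the policy."""


@dataclass
class AccessDecision:
    allowed: Dict[str, object]   # fields returned to the caller
    redacted: Set[str]           # fields withheld from this role
    pii_disclosed: List[str]     # PII fields among the returned ones


AUDIT_LOG: List[str] = []      # in-memory audit trail for the demo


def read_record(record: dict, role: str) -> AccessDecision:
    """Apply role-based, field-level access and log every PII disclosure."""
    if role not in ROLE_PERMISSIONS:
        raise AccessDenied(f"unknown role {role!r}")
    permitted = ROLE_PERMISSIONS[role]
    allowed = {k: v for k, v in record.items() if k in permitted}
    redacted = {k for k in record if k not in permitted}
    pii_disclosed = sorted(PII_FIELDS & set(allowed))
    # Log which PII fields were disclosed and to whom, never the values.
    AUDIT_LOG.append(
        f"role={role} customer={record.get('customer_id')} "
        f"pii={','.join(pii_disclosed) or '-'}"
    )
    return AccessDecision(allowed, redacted, pii_disclosed)


def past_retention(record: dict, today_iso: str) -> bool:
    """True when the customer's last activity is older than the retention window."""
    last = date.fromisoformat(record["last_activity"])
    today = date.fromisoformat(today_iso)
    return today - last > timedelta(days=RETENTION_DAYS)


def purge_expired(records: List[dict], today_iso: str) -> List[dict]:
    """Return records still inside the retention window; log the ones dropped."""
    kept = []
    for r in records:
        if past_retention(r, today_iso):
            AUDIT_LOG.append(
                f"purged customer={r['customer_id']} last_activity={r['last_activity']}"
            )
        else:
            kept.append(r)
    return kept


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        d = read_record(SAMPLE_CUSTOMERS[0], role)
        print(role, "sees", sorted(d.allowed), "withheld", sorted(d.redacted))
    kept = purge_expired(SAMPLE_CUSTOMERS, "2020-09-15")
    print("kept:", [r["customer_id"] for r in kept])
    print("\n".join(AUDIT_LOG))
```

The design choice worth noting is that the permission table is an allow-list keyed by role, so adding a new PII column to the record automatically hides it from every role until someone consciously grants it, and the audit trail records field names rather than values so the log itself does not become a second copy of the PII.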

If you’re ready to have a conversation about your organization’s privacy responsibilities, contact a Pratum consultant.
