The White House is now formally telling all businesses to take action to protect themselves from cyber threats. These threats are not new, but are now being acknowledged by the government on a whole new level. This additional emphasis by our government should be taken seriously, given the geopolitical and network security landscapes of 2022.
I, personally, appreciate the White House, the FBI, and CISA, taking the steps they have recently taken to bring this to the attention of business owners. The time to act is NOW. I published an article in March of 2021 Titled Cyber Security in 2021: 16 Steps to protect your company. What has changed in the past year, and how are the White House’s recommendations different from mine?
We have seen significant cyber attacks and breaches in the news, most notably the pipeline attack in May of 2021, which led to President Biden’s declaration of a National State of Emergency on May 9th, 2021.
There was also the Kaseya breach in July of 2021, which crippled over 50 Infrastructure Management firms and encrypted the data of hundreds of businesses in Florida. Let’s add to this:
- The arrests of several of the hackers responsible for these events
- The possibility of legislation making it illegal to make ransomware payments
In general, we have a whole new confusing and challenging landscape to traverse.
So what do you do if you own a business that is not properly protected, and you get encrypted, and you have no way to regain access to your data other than pay the ransom? In 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in some (most) cases.
Essentially, OFAC is saying that paying a ransom is funding cyber terrorism and possibly financially aiding other countries’ malicious efforts.
Here are the steps the White House published urging businesses to take action.
Step 1: Mandate the use of Multi-Factor Authentication
Step 2: Deploy Modern Security Tools
Step 3: Ensure systems are protected
Step 4: Backup data
Step 5: Run Exercises
Step 6: Encrypt Data
Step 7: Educate Employees
Step 8: Engage with local resources
While I do not disagree with any of the suggestions made by the White House, the order in which they are listed is dangerous for firms that do not have most of these steps in place. People tend to think any ordered list is in order of most-to-least important, and that is not the case with this list.
As a business owner myself, when presented with a problem I want to limit my risk as quickly as possible. Insurance is a great way to limit your risk. Before you can get insurance, you need to determine your risk and your risk tolerance. That is why you need a risk assessment as the starting point. You are likely to find you will not be able to get insurance until some of the important tools and protections are implemented. If you have taken none or few of these steps, I suggest you take the following steps as soon as possible. A brief discussion of each item follows the list.
- Complete a Security Assessment.
- The firm you select in Step #4 should be able to do this for you. Not all assessments are equal. When done properly an assessment will identify what and where your critical and sensitive data is, as well as risk factors from technological, human, procedural, and environmental variables.
- Make sure you have proper backup of all critical data and that the backup cannot be accessed by an attacker to be encrypted.
- If they can get to it, they will encrypt it, too!
- Get Cyber Security Insurance.
- Engage with a local Cyber Security and IT Management firm if you do not already have one.
- If have a relationship, evaluate if the firm you are working with has the expertise to help lower your risk, and if they are doing all the right things.
- Deploy modern security tools. This covers a lot of areas:
- Perimeter protection (firewalls)
- Intrusion Detection
- Intrusion Prevention
- anti-malware
- behavioral analysis
- anti-virus, and the newest addition to the list:
- Zero Trust. The FBI and CISA now recommend all businesses implement Zero Trust and continue to publish new guidelines for their recommended Zero Trust strategy.
- Encrypt your data.
- Educate your employees.
- Build a culture of cyber security.
- Create a cyber security program with written policies.
- Test and update the policies regularly.
Let’s break these items out further
Risk Assessment:
A Risk Assessment should give management an accurate picture of the risk and the factors making up your risk. Beyond the cyber security tools and procedures, what other factors can cause financial harm? Ownership and management issues need to be considered. Supply chain issues should be reviewed. Methods and procedures are vital items in your level of risk. Rose Computers makes a risk assessment a vital part of the business process when meeting with new clients.
Data Backup
Backing up your data seems obvious. Backup needs to be planned carefully to assure you are properly protected. The 3-2-1 backup rule suggests you maintain 3 total copies of your data, on two different media types, and that one set of data is stored at a different location. Some people are modifying the last item to mean air-gapped or not accessible by any other system like the Internet.
Cyber Security Insurance
Nobody can guarantee you will not be breached. The current statistics show you are far more likely to suffer a significant cyber security incident than to have a fire. Protect your livelihood with an adequate cyber security insurance policy and take the time to understand the coverage and the limits. Understand what might prevent the underwriter from paying out in the event of an issue.
Engage with local resources
If you have cyber security professionals on your team, document and engage with local FBI, state agencies and CISA departments. If you do not have internal cyber security professionals engage with a professional or a team of professionals like Rose Computers that have the expertise to help you limit your risk and keep you current with tools and processes for proper governance.
Deploy Modern security tools
The list of tools and protections continues to grow every year. In addition to the hardware and software tools that go into a good infrastructure, process, machine learning, artificial intelligence and log retention are becoming more common and important. Tools required in your environment vary depending on the type of business you are in and the result of your risk assessment in step #1. Tools that all business should incorporate include:
Next Generation Firewalls with Unified Threat Management
Anti-virus software with an active alerting system
Intrusion Prevention software
Intrusion Detection software
Anti-Malware software
Spam Control
Anti-Phishing mechanisms
Password Management software
Multi-factor authentication tools
Content Filtering and web application filtering.
Patch management and reporting
Encryption software
Zero Trust. Zero Trust can be a set of rules or procedures you follow or an application software that enforces least privilege rights and prevents applications from performing functions or accessing data unless specifically allowed by policy.
Organizations with compliance requirements may also need log aggregation and retention and/or a Security Information and Event Management package (SIEM).
Encrypt your data
This is one of the more challenging statements in the current state of tools and technology. Ideally you want all data encrypted such that if a bad actor was able to exfiltrate it, they cannot read it. Disk encryption, as required by HIPAA, does not accomplish this. This is where you should consider protection beyond compliance. The three approaches to protection from exfiltration include Data Loss prevention (DLP) that historically have been overly complex and not totally effective, file level encryption which achieved the desired result, but is typically intrusive and expensive, and the newest information protection, which encrypts data at rest as well as preventing it from being shared improperly.
Educate your employees
Build a culture of cyber security. Phish testing and security awareness training is vital to limiting your risk. Required by HIPAA, training your employees about cyber security reduces incidents and offers the opportunity for management to give a clear message to the team that management recognizes the risk, is taking it seriously, and expects all employees to take it seriously. This is what each employee can do to help the company and protect their livelihood.
Create a cyber security program with written policies
Having written policies around security is the first step in an ongoing program for cyber resilience. This is where the White House suggests running tests. Do drills. Test your incident response policy. Security is an on-going process and updating your policies and procedures in addition to your tools goes a long way to making your organization resilient to whatever the future holds for you.
In Conclusion
Start now. Do not let your firm become a statistic. You have worked too hard to lose your livelihood or suffer financial damage because you have not taken the right actions around cyber security. It is ok, if you are new to this, or have not yet taken these important steps to protect your business, as long as you Take Action now.
Security First. Protect Yourself at All Times.
David Rose
President
Rose CTS
____________________________________________________