Preparing for Cyber Disasters

Written by Christopher Myers

If you are a small business owner, a self-employed entrepreneur, or part of a local government, how confident are you in your organization’s physical and cybersecurity? You may not even have an Information Technology department, but you still almost certainly use IT assets, both physical and software-based. Do you track those assets well enough to know exactly where all of them are and what they are being used for? The majority of America’s small business owners don’t believe they will be targeted by a cyberattack, and only 28% have a response plan in place.1 Those organizations should be aware of the dangers of such an attack, though: the average total cost of a single data breach is $4.45 million, and $3.31 million for organizations with fewer than 500 employees, according to IBM’s 2023 Cost of a Data Breach Report.2

If you still have employees, coworkers, and supervisors who are unfazed by the costs noted above, consider the many recent headlines detailing cyberattacks against local governments, including “Ransomware Attack at NJ County Police Department Locks Up Criminal Investigative Files,” “Cyberattack disrupts Lowell city government, shuts down computers,” “Dallas pays millions for ransomware expenses after May attack,” and “Oakland Declares State of Emergency Due to Ransomware Attack.”3,4,5,6 These are only a few of the reports detailing government incidents, but there have been a multitude of attacks against local businesses as well. The following headlines are among the most concerning, considering that these attacks were against healthcare organizations: “Local hospital system hit with a ransomware attack,” “Cyberattack forces Idaho Hospital to send ambulances elsewhere,” and “Central Illinois Hospital closing after 2021 ransomware attack.”7,8,9

A cyberattack is not just a real danger but a likely one. The Small Business Innovation Research program, a government-funded program managed by the Small Business Administration, notes that in 2014 half of all small businesses reported that they had been the victim of a cyberattack, and over 60% of the victims went out of business.10 What, then, can an organization do to deter or respond to such an attack? In the paragraphs below, I will review some of the best organizational policies that can lead to a better protected and prepared environment. While the following text will primarily detail policies, if you are interested in hardware and software solutions, I would highly suggest you read through my previous article titled “Protecting Your Information Technology,” if you haven’t already done so.

The first action an organization should take to increase its cybersecurity is appropriate IT asset management. Some organizations live with a Schrödinger’s-cat mindset, believing that if they don’t look into where their assets are, they can indefinitely stave off the discovery of any problems with them. In reality, a breach that is disclosed by the attacker rather than identified by the organization’s own security team costs on average $930,000 more.11 Your organization may have only a couple of computers and mobile devices, or it may have hundreds. The question is: do you know where they are, who has access to them outside of work hours, how they are being used, and whether any non-authorized assets are connected to them?

Take, for example, a single simple router offering your organization’s Wi-Fi to employees and customers. Do you know who is actually using your Wi-Fi, and do you have a baseline to determine what appears normal and what qualifies as an abnormality? After all, an employee could have a malware-infected personal device on that router, with an adversary collecting information on your network through that malware. Another adversary could use brute force or social engineering to get your Wi-Fi password, and then mount a man-in-the-middle attack against unpatched systems to steal information in transit on the network. At a minimum, customers and staff should be on separate networks (a guest SSID with client isolation), so that a compromised personal device cannot reach organizational systems at all.

Another issue that a multitude of government organizations are aware of, but don’t resolve, is organizational devices that leave with former employees. These employees may quit, transfer departments, or be fired, taking their devices with them when they go. A successful IT department should immediately disable the departed user’s accounts, lock down those devices, and remotely wipe them, to minimize the chance that they are used in an attack later on (after all, insider threats are not uncommon). Be aware that a remote wipe only works if the device was enrolled in mobile device management before it walked out the door, so enrollment belongs in the onboarding process, not the offboarding one. Simply tracking all of your IT assets and their uses gives you advance knowledge of possible attacks, which in turn speeds up your response and saves substantial cost and downtime.
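As an added example (not code from the original article), the script below shows what a minimal inventory-versus-observed check looks like for the two situations described above: an unknown device joining the Wi-Fi, and a device assigned to an offboarded employee still connecting. The inventory, the business-hours window and the client-association log format are all constructed assumptions; real routers log associations in vendor-specific formats, so parse_record() is the part you would adapt.

```python
"""Inventory check over Wi-Fi client records (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed asset inventory keyed by MAC address. Assumption: every
# organization-owned or approved device has a row here, with a status that
# is updated during offboarding.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "asset": "laptop-01", "status": "active"},
    "aa:bb:cc:00:00:02": {"owner": "bob",   "asset": "phone-02",  "status": "active"},
    "aa:bb:cc:00:00:03": {"owner": "carol", "asset": "laptop-03", "status": "offboarded"},
}

# Constructed client-association records, one per line:
# "<ISO timestamp> <MAC> <IP> <hostname>". Adapt parse_record() to your router's log.
SAMPLE_LOG = """\
2023-09-04T09:12:00 aa:bb:cc:00:00:01 192.168.1.20 alice-laptop
2023-09-04T09:15:00 aa:bb:cc:00:00:02 192.168.1.21 bob-phone
2023-09-04T02:41:00 aa:bb:cc:00:00:02 192.168.1.21 bob-phone
2023-09-04T13:05:00 aa:bb:cc:00:00:03 192.168.1.22 carol-laptop
2023-09-04T13:30:00 de:ad:be:ef:12:34 192.168.1.77 android-8f2c
"""

# Assumed baseline: devices are expected on the network between 07:00 and 19:00.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class Finding:
    severity: str
    mac: str
    reason: str


def parse_record(line):
    """Split one constructed log line into (seen_at, mac, ip, hostname)."""
    ts, mac, ip, host = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), mac.lower(), ip, host


def check_clients(log_text, inventory=INVENTORY, hours=BUSINESS_HOURS):
    """Compare observed clients against the inventory and the time baseline.

    Unknown MACs and devices assigned to non-active staff are high severity;
    known, active devices seen outside business hours are medium severity.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seen_at, mac, ip, host = parse_record(line)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(Finding("high", mac, f"unknown device {host} ({ip}) not in inventory"))
            continue
        if entry["status"] != "active":
            findings.append(Finding("high", mac,
                            f"{entry['asset']} assigned to {entry['owner']} "
                            f"({entry['status']}) is still connecting"))
            continue
        if not (hours[0] <= seen_at.time() <= hours[1]):
            findings.append(Finding("medium", mac,
                            f"{entry['asset']} seen outside business hours at {seen_at:%H:%M}"))
    return findings


if __name__ == "__main__":
    for f in check_clients(SAMPLE_LOG):
        print(f"[{f.severity}] {f.mac}: {f.reason}")
```

Run daily against the router’s client log, this is the baseline the paragraph asks for: the first run will be noisy, and every item you cannot explain is either an inventory gap to fix or a device that should not be there.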

Australian National University provides a fascinating case study where appropriate IT asset management would likely have prevented the massive 2018 cyberattack against it. The ANU released a uniquely in-depth report on exactly how an attacker gained unauthorized access to its network, leading to a breach that included human resources, financial management, and student administration information. The ANU reported that the attacker gained access through its webserver and then legacy server infrastructure, which was meant to be decommissioned but was still attached to its Virtual Local Area Network.12 The adversary used privilege escalation and lateral movement to create virtual machines, gather additional information, and exfiltrate data over a period of five months. If these servers, already slated for removal, had simply been disconnected from the network, and if ANU had been tracking unusual activity on its active servers, then the attack would at the very least have been mitigated.

Asset management is key to determining the current state of your network, but it isn’t the only action to take to better your organization’s cybersecurity. The next step is to institute solid cybersecurity-centric policies and procedures.

One of these simple policies is to ensure that all sensitive data is encrypted with appropriate algorithms and key sizes, both in transit and at rest. Suitable encryption ensures that even if an adversary can exfiltrate data, they cannot make use of it, but be aware that not all cryptography in common use is still safe. The widely known MD5 hash function is broken and should not be used for anything security-relevant; AES-128 is the minimum suggested for symmetric encryption, and for asymmetric use RSA with a 2048-bit key is the floor, with 3072- or 4096-bit keys appropriate for data that must stay protected for many years. Passwords are a special case: they should not be encrypted at all but hashed with a slow, salted password-hashing function such as bcrypt, scrypt, or Argon2, so that a stolen database cannot be reversed or quickly brute-forced. The infamous infidelity website AshleyMadison.com learned this the hard way. Its passwords were protected with bcrypt, but a legacy login-token routine that had not been completely phased out also stored an MD5 hash derived from the lowercased credentials. Once that was discovered, hobbyist password crackers were able to recover over 11 million Ashley Madison passwords with relative ease.13
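To make the difference concrete, here is an added example (my own illustration of the class of mistake, not Ashley Madison’s code; their actual token construction is described in the Computerworld piece cited above). The first two functions show the flawed pattern: an unsalted MD5 over lowercased credentials, which a dictionary attack recovers with one cheap hash per guess and which also collapses every case variant of the password into one hash. The last two show the sound pattern with a per-user random salt and a deliberately slow key-derivation function. The wordlist is constructed, and the 600,000-iteration default is the current OWASP figure for PBKDF2-HMAC-SHA256 (an assumption you should tune to your own hardware).

```python
"""Password-hashing mistake beside its fix (added example; wordlist is constructed)."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the multi-gigabyte dictionaries crackers use.
WORDLIST = ["password", "letmein", "Summer2023", "hunter2", "Tr0ub4dor&3"]


def legacy_login_token(username, password):
    """FLAWED: unsalted MD5 over LOWER-CASED credentials.

    No salt means one rainbow table serves every user; lower-casing means
    'Summer2023' and 'summer2023' share a hash, shrinking the search space.
    """
    return hashlib.md5((username + password).lower().encode()).hexdigest()


def crack_legacy_token(username, token, wordlist=WORDLIST):
    """Offline dictionary attack against the flawed token: no work factor, so
    each guess costs a single MD5. Returns the recovered (lower-cased) password."""
    for guess in wordlist:
        if hmac.compare_digest(legacy_login_token(username, guess), token):
            return guess.lower()  # the original case is gone; any variant logs in
    return None


# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 (assumption: tune it).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """SOUND: random 16-byte salt + slow KDF, stored as a self-describing string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    token = legacy_login_token("Alice", "Summer2023")
    print("legacy token cracked as:", crack_legacy_token("alice", token))
    stored = hash_password("Summer2023", iterations=50_000)
    print("pbkdf2 verify (correct):", verify_password("Summer2023", stored))
    print("pbkdf2 verify (wrong)  :", verify_password("summer2023", stored))
```

Note that the salted hash differs on every call for the same password, so an attacker who steals the table has to attack each user separately, and at the iteration count above each guess costs hundreds of thousands of hash operations rather than one. In production, prefer a library implementation of bcrypt, scrypt, or Argon2 over hand-rolled PBKDF2 storage.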

Beyond encryption, organizational cybersecurity policies should include least privilege, separation of duties, job rotation, and mandatory vacation. Least privilege is the concept of giving an employee or user only the minimum level of permissions needed to perform their tasks or duties. There are some similarities here to the policy of separation of duties, which ensures that critical tasks are broken down into different steps, each performed by a different employee. Under both, employers should ensure that staff do not have access to one another’s shared drives, accounts, or physical assets beyond what their role requires, and that shared group accounts are avoided entirely, since they make it impossible to tell who did what.

The idea behind this is that even if you don’t have a single employee who means to harm the organization, those employees and their devices can still be compromised without their knowledge. For example, if your organization’s secretary has an admin account in order to better manage files and folders, and that secretary falls prey to a phishing attempt, then the attacker will have admin access and will be able to do far more on your systems than just alter files and folders. One way to see how open your organization is to attack is to simply walk around and count how many devices are unlocked and logged in without the user present (a short automatic screen-lock timeout removes most of these). You don’t have to look far to find recent examples where outsiders stole substantial product, cash, or information after entering an organization thinly disguised as police, construction staff, janitorial staff, or an actual employee.14,15,16

The policies of job rotation and mandatory vacation are also important, and both are similar in that their goal is to have someone else review an employee’s access and work, either after they move to a new position or while they are away. Many employers may ask: but what if I trust my staff? I personally hope that your employees are trustworthy, but history shows otherwise. Simply look at the US military and how many service members with Top Secret clearances leak information every decade.17,18 These are some of the most trusted employees on the planet, having gone through multiple interviews to verify their stability and likelihood of defection, and yet there are still regular leaks. All of these policies together can maximize your organization’s cybersecurity while also instilling a culture of security throughout your staff… and you’ll need your staff in order to accomplish the next major cybersecurity project.

The final major suggestion is to build a response plan and a response team (and yes, if you’re just a self-employed entrepreneur, then that team may consist of only you). Your organization may have a plan in case of fire, tornado, hurricane, or active shooter, but have you considered what your primary actions should be in case of a cyberattack? If your go-to answer is to turn off the hacked computer or mobile device, then you’ll need to do some studying, as that is actually one of the worst actions you can take: powering off discards everything in memory (running processes, active network connections, and any malware that lives only in RAM), which is often the best evidence of how the attacker got into your network and what they touched. Disconnecting the device from the network, or otherwise isolating it, contains the attacker while preserving that evidence for investigation.
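The following is an added example (not from the original article) of what “capture before you isolate” looks like in practice on a Linux host: a small first-response collector that records the most volatile data first (logged-in users, network connections, processes, ARP cache) and then seals the report with a SHA-256 hash so it can be shown later that the record was not altered. The command list is an assumption for a Linux host; the Windows equivalents (tasklist, netstat -ano, arp -a) differ, and any command that is missing is recorded as a failure rather than aborting the collection.

```python
"""First-response volatile data capture with a tamper-evidence hash (added example)."""
import hashlib
import hmac
import json
import platform
import subprocess
from datetime import datetime, timezone

# Order of volatility, most transient first. Assumption: a Linux host with
# coreutils, iproute2 and procps; missing tools are recorded, not fatal.
VOLATILE_COMMANDS = [
    ("date",        ["date", "-u"]),
    ("uptime",      ["uptime"]),
    ("logged_in",   ["who"]),
    ("connections", ["ss", "-tunap"]),
    ("processes",   ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("arp_cache",   ["ip", "neigh"]),
    ("routes",      ["ip", "route"]),
    ("mounts",      ["mount"]),
]


def run(cmd, timeout=15):
    """Run one command and capture stdout/stderr; never raise on a missing tool."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return {"ok": p.returncode == 0, "stdout": p.stdout, "stderr": p.stderr}
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return {"ok": False, "stdout": "", "stderr": repr(exc)}


def collect_volatile(commands=VOLATILE_COMMANDS):
    """Snapshot volatile state in order of volatility, before any isolation step."""
    report = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "host": platform.node(),
        "platform": platform.platform(),
        "results": {},
    }
    for name, cmd in commands:
        report["results"][name] = {"cmd": " ".join(cmd), **run(cmd)}
    return report


def seal(report):
    """Serialise deterministically and hash; the hash goes in the incident log
    (and ideally on a separate system) so the record is tamper-evident."""
    blob = json.dumps(report, sort_keys=True, indent=2).encode()
    return blob, hashlib.sha256(blob).hexdigest()


def verify_seal(blob, digest):
    """Re-hash a stored report and compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest)


def write_report(path, commands=VOLATILE_COMMANDS):
    """Collect, write to `path` (ideally removable media, not the suspect disk),
    and return the SHA-256 to record alongside the evidence."""
    blob, digest = seal(collect_volatile(commands))
    with open(path, "wb") as fh:
        fh.write(blob)
    return digest


if __name__ == "__main__":
    print("sha256:", write_report("volatile-report.json"))
```

Only after this snapshot is saved (to removable media, not the suspect machine’s own disk) should the device be pulled off the network; the hash you record next to it is what lets you, or law enforcement, show later that the evidence was not modified after collection.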

If you’re on the fence about whether you truly need a response plan and team, you should be aware that the Cybersecurity and Infrastructure Security Agency notes multiple times in its Cyber Guidance for Small Businesses that a culture of security, and a tested and vetted Incident Response Plan, are key to minimizing the compromise of IT systems.19 Also, organizations that use an Incident Response plan and team on average identify and contain data breaches 54 days faster than those without one, and organizations that can identify and contain a data breach in less than 200 days save on average $1 million compared to organizations that go beyond the 200-day mark (the average is 277 days).20

To start developing a plan, I would suggest beginning with a Continuity of Operations Plan (COOP) or a Business Continuity Plan (BCP). The focus of each is to ensure that government or business operations can continue in the face of disaster, and you would do well to think beyond a disaster that affects just your organization. While a disaster could be a data breach affecting only your office, it could also be a regional internet failure or power outage. Some items to identify and consider when developing a COOP or BCP are your critical functions, the resources required for those functions, how long each function can be down before catastrophic failure (its maximum tolerable downtime), the threats to those functions, the impact of those threats, and the mitigation techniques you intend to use.

You and your team (if you have a team) can use your COOP or BCP as a basis for developing the policies and procedures that will need to be enacted in the event of disaster. You will have to consider whether you have an alternate site of operations, as well as what kind of backup options you have for your organization’s data, including whether those backups are kept offline or otherwise out of reach of an attacker who controls your network. After you have developed your COOP or BCP, you should do two things: test it, and develop a Disaster Recovery Plan. If you and your staff aren’t testing your plan, then it is unlikely to succeed when it is needed, just as lives will be lost in a fire if no one knows where the stairwells are, or if some of the stairwell doors turn out to be inappropriately locked during the day.

Regarding the DRP, it goes deeper into technical recovery than a COOP or BCP: it should prepare you for the case where a cataclysmic event occurs and you need to rebuild more or less from scratch. By developing a DRP, you will become more knowledgeable about the alternate options you have in case of disaster, and you will be better prepared for any sort of catastrophic failure. All of this can help you institute redundancies as well as an auditing process that keeps you and your employees apprised of how prepared your organization is for a cyberattack. After all, according to IBM’s Cost of a Data Breach Report, employee training and tested Incident Response Plans were two of the top three factors that led to the greatest cost savings during a data breach, averaging just above $232,000 in savings each.21

Beyond all of the cybersecurity suggestions above, you should also be aware that your organization is not alone in the event of disaster… and that you have a responsibility to report data breaches to the appropriate organizations. First, organizations should feel free to contact law enforcement in case of a cyberattack; for those within the United States, the Federal Bureau of Investigation’s Cyber Division is the primary option, reached through a local field office or the Internet Crime Complaint Center (IC3). The FBI has experience and resources that can help track down adversaries and, in some cases, recover data or funds, and it is ready and willing to work with any organization that contacts it. Considering the financial implications, the cost of ransomware attacks was nearly half a million dollars less for organizations that involved law enforcement, compared to those that did not.22

If you do suffer a data breach and your business resides in the US or does business with US residents, then you must report that data breach. All 50 states have security breach notification laws that require organizations to notify consumers or citizens if their personal information is breached,23,24 and sector rules such as HIPAA’s Breach Notification Rule add their own deadlines. Organizations that fail to inform consumers of breaches suffer fines. In 2022, 31% of organizations suffering a cyberattack incurred fines due to data breaches, with the average fine totaling around $75,000.25 For organizations that fail to report cyberattacks that later come to light, there is a massive loss of reputation, with 90% of the total cost of a cyberattack attributed to damaged credibility and other beneath-the-surface expenses.26

The above statistics should not dissuade you from implementing cybersecurity, but should motivate you to advance your organization’s cyber defenses past where they are today. Implementing the right policies and procedures will give you and your staff a head start on possible attacks, and may deter adversaries completely. At the end of the day, with cyberattacks taking place hourly, you have just one question to ask yourself: are you prepared?

References:

  1. Rosenbaum, E. (2021, August 10). Main street overconfidence: America’s small businesses aren’t worried about hacking. CNBC. https://www.cnbc.com/2021/08/10/main-street-overconfidence-small-businesses-dont-worry-about-hacking.html
  2. IBM Security. (2023). (rep.). Cost of a Data Breach Report 2023. Armonk, NY.
  3. Dienst, J. (2023, April 7). Ransomware attack at NJ County Police Department Locks up criminal investigative files. NBC New York. https://www.nbcnewyork.com/investigations/ransomware-attack-at-nj-county-police-department-locks-up-criminal-investigative-files/4219341/
  4. Moller, L. (2023, April 25). Cyberattack disrupts Lowell city government, shuts down computers. CBS News. https://www.cbsnews.com/boston/news/cyberattack-lowell-city-government/
  5. Kalthoff, K. (2023, August 9). Dallas pays millions for ransomware expenses after may attack. NBC 5 Dallas-Fort Worth. https://www.nbcdfw.com/news/local/dallas-pays-millions-for-ransomware-expenses-after-may-attack/3313643/
  6. St. Clair, K., & Burbank, K. (2023, February 15). Oakland declares state of emergency due to ransomware attack. NBC Bay Area / Bay City News. https://www.nbcbayarea.com/news/local/east-bay/oakland-state-of-emergency-ransomware-attack/3158122/
  7. NBC 10 Philadelphia. (2023, August 9). NBC10 responds: Local hospital system hit with a ransomware attack. NBC10 Philadelphia. https://www.nbcphiladelphia.com/investigators/consumer/nbc10-responds-local-hospital-system-hit-with-a-ransomware-attack/3621985/
  8. Lyngaas, S. (2023, May 31). Cyberattack forces Idaho Hospital to send ambulances elsewhere | CNN politics. CNN. https://www.cnn.com/2023/05/31/politics/idaho-hospital-cyberattack/index.html
  9. CBS Interactive. (2023, June 13). Central Illinois Hospital closing after 2021 ransomware attack. CBS News. https://www.cbsnews.com/chicago/news/st-maragrets-health-central-illinois-hospital-closing/
  10. Small Business Innovation Research program. (n.d.). The Impact of Cybersecurity on Small Business.
  11. IBM Security. (2023). (rep.). Cost of a Data Breach Report 2023. Armonk, NY.
  12. Australian National University. (2019). (rep.). Incident Report on the Breach of the Australian National University’s Administrative Systems. Canberra.
  13. Constantin, L. (2015, September 10). Ashley Madison coding blunder made 11m passwords easy to crack. Computerworld. https://www.computerworld.com/article/2982959/ashley-madison-coding-blunder-made-11m-passwords-easy-to-crack.html
  14. NBCUniversal News Group. (2015, July 7). Man dressed as armored truck driver walks out of walmart with $75,000. NBCNews.com. https://www.nbcnews.com/news/us-news/man-dressed-armored-truck-driver-walks-out-walmart-75-000-n387751
  15. Daily Hodl Staff. (2023, July 1). JPMorgan Chase refuses to reimburse customer after imposter walks into bank with fake ID, walks out with $30,000. The Daily Hodl. https://dailyhodl.com/2023/07/01/jpmorgan-chase-refuses-to-reimburse-customer-after-imposter-walks-into-bank-with-fake-id-walks-out-with-30000/
  16. Papp, J. (2021, April 12). For third time, man pretending to be employee steals Apple products from Walmart. The Augusta Chronicle. https://www.augustachronicle.com/story/news/2021/04/12/imposter-steals-19-iphones-columbia-county-walmart/7186679002/
  17. BBC. (2023, April 14). The biggest intelligence leaks in US history. BBC News. https://www.bbc.com/news/world-us-canada-65281470
  18. Haltiwanger, J. (n.d.). The Pentagon leaks: What documents leaked in the US military’s worst intelligence breach in a decade reveal. Business Insider. https://www.businessinsider.com/what-documents-pentagon-leak-us-troops-ukraine-2023-4
  19. Cybersecurity and Infrastructure Security Agency. (n.d.). Cyber guidance for small businesses: CISA. Cyber Guidance for Small Businesses. https://www.cisa.gov/cyber-guidance-small-businesses
  20. IBM Security. (2023). (rep.). Cost of a Data Breach Report 2023. Armonk, NY.
  21. Ibid.
  22. Ibid.
  23. Data Breach Reporting Requirements. Federal Register. (2023, January 23). https://www.federalregister.gov/documents/2023/01/23/2023-00824/data-breach-reporting-requirements
  24. Summary 2022 security breach legislation. National Conference of State Legislatures. (n.d.). https://www.ncsl.org/technology-and-communication/2022-security-breach-legislation#:~:text=All%2050%20states%2C%20the%20District,their%20personal%20information%20is%20breached.
  25. IBM Security. (2023). (rep.). Cost of a Data Breach Report 2023. Armonk, NY.
  26. 10 terrifying cybersecurity stats: Cybersecurity. CompTIA. (n.d.). https://connect.comptia.org/content/articles/the-cost-of-a-breach-10-terrifying-cybersecurity-stats-your-msp-s-customers-need-to-know
