In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, gives SMBs advice on how to minimize the risk of a data breach through better security practices, sets out priorities for a successful data security plan, and opines on the key challenges for the information security industry over the next five years.
Massive data breaches have unquestionably demonstrated that no organization, regardless of size, is immune to risky security practices. While large organizations have the financial resources to deal with the fallout of a data breach, SMBs are in a perilous position. What can they do?
Unlike larger large firms with comparable resources with which to protect client non-public information, small firms can find themselves trapped between cyberattacks like ransomware that don’t discriminate based on the size of the firm, and regulators who are indifferent to your size when investigating a potential violation.
A 90-day snapshot of security operations statistics comparing large to small firms indicates relative volume of security incidents, but closer to par breaches and security events requiring immediate response. In this case, a large firm represents 500-750 employees working throughout 20 locations; whereas, a small firm is comprised of 25-50 employees at one location. The small firm generates 65,000 security traffic elements, that filter down to 20 incidents which led to one urgent incident that required immediate response. The large firm generated over 40 times more traffic, 325 security incidents (16 times more), and one escalation.
While the larger firm generates significantly more security traffic elements, as the security events were investigated, the ratio of escalated incident and incidents baring emergency response, moves closer to one to one. Diving deeper, the data indicates that the emergency incidents were born of the same, industry-targeted attack. In other words, both the large and small firm were impacted and breached by the same targeted attack. Neither the criminals, nor their tools discriminate by the number of employees.
It’s important that as firms expand their business in a growing environment of cyber threats, remember Sheriff Brody’s advice: size does matter when you’re going after big fish. As Sheriff Brody quips in Spielberg’s 1975 blockbuster, Jaws, “You’re going to need a bigger boat.” Weigh then benefits and the risks. And recognize that there is chum in the water, put there by the criminals and the regulators alike. And be prepared for the behemoth that might bite your line.
Inventory hardware, applications: Keep a register of all laptops, servers and applications. This should include cloud services such as Amazon EC2, Microsoft Office 365 or other document management services.
Identify and audit data and related obligations: By extension, you have the obligation to understand the legal and regulatory boundaries in which your clients operate, and to meet those requirements. Ensure you understand your obligations.
Engage and IT consultant: Managed Services firms can provide device management (updates and patching), along with basic system on-boarding and off-boarding processes. They can also help you encrypt devices and set up private networks to encrypt email and file transfers.
Establish cybersecurity and acceptable use policies: Leverage a consultant to build fundamental policies about the management, transfer and storage of client confidential information.
Protect sensitive data and avoid portable media: Avoid using media such as USB keys to store and transfer non-public information. USB keys are a main source of infection and are difficult to control if the data is not removed once the authorized use is complete.
Require encryption: Unfortunately, password credentials are routinely acquired by unauthorized users. For this reason, you should encrypt hard drives or devices.
Use VPN security: The best way to protect data in motion from such attacks is to use a Virtual Private Network (VPN) service. A VPN creates a secure and encrypted connection through which your data travels from you to the intended recipient. No information (including passwords) are transmitted in the clear. There are many low-cost and easily deployed VPN services.
Establish a records management policy (control and destruction): Determine how documents are stored, who has access and establish ‘least privilege’ with a ‘need to know’ attitude and consider how you securely destroy old documentation.
Establish a back-up system: Leverage an outsourced IT service to routinely back-up and then test backups to reduce the business disruption impact in the event of a cyber breach. Back-up are the best defense against ransomware attacks and avoid having to pay ransoms.
Consider cyber insurance: Engage an agent to weigh the cost and benefits of insuring your business against cyberattacks, and whether your business disruption, lost revenue or other non-cyber specific policies cover cyber incidents.
There are innumerable ways an attacker could gain access to sensitive data, which makes the process of building and running a strong security architecture a considerable challenge. How can organizations better understand an attacker’s mindset, motivations, and tactics to help them with their defense efforts?
Thinking like law enforcement, mean, motives and opportunities hold relevant when preparing to protect a business from cyber criminals. Criminals use lures and messaging tailored to your business, and often use your own tools against you to defeat defenses.
Opportunistic attacks like transactional ransomware is waning as criminals shift to more lucrative targets. Through broader attacks, they have identified businesses more likely to pay instead of suffering the consequences of a breach, public operation disruption or repetitional damage. Now we see phishing lures designed to peak the interest of the recipient. And they are designed to infiltrate the business and abscond with higher value assets, rather than smaller quick financial returns.
Moreover, and perhaps most concerning, criminals like to ‘live off the land’, exploiting your own vendor services and operating systems tools. Our research indicates that of more than 650 respondents, over 44% had suffered a material breach as a result of their supplier. And more disturbingly, only 15% of these breaches were reported by the vendor.
In many cases, they use a compromised user account to use remote administration tools (RAT) or the remote desktop protocols (RDP) built into all operating systems. Their activity looks like normal administrative tasks such as creating new users or changing user privileges, but at the microscopic level, the differences are evident and show a trend toward creating unauthorized users who can disable security systems, delete logs, and move through your network with impunity.
Much of this information is recorded and published by law enforcement agencies, and task forces called ISACs (Information Sharing and Analytics Centers) that focus on cyber events for core economic pillars such as banking, healthcare, law, transportation, and so on. These organizations offer public resources.
An expanding cybersecurity skills gap is creating issues for organizations of all sizes, and many of them don’t have an adequate ability to detect and respond to threats in a timely fashion. How can overworked security teams overcome this challenge?
It’s not finding the needle in the haystack. That’s easier than dealing with the needle. The headline around the cybersecurity skills gap hides the real story. It’s not simply the general shortage of experts, but it’s a shortage of specific experts within the cyber community. Of top priority is the need for experts who can hunt for threats using a myriad of cyber sensors and logs, and also experts who know how to respond when they discover unauthorized activity.
There is no shortcut to truly automate cybersecurity. Artificial intelligence can greatly reduce false-positives (data that needs to be chased down to eliminate threats, but turn out to be innocuous or a false alarm), and orchestration tools can help streamline investigations and response, but the trick is combining technology, with experts and well tested processes. Time is money. The faster an event is stopped, the less it will cost the business in the long run.
Most mid-sized firms prefer focus on their business and partner with a vendor who can deliver services that are either too expensive to develop in-house or too difficult to staff. Managed detection and response services provide threat hunting and response services that can complement in-house expertise in network and logging management.
What advice would you give to a newly appointed CISO that needs to strike a balance between data use and the associated risks? What are the priorities for a successful data security plan?
IT and security are stressed by the opposing forces of the demand for competitive advantages through adoption of technology, and while mitigating, lowering or avoiding risks that could materially impact the business. The reality is that most if not all data is digitized and shared across an ever more distributed IT environment and scattered workforce.
Cybersecurity is a risk issue and not a IT practice. And CISOs need to speak the language of the Board and executives. It’s critical to consider risk, align with the general counsel and provide technical information in a way that resonates with business leaders. The role of the CISO is to impact the quantifiable risk, with mitigation strategies so that business leaders can make an informed decision about spend and risk tolerance.
CISO top priorities:
- Regular cadence of annual planning, quarterly reporting to the board.
- Dashboard and flash communications that focus on regulatory changes, security performance, risk registry, and incident testing and results.
- Run 2-4 annual incident simulations based on most likely scenarios. Engage the board in their role and review findings.
CISOs and board alike can leverage public documents such as the National Association of Corporate Directors (NACD) Cyber Risk Handbook and the National Cyber Security Centre (NCSC) Board Toolkit for programs, dashboards and best practices.
What do you see as the key challenges for the information security industry over the next five years?
Budgets for security continue to grow, and in smaller firms, now garners the attention of senior management, the board, and even strategic investors. This is a blessing and a curse. The blessing is direct access to decision makers, resources and funds to run a security program. Perhaps an exaggeration, the curse is direct access and ever watching spotlight. It’s important to proactively address security concerns, focus on risk not security tools, and engage the board in decision making rather than coming with hands out for more funds and headcount.
Attacks that leverage your own tools (living off the land) will increase and the subtlety of these attacks will provide almost perfect camouflage with which to hide in plain sight within your environment. This means controls must tighten, relying on multiple stages, and systems that look for a collection of anomalies instead of well know signatures and patterns. AI, behavioural analytics and user access controls will become paramount.
The consequences of breaches will continue to tighten the reins of accountability. Insurance firms will hones their actuarial data and demand heightened security. More claims will be rejected when the insurer thinks the claimant failed to meet basic security standards, and courts will treat cyber claims under tort law which means well understood damages, and the ability for plaintiffs to collect without proving damages. As in, the risk of damage associated with exposed data will be rough for courts to award settlements.
The adoption of emerging technology will accelerate shortening the window in which security professionals can access risk and deploy mitigation strategies. Interconnected and always connected (5G) devices will be pervasive and accelerate the drive for distributed workforces and perimeter less organizations.