Cyberattacks on American businesses large and small regularly bubble up in the mainstream press, but having to deal with such incidents — before, during or all-too-often after the fact — is a daily fact of life for company executives and entrepreneurs.
NJBIZ assembled a panel of experts in the field of cybersecurity to discuss the latest sorts of cyber threats and cutting-edge safeguards. Moderated by Christopher Rein, deputy director of Homeland Security’s New Jersey Cybersecurity & Communications Integration Cell, the panel addressed a business-breakfast crowd Feb. 20 at a filled ballroom of The Imperia in Somerset.
Panelists included: Robert Egan, Archer Law partner; Michael Markulec, Harbor Technology Group co-founder; Kurt Rohloff, Duality Technologies chief technology officer; Chris O’Neill, Scirocco Group Insurance account executive; and Anurag Sharma, WithumSmith+Brown principal.
Here are some edited highlights of the discussion, which started with a survey of the current landscape and developed into a give-and-take among panelists on various kinds of threats and how to guard against the most pernicious.
Sharma: We deal with a lot of small- and medium-sized businesses and [there] has been a sharp rise in phishing attacks — really sophisticated phishing attacks. There have been not only small, but big companies that have fallen for that and the read is [the] transition towards adoption of cloud-based technology.
Office 365 comes with a lot of bells and whistles, and also provides a great opportunity for hackers because now they can be sitting anywhere in the world and might get access to your mailbox if they can get one employee in the organization to click on a link or share their password. And that’s all it takes for them to get in, because they don’t need to come through the door now, they can directly go to Office 365 website and get access to your website.
Rein: Michael, how about if you talk a little bit about some of the training and some of the ‘ahas’ that come out of what you do in your technology training.
Markulec: There was a great article that came out in the Harvard Business Review about six or eight months ago that talked about the return on investment for cyber solutions. Ultimately, the conclusion of the article was that training — training your staff, training your people — is a tremendous return on investment.
We’ve seen breaches, we saw a breach in a municipality up in North Jersey that ultimately cost them tens of thousands of dollars. They lost tax records; they had to recreate those tax records. When the ransomware key that they paid for didn’t decrypt the data, they trusted the criminal, tough to believe, but ultimately the breakdown was at the human level — by clicking something.
Training is no longer once a year — PowerPoint and donuts, right? Training, especially around cybersecurity, is simulated phishing attacks, monthly reinforcing training, interactive, small videos, things of that nature, and keeping your staff up to date on the threats that you face.
There are cases where larger businesses in this state have been hit with business email compromise and they have cost these businesses hundreds of thousands of dollars. They’ve wire-transferred hundreds of thousands of dollars overseas that they’re never going to see again. That doesn’t typically fall under their standard insurance policy. All because someone clicked on a bad link. All because someone had their email password compromised.
I can’t stress it enough, I think it’s one of the best things we can do. Train our staffs on what’s safe and the second piece to that is have a good acceptable use policy. Tell your staff what they can and can’t have on their PCs. Tell them what they can and can’t do with a computer. Two [of the] biggest things that I recommend.
Rohloff: It really is about defense in depth, as we say in the defense industry. The notion of not only just having good firewall rules, good password policies, but even segmenting your network. So one thing that I particularly focus on is the issue of advanced cryptography and the issue of even if you have data stored at rest on your network, making sure it’s encrypted at all times. Making sure that when you share information it’s encrypted at all times.
Just one aspect of it, and of course this is the tool or my hammer, I look for nails everywhere. This notion of defense in depth, making sure that you keep tabs on your employees and make sure they’re not disgruntled for some reason or another, and obviously you touched on training, which I think is great, and training is a continual process. I’d even call it the need for continual after-action analysis and as you start to see possible behaviors or false alarms or these kinds of things, go through the what-if analysis of what actually happened to diagnose and improve. Continually try to improve.
Rein: Bob, what trends do you see in litigation and in cases involving cybersecurity, and do you really see a difference in what a business must do versus should do from a legal perspective and from a culpability perspective?
Egan: The trend in the law is going from a bunch of requirements that you report cyber breaches to requirements that you do things affirmatively to prevent data breaches and any kind of unauthorized access to your system. Both are smart things because of your own liabilities that you need to protect against. So that’s kind of the movement. It’s a lot of particulars.
The courts are liberalizing certain stances in which people can sue you for just having had a data breach and having had their personal information exfiltrated. That’s really where the trend is going. There’s a bunch of regulations. Delaware just passed a new statute that requires you to take affirmative steps, reasonable steps to prevent data breaches. The European Union has something that’s coming online in May that’s very, very broad regulations that are going to affect anyone who does business in the European Union even if you’re here in the United States.
[There is] a fine line between what I think you must do and what you should do and there may even be disagreement about these things among professionals that are in the cybersecurity space as well. One thing I’d tell you that I think you must do is go to [Homeland Security’s] New Jersey CIC website. There’s all sorts of information on there that’s available to you, it’s understandable for people who aren’t techno-geeks or lawyers or people like that that can help you particularly in a small-business space. It’s a good introduction to what you have to do.
The second thing I’d tell you that you must do is talk to somebody like Chris [O’Neill]. You really need to explore cyberinsurance. It’s a complicated area. Brokers who do this can really help you a lot and there’s a trade-off there because you kind of get a little bit of an audit while you’re doing the underwriting, right?
Markulec: As we’ve been discussing and as I think everybody here has already touched on, this is kind of a risk-based equation and as business owners, as executives, we make risk-based decisions every day. We make them in finance, we make them in operations. We need to apply the same kind of model to our IT and security operations.
As IT and security become more and more of our business, we need to put a higher priority on it. To that end, and you can read the studies, there’s a shortage of IT professionals. There’s a shortage of cybersecurity professionals. The government’s having a hard time hiring them, large businesses are having a hard time getting expertise in cybersecurity which puts the small and medium business at the end of the food chain.
One of the things we’ve seen be successful is kind of the fractional model, right? Most small and medium businesses typically do HR as a service or do a fractional CFO kind of model. There are models out there now for chief information and chief information security officers as a service where you can bring in expertise on a fractional basis, on a low monthly cost to help with things like policy writing, compliance, developmental training programs, vendor management, risk assessments. … As I tell people, you don’t need to be the fastest gazelle, but you need to be a lot faster than the rest of the folks out there. If you’re doing the right kinds of things inside your business, it doesn’t need to be expensive.
This is not about, you know, the $500,000 firewall, right? This is about doing the right things to mitigate risk in your business and having a professional that you can rely on just like if you do with an outside counsel, just like you do with a CFO for hire, [that] gives you that peace of mind on the IT and on the IT security front you’re doing the right thing.
Sharma: In 2014, the National Institute of Standards and Technology, under the guidance of the White House, came out with a framework called the NIST Cybersecurity Framework. It was a pretty unique approach to trying to solve the cybersecurity challenge and the puzzle, because we’ve always had some shape of security frameworks around for the last 15, 20 years. ... It’s not just about knowing where your crown jewels are because believe me, that is the biggest challenge.
It doesn’t matter the size of the organization when we walk into a client, a customer situation, and we ask them a simple question: Do you know what your crown jewels are? What are you trying to protect? More often than not the answer we get is everything. Trust me, if you’re trying to protect everything, you would end up protecting nothing because nobody has that breadth of resources to try and protect everything. That’s the first area NIST focuses on. ... If I’m a hacker and if I want to get information from your organization, my first priority would be to try to get into your mailbox, because anything that is of importance in your business would’ve flown through your email system at least once.
If I can get access to your CFO’s mailbox, let’s just take an example and believe me, it’s easier to get access to a CFO or CEO’s mailbox sitting from outside than some of the low-level employees because they are not usually good at using strong and complicated passwords. You’re the owner of the company, you can use a not-so-strong password, and nobody is going to question it.
Rein: Chris, the insurance industry is highly focused on the payment card industry and PCI [standards compliance]. Could you say a few words [about] the certification process for a business to become PCI compliant?
O’Neill: Under third-party coverage under the liability, the policy will give you coverage for the payment card. You can add regulatory fines, they’ll pick up the fines for you, and that’s all under third-party. It also will give you media coverage if you slander a competitor. … So [if] you’re on Facebook or LinkedIn and you slander or copyright, that’s a liability coverage that you would have under the third-party coverage.
Under first-party coverage, we talk about social engineering, it’s a huge thing about being tricked. … You have to watch when you buy a cyber liability policy, you’ll see fund-transfer fraud coverage and you’ll think, alright, I have coverage for being deceived. [But] social engineering is the coverage, so make sure when you’re looking at a policy that has social engineering. You’re not going to have a million-dollar limit, you might get $23,000 worth of coverage. But it’s very important. … A big part of it is business income coverage, too.
Say you’re down for two weeks now, you just lost $100,000. Business income coverage is included under that policy, which is huge. Some business income coverage in a fire, it’s huge, so you know it’s excluded under a property policy or general liability. But under cyber, you have business income coverage if it’s a cyberattack. … So, there’s all kinds of coverages, every policy is different, you have to read to make sure your agent goes through it and every company has their different exposure, so just some of the things to think about.