Top 5 lessons learnt from a victim of a brute-force cyber attack (You can ignore at your own peril!)
Even with a plethora of cyber attacks and related news articles inundating our inboxes and Twitter feeds, we still see firms and business owners not spending enough time on cybersecurity matters.
The reasons range from sheer confusion due to information overload to simply not investing enough time discovering and addressing vulnerabilities in information security practices specific to their industry.
To reiterate the point: making cybersecurity an operational priority can make all the difference in keeping you cyber safe, staying clear of the regulatory authorities and, ultimately, keeping you out of the newspaper.
Remember that there is no cure; cybersecurity preparation is all about instituting control measures. To use a crude analogy, control measures are like getting ADT security for your house or placing a “Beware of dog” sign on your side fence (even if you don’t own a dog) to deter break-ins. (PLEASE NOTE: I would not advise any business to take a chance and bluff, because an attacker can find out within a few clicks whether real vulnerabilities exist; a port scan does not care about the sign.)
Another trend we see is businesses feeling a false sense of security after passing an IT compliance audit. Remember…
Cybersecurity needs to be a 24/7 activity and it matters more than cyber compliance.
So, even if your firm passed an audit recently, your next cyber attack could be just days away. An audit is a snapshot of one day; an attacker tests you on every other day. Remember the statistic: 80% of accidents happen within 5 miles of home.
We recently spoke to a firm that contacted us after becoming the victim of a cyber attack. Here is what we learnt: 2 out of 15 computers were not updated to the latest operating system (OS). So, what’s the big deal there?! Well, one of those devices happened to be the conference room laptop, which was reachable from the guest Wi-Fi network and protected by a weak password. An attacker simply brute-forced the login to gain control of that machine. Over time, the attacker elevated to administrative permissions and gained access to the firm’s shared drive. The attacker then took control of some client data stored on the shared drive and left a ransom note on a splash page for the firm’s employees to find when they tried to access the client data on the compromised shared drive. Could happen to anyone, right?!
Now, for the aftermath. First off, the firm’s head of operations only discovered this clever plot after a few days. Please keep in mind, this firm is NOT some big corporation like Target or Sony but a growing small business trying to do good by their clients (Good Ol’ Main St. America). The firm did not have any written procedures for its information security process. No disaster recovery plan or any sophisticated cyber threat monitoring system. It had been two years since the last vulnerability assessment, and the breach came just weeks after a broker-dealer cybersecurity audit.
So, after the panic had finally died down and the clients had been informed, the firm decided to change some things around. The firm did have cybersecurity insurance, but when they read the fine print they found (much to their dismay, I might add) that they hit many of the exclusions listed in the policy. Now, the blame game begins… The good news was that the business was lucky to survive this incident, because had the attacker decided to impersonate a client and fraudulently transfer funds, the firm would more than likely have shut down. All diplomacy aside,
Would you trust your money with a wealth management firm that can’t manage its own assets?
Here are the top 5 things to learn from their experience. Feel free to ignore at your own risk!
1. Procrastination could cost you your business.
Make sure to spend enough time exploring vulnerabilities in your information security process and information technology (IT) workflow. To get an objective opinion on the state of affairs, a firm is best advised to hire an expert to come in and do this. Make sure you get specific recommendations to fix every item discovered as part of the security assessment. Finding problems is good, but findings without remediation steps are pointless.
2. No written cybersecurity policy or disaster recovery plan.
Make sure your firm has a written cybersecurity policy as well as a disaster recovery plan. While it pays to be proactive on cybersecurity and hope for the best, it’s smart to plan for the worst and prepare a detailed disaster recovery plan. Now, it’s great to have a nice written policy, but if no one follows it, or if you are unable to enforce it, the whole activity is meaningless. Spend some time to institute a process to revisit your cybersecurity policy, train your staff and research tools that could be used to automate your cybersecurity enforcement process. (Tip: Check out www.entreda.com)
3. Guard administrative privileges to your networks and IT assets like treasure.
Even if you purchased super-sophisticated authentication and authorization tools, or your IT person sold you on using a Windows Active Directory (AD) domain, please make sure to audit your Group Policy settings as well as user and group privileges: in particular, who is in the Domain Admins group and who holds local administrator rights on each machine.
Whether you are an organization with 10 employees or 10,000 employees, it is important to limit administrative access to those employees who really need it. The default should NOT be to grant administrative privileges to every employee but quite the opposite. Invest in audit and monitoring tools. The $50 per month you end up spending here would be a pittance compared to what you will spend defending yourself against regulatory action or client lawsuits.
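The audit described above does not need a purchased tool to get started. The following PowerShell script is an added example written for this article, not code from the firm in the story or from any vendor named here. It lists who holds domain-wide administrative rights (expanding nested groups), who is a local administrator on the machine it runs on (the conference room laptop, say), and which source addresses have generated repeated failed logons in the last 24 hours, which is what the brute-force attack in the story would have looked like in the Security event log. It assumes the ActiveDirectory PowerShell module (RSAT) is installed for the domain checks, an elevated session for reading the Security log, and a threshold of 10 failures per source and account, which is an arbitrary choice you should tune to your environment.

```powershell
# Added example (not from the original article): audit privileged access and
# look for brute-force sign-in attempts on a Windows domain-joined host.
# Assumptions: ActiveDirectory module (RSAT) available; running elevated so the
# Security log is readable; the failure threshold below is a placeholder.

# 1. Who holds domain-wide admin rights? -Recursive expands nested groups, so a
#    user hidden two groups deep still shows up.
Import-Module ActiveDirectory
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($group in $privilegedGroups) {
    Write-Host "== $group =="
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, Enabled |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Format-Table -AutoSize
}

# 2. Who is a local administrator on this machine? PrincipalSource tells you
#    whether the entry is a local account, a domain account or a domain group.
Write-Host "== Local Administrators on $env:COMPUTERNAME =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 3. Failed logons in the last 24 hours, grouped by source address and target
#    account. Event ID 4625 is "An account failed to log on". One source
#    producing many failures, against one account or many, is the brute-force
#    pattern that the firm in the story had no way to see.
$failureThreshold = 10          # assumption: tune to your environment
$since = (Get-Date).AddHours(-24)
Write-Host "== Sources with >= $failureThreshold failed logons since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event's XML payload.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Source  = $data['IpAddress']
            Account = $data['TargetUserName']
            Time    = $_.TimeCreated
        }
    } |
    Group-Object Source, Account |
    Where-Object { $_.Count -ge $failureThreshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined machine. Every account that appears in section 1 or 2 should have a written reason for being there; if it does not, that is the first item on your remediation list. Section 3 only works if failed-logon auditing is enabled (it is on by default for domain controllers but not always for workstations), so an empty result is not proof of a clean machine. Check the audit policy with `auditpol /get /subcategory:"Logon"` before trusting the count.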
4. Coulda, woulda, shoulda.
This is the part I hate the most. You had an opportunity to address an issue but you chose not to, and soon after you wished you had. I am sure this happens to all of us in life. Well, when it comes to cybersecurity, this could be disastrous! Don’t let that happen. It is better to invest in some tools right at the outset and institute a proactive cybersecurity monitoring and remediation system, because once again, the extra dollars spent here could go a long way in deterring a cyber attack. Also, who knows … if you manage money, you might even pick up a new client who happens to be in the cybersecurity space because they are highly impressed with your proactive cybersecurity posture!! (Why not?!)
5. Increase coverage.
Revisit the limits on your cybersecurity insurance, and please read the fine print and exclusions. For more on this topic, please refer to my earlier blog post on cybersecurity insurance exclusions. (You can find it here: https://www.linkedin.com/pulse/thinking-cyber-insurance-watch-out-5-exclusions-sid-yenamandra)