Don't Be a Headline: What to Ask Your CTO About Cy ...
Webinar Recording
Video Transcription
All right, well, thank you for your time today. We'll go ahead and get started. As the headline says, don't be a headline, right? Know what to ask your CTO about cybersecurity. From that perspective, I mean, obviously, you might be a very, very large company, because from an equipment distribution, equipment dealer, you could be a very small organization, you could be a very large multimillion dollar organization. So depending on your structure, from a chief technology officer, that's what that CTO stands for. Just think about like, who's in charge of our IT department? Who's in charge of our infrastructure, the security program within our institution, within the company? These are the questions this presentation was put together to really share what I believe are some really, really key, important impacts to be sure that they're having really good oversight of the technology and the security function, because those are two separate responsibilities, two separate things to be aware of. From an introduction perspective, if I can get my slides to progress, there we go. My name is Seth Sturdivant. I'm a director with BKD Cyber. We're a large accounting and advisory firm, pretty much located across the country. My primary roles and responsibilities at BKD Cyber is to be that proactive. Think of me as like a consultant, an IT auditor, the guy that you always like to see walking in your doors, right? Most of this presentation has been built with the insights and the things that I've seen over 17 years of doing these types of engagements, variety of different industries. I'm going to try to really be very pointed into your industry, into your areas, because you serve a very, very large and significant portion of the country's, I would say, infrastructure. There's a lot of construction, a lot of mining, forestry, power generation, agriculture, the rentals, from an equipment perspective, you're serving various, very significant industries. 
The impacts of something in your organization can be felt along that supply chain. I think we all know the struggles and the impacts of the supply chain that we've experienced just in the past two years with COVID-19. From the presentation today, I know this is recorded, so I'm going to leave my contact information. If there's anything that I hit throughout the presentation, please jot down questions. If you need clarification, feel free to reach out to me. But ultimately, if these are questions you're asking of your company, again, go back to your head IT person, that CTO, that IT director, that CIO, or that outside third party, right? If you've put this to a managed service provider and they're maintaining your infrastructure, a lot of the questions that I pose today will go to them as well to be sure that you're protected. We're going to have a lot of things to cram into an hour-long discussion. So from a trends and statistics perspective, I think it's very interesting and it's good awareness, but I know sometimes that can be like a fearful, it feels like a fear tactic, but that's not my intent. It's just to really make sure that you have good awareness of where we see the industry in general for a variety of different niches and obviously where you operate heavily, I'll give you some good takeaways. Really focus on the threats and impacts. I think we all know cybersecurity threats and ransomware and phishing and everything else in between are very important and things that we should be made aware of, but it's not something you probably think about day in and day out. So from those of you who are attending, if you're part of the executive team, the C-suite, ownership, these are questions that you absolutely have to get answered because if you don't, a very bad situation is probably right on the horizon. I'm going to leave a lot of best practices for you. 
And this making sure that, again, that we know where to focus, what questions to ask and make sure we have a good cybersecurity culture within your company. Because if the tone at the top is not set, if the culture is not established, it's going to be really, really difficult to execute some of these things consistently. Obviously we probably won't have any Q&A in this webinar, but we've got a few live attendees. We might see if we've got a question or two throughout, and then we'll try to save time at the end in case we have any additional joining. But like I said, if you're attending this from a recorded webinar perspective, absolutely I'll have my email address and phone number, reach out to me with any questions. So as I try to capture things that I see day in and day out, this is a really good visual for my world. Before the audit, you've never had testing, you've never had assessments, you've never had a cyber risk assessment, ransomware risk assessment, penetration testing, all of those things that I do in my world, before we come in there, you're in pretty bad shape. But maybe you get some things lined out, maybe other companies get some things lined out, and while I'm there, we may find some things, but it looks pretty good. And then we leave, and then it's like, okay, auditors are out the door. Now we can kind of go back to doing what we were doing before. My recommendation is to never, ever do that. Be the center, right? Like make sure that if you establish good programs, if you put good controls in place, if you have really good oversight, that you establish that and you keep that ongoing, because it can't be when you feel that it's convenient, right? Your CTO has to think about the technology, the strategic planning, all the internal operations to be sure that your company is able to transact, right? You're able to fulfill the needs of your customers. Well, technology is the backbone of that. 
It has to work, but it also has to be extremely, extremely secure. So always keep that in mind. It's a very, very important balance. So again, some top discussion points that you want to have ongoing within your organization, especially with your IT department. These are some of the top discussions that, again, I would say, go back and ask, hey, do we have cybersecurity insurance? Yes or no? If no, why? If yes, be ready for some very challenging underwriting, I guess you would say obligations that have really started to pop up over the past year. It used to be cybersecurity insurance was a safety blanket, like we're not doing what we should. We know that, but we're going to get insurance to really close everything up, and if something hits the fan, we're protected. That is not the case anymore, because a lot of organizations have ignored really good IT controls and security controls, and the cybersecurity insurance carriers have figured out like, hey, we're paying this out, and the underwriting process is not sufficient. We really got to beat this up. So everything that I hit today, they're asking you now in the underwriting process. Do you have an information security program? Are you training your employees? Are you patching on a routine basis? Are you backing up your information and testing it on a periodic basis? That's just a very, very few quick examples of what you have to have in place, in addition to very good multi-factor authentication on things like your web email, things like your domain admins, remote access through VPN. So a lot of these areas are popping up left and right, and you can see the list below. Are we performing ransomware risk assessments? That is a very, very key threat. At the end of this presentation, you will understand just how drastically that environment, that attack vector is changing for ransomware. It's the attack of choice for most cybercriminals. 
From an onset of COVID the past couple of years, your industry may be a little bit unique in the fact that you may have had servers at a main office or a data center. Now you may be more cloud-centric. If you've moved to Microsoft Azure, if you're using Amazon Web Services, if you're using things in the cloud for payments and invoicing and everything in between, have you done a risk assessment on that? Is it secure? How do you access it? Again, these are great questions to ask your CTO. Business continuity and resilience is the big one, and again, that's interrelated with all the cyber threats. If you were hit today with a very sophisticated form of attack, how resilient, how prepared are you to fight against that, to recover, to triage and respond effectively and recover if you have to? How quickly could you do that? These are questions you want to ask. Patch and vulnerability management. That has come up more, again, in the past two years because most of your workforce could be on site. They could be working remotely. They could be working from home. More of that's probably from your headquarters administration team. Most of you probably have workers in the field on tablets. That may or may not apply, but again, ask those questions. What are we patching? What are we monitoring from a vulnerability perspective and making sure that we close those out effectively? Don't go ask the question, are we patching? The answer is always going to be, yes, we are. Of course we are. Hey, are we aware of vulnerabilities? Absolutely. You want to ask, hey, what vulnerabilities have we not resolved? What patching issues or what's the patch health of our organization? I want to see this information. I want you to answer that question for me. Those are the questions. It's not a yes, no type dialogue. You want to understand. You want to get some detailed information coming from that area. As a CTO, the CIO, they should know this information. 
They should feel very confident in that or whoever's responsible for it. The last two areas, we'll probably weave in and out of the conversation today, but zero trust basically means that that level of authentication, the level of access any employee has within your company is extremely, extremely limited in the authentication behind, especially if they're logging into critical systems or using remote access. It is very, very difficult to hijack that, to compromise that. That zero trust movement is very, very important. You know the supply chain concerns, right? You're an instrumental part of your supply chain, but what about your specific cybersecurity supply chain, the companies, the applications, the vendors that you've used to keep your company running? Have you thought about the impacts if they get breached, if they get compromised? Because if that happens, how easy is it to get into your systems? If you don't know the answer, that's a question to go back and ask, right? It's a very important question. Okay. So the fun part of the presentation, right? We talk about all these trends, all these statistics, because it's not warm and fuzzy by any means, but I'll try to make it light. I'll try to give you some good observations just to understand where we're moving from a national perspective. So the best report that I could probably give you to show the year over year increases is the FBI's Internet Crime Center report that captures pretty much everything in that electronic, that cyber realm. And it captures great information. It goes well beyond five years, but this is a five-year snapshot, just so you can see the number of complaints in that blue bar, how it's grown over the past five years, as well as everything in the red bar, which is the losses associated with those complaints that have been filed. So as you can tell, over the five-year period, there's been 2.76 million complaints filed and 18.7 billion lost in just five years. Let that sink in for a second. 
Last year alone, there was a reported 6.9 billion lost in terms of financial-related crime and fraud. This is things like ransomware, business email compromise, denial of service, basically anything that relates into we've lost something or we had to pay something in that regard. So an insane amount of money is going out to these cyber criminals every single year, and we've got to slow them down. I will stop here and just make one quick statement about if you have ever paid a ransom, or if you have the culture and you know your culture, that if you ever were faced, if somebody says, well, let's hope that the ransom is affordable, we'll pay it, and hopefully we can get back to business, that trend will never go away when the mindset is, yeah, we're going to do our best, and if it hits the fan, at least if we pay, we get our data back. That cannot be the theme. That cannot be the culture, because we're fueling tremendous amount of investment into these horrible organizations, organizations that support human trafficking. Think about that. Would you ever pay $10 to any organization, much less millions if you knew they were going to use those funds to actually kidnap a human being and sell them in the black market? I have kids. I have two little girls. I can't even fathom one cent going to somebody's organization to help support that, but yet we're doing this as a nation, really from a global economy perspective, from an organization. We're paying these cyber organizations billions of dollars, and what do you think they're doing with that? They're investing. They're recruiting. They're getting really good people, very bad people, I would say, but they're very intelligent, and they're training, and they're investing in technology. They're just getting better and better. What would your organization look like if you had a billion, just $1 billion of investment into anything you wanted to deploy? 
Most of you are smiling and rubbing your hands, thinking, oh, my goodness, that would be amazing, right? $6.9 billion went to these organizations. Imagine what they can do with that, okay? The trends to the right here in the graph is all things social engineering. That gross one is everything that encompasses phishing, which is the phishing emails, vishing, which is voice phishing. They're going to call, pretend to be a supplier, pretend to be a vendor, pretend to be something, a local resource. It could be a federal state agency type thing. They're going to try to call, gain some trust, and get you to execute something, share something you're not supposed to. Smishing, I know, these names, right, this always cracked me up, it's things that come through your cell phone, through a text message. Click a link, redirect something, and then pharming. They're going to actually manipulate an application and get you to redirect and insert some pretty significant or credentials to get a significant compromise into one of those applications. But look at the growth, okay, of that chart. The bar on the far right that's the light gray is 2017's numbers, 2018's next, 2019, 2020, 2021. That is not your portfolio over the past two years, well, minus the past six months, I guess. That growth is all things social engineering. That tells me they are ramping up those efforts more than we've ever, ever seen before. So many of the issues that have been reported to the FBI from their Internet Crime Center is in regards to that social engineering. 323,000 complaints out of 847 were registered with that, one of those social engineering components. So very, very significant. So understand where we're going from an attack vector perspective. And then to bring that home from a ransomware, I want everybody to realize, and I'm going to repeat some stuff here because I really, really want it to sink in. 
If you're hit with ransomware, and it's a very sophisticated form, which we're seeing more and more and more of, the average downtime for your organization will be anywhere between 16 to 21 days. And that's just average. It could be three days, it could be 30 plus days. But how many of you could operate anything being completely down from a computing, from a technology perspective for two weeks, much less three? How much lost revenue would you have? How many top clients, top suppliers would just be furious with you because you could not serve them? You could not deliver, you could not provide this equipment. Maybe it was a major, major contract that was about to kick off and then all of a sudden, you were hit with ransomware. Let that sink in. There's some other very spooky and interesting trends here because what we hear from the industry is that if we pay the bad guys, if we give them the money, they're going to give us our data back if the ransomware deploys. They're that professional. Absolutely not. You are given a decryption key if you pay them. That does not mean you're going to get your data back if you put that decryption key back into your systems and decrypt the data that has been locked down. Sometimes you can, sometimes you can't. It's not that simple based on the age of your servers, the capacity, the processing capability of those devices. Sometimes it just ruins the device if they're that old. They're encrypting this information six to seven layers deep sometimes. It's pretty sophisticated what they're doing. Don't view it as, well, if it ever happens, at least we know we can probably pay. Like I said before, hope is not a strategy. You can't hope for a reasonable ransom payout. The averages that we're seeing is anywhere between 170 based on this report up to about 250. That's an average. But sometimes these payouts are in the tens plus millions of dollars. We're going to see some pretty significant payouts over the past probably couple of years. 
We've seen it be in the millions. We've seen it be in the hundreds of thousands, and then we've seen 40 plus million. So it's just crazy what these payouts are looking like now versus two years ago. Like the city of Atlanta had a $50,000 Bitcoin ransomware payment demand, 50,000. If it happened today, it would be 5 million easily. So it has really, really jumped up. The reason it's jumping up is because they're being so successful and because companies are still not doing their part to be sure they're protected or they're able to respond and identify when something goes wrong quickly or restore. Your backups have to be extremely good and well-protected, air-gapped, and immutable that we're going to hit on shortly. But if they're not, you may have no other recourse than to pay or go out of business or build from scratch. And not many organizations are choosing to do that. But like I said, understand that when you do that, when you're faced with that, when these questions that you're going to pose to your CTO or CIO go unanswered or I don't know or no, we're not doing that, you have to be able to have action after that. Okay, well, what do you need? What investment? Is it a budget? Is it a resource constraint? Do we need to bring in some outside support to help get some of these things in place? Whatever that is, get it done very quickly because you will be part of these statistics if you do not. And by that, I mean that last bullet, right? The number of organizations that are paying increase, that breaks my heart from my seat because this is why we're doing webinars. This is why those in my industry go out and do these proactive assessments and have conversations and do everything we can to educate, to inform, to get these numbers to drop. But unfortunately, we're not there yet. Every year, it's going up and up and up, not the opposite direction. So went from 26% in 2020's data up to 32% from last year. Just very, very frustrating to see that trend. 
From an internet crime center, again, some ransomware fast facts again. So again, we pointed out the 16 to 21 days, okay? But here's the critical infrastructure sector that's been hit the most by ransomware over the past. This is actually captured from June through the end of the year from the Internet Crime Center report. So 49.2 million was associated with ransomware, and that jumped up 66% versus the previous year. And so most of you probably don't operate in the health care public health space. Obviously, financial services, same thing. IT, same thing. But the critical manufacturing, government contracts, commercial, food and ag, transportation, energy, you operate heavily in those industries in some capacity. So be aware that you're going to be a target. Maybe not the primary, but they're going to look at you from an attack vector. If we can disrupt, if we can impact, they will do everything they can. And sometimes you will be the primary because they know that you might not have a lot of data, but you have a lot of skin in the game. You have a lot of revenue. You have a lot of large, large contracts. So things like ransomware from a disruption will be very, very frustrating for you, and then things like business email compromise, where they're going to try to intercept or get you to pay a fraudulent invoice, get you to send a wire transfer to a new or an altered third party that they created. And a very significant thing here from a ransomware is double extortion. So if they're not able to get ransomware to deploy within your organization, like you've done some good things, but maybe they do have access to some intellectual property. Maybe they have some access to memos or things that can be very, very damaging to you or your customer list. I don't know how significant your customer lists are and what type of information is held within that, but you probably don't want that in the hands of the bad guy. 
Sometimes they will encrypt your networks, and then encrypt, or excuse me, they will encrypt it, demand that ransom, and then they're going to demand another ransom so they don't notify or release that information to the dark web or to basically just the press. They'll threaten you both times, so they're double dipping. And then sometimes, like I said, if they can't get the ransomware to actually deploy and install, maybe they were able to get something out or access something very sensitive, they're going to demand that payment again, or they're going to release it. So just be aware that some of these interesting themes are popping up, and the growth of ransomware is just unparalleled to anything that we've seen before. So again, we know phishing emails and ransomware threats are increasing. We just saw some really good information and reports that prove that. So what if you combine those? OK, so we get a phishing email. What's the odds of it containing something with ransomware? 78% is what we've determined doing some research, that when you get a phishing email-based ransomware attack, here's the impacts of what that could potentially do to your organization. So at a bare minimum, you're going to probably have some type of impact, and here's the percentages of what those impacts might be. I thought that was really interesting. So of course, I've put some bold on a few things and some red font to just say, yeah, if we do get one of these emails, and they do contain a link to ransomware or something, if we don't have the right controls in place, more than likely that variant, 50% chance or close to 50-50 shot that you're going to have a major infection. You're going to have a major disruption across the board. It's going to take down your network, and it's going to create some major, major downtime, resulting in, like we saw in that previous slide, the average total cost. 
So all your downtime, lost orders, overtime, paying consultants like me or doing forensics, you're going to be looking at 1.85 was the average total cost and impact, because it's associated with these areas, right? And if you've got a customer data breach in your hands where you're capturing name, address, social, date of birth for some reason, more than likely it's going to be your employees, but may not be as significant as others. But if you have thousands of employees, then yeah, it's pretty significant. So a lot of these things have to be considered. And again, go back and say, hey, do we even know what the impact would be? Do we even know the information residing on our networks? Have we classified that? Have we protected it effectively? If you get a blank stare back, that's not probably a good feeling. These are things to really focus and be aware of and approach in a proactive manner, not reactive. From today on, those of you listening, you are encouraged and challenged to be proactive, not reactive. If you fail to plan, you are planning to fail. I love that statement. I think it was Ben Franklin that had that famous quote. But it is absolutely true. All right. So again, to keep the theme alive, so threats and impacts. We've hit a lot of the specific threats for phishing, specific threats for ransomware, and we're going to dive into a few more of those here shortly. But from an impact perspective, I wanted to be sure that we had a good level set, good summary slide that you can send to your ownership, you can send to your executive team to say, hey, we know we may have to pay something. We know there might be operational components that we'll have to deal with. But reputational hits, some specific regulatory impacts, because there's a lot of privacy stuff coming along the way. 
There's a lot of executive orders coming out of DC that's going to be very, very painful if you don't do certain things, especially if you operate in some industries where you're expected to have good cybersecurity controls and meet certain expectations that they say. More than likely, it's going to be in that power generation agriculture, maybe, depending on what you're doing and what you're supporting. And then from a mining perspective, for sure. And again, those government construction contracts, they're going to absolutely want to be sure that you've got some things in place, that there's certain sensitive information being transferred back and forth. But just that's a good sample and a good reminder that there's going to be financial loss, operational loss, reputational impacts, and regulatory impacts to all be considered. It's not just a pay the ransom, get back to business. It's never that easy. These threats that we've hit on, they've been around for a long time, like decades. This slide has not changed in my presentations in probably five years. The only thing that I've added to it is supply chain. And that's the cybersecurity, the technology supply chain. Like, maybe you're doing the right thing. Maybe your organization is actually ahead of the curve. You're very secure. But what about the third party vendors that are letting you use an application? You've purchased it. You've licensed it. They're coming in. They're supporting aspects of your business. Are they doing the same that you are? Are they that aware? Are they protecting your information? Are they staying one step ahead? These are impacts that if that goes unanswered, you're going to have a pretty significant headache on your hands in the near future. So we know, again, everything that we read, everything that we saw, that social engineering attacks, specifically through a phishing email, is probably your number one item to really be aware of. Block, educate, keep it out as much as you can. 
If you do, probably, like most, you have a good firewall. You have good web content filtering. But if you're allowing certain social media, personal email, shopping, online streaming, if you're allowing those to be accessed by your employees, you're not blocking a lot of bad things that can be clicked just from a website perspective. But from our spam filters, things that is blocking the corporate email, keeping out all the junk mail and all the bad stuff, it does a pretty good job. On average, 98% to 99% of the bad, bad emails are blocked, which is very impressive. But the way I think about this and the way you should think about this is like, OK, well, we get tens of thousands, sometimes hundreds of thousands of emails to your company every single day. I know what we do. What about the other 2%? What about the 1% that makes it through? That's education at that point. The employee has to know, like, yeah, this isn't normal. I'm not going to click. I'm not going to open this invoice. I'm not going to follow these instructions. Because if they do click, if they do click on something or do something they're not supposed to, it's going to bring in ransomware. It's going to give that attacker some form of access. Remote access is typically in the form of an advanced persistent threat. They're going to install something that's going to give them a foothold to your network. There's going to be key loggers for reconnaissance. They're going to capture everything. Maybe they just want to watch what's going on and observe for a few months or a few weeks and then figure out, OK, this is where we can really hurt them. This is where we can really intercept some communications right before a big payout goes out. Because with your equipment rentals and how you're selling, I mean, these things are hundreds of thousands of dollars. It's got to be, right? I mean, there could be some that may be smaller. It could be some well, well above that. 
They're going to try to intercept and time that perfectly to get some payments to be redirected. Most of you probably have already had situations where this has been attempted. Hopefully, they haven't been successful. But if I had to guess, many of you that will be listening to this have already been impacted. So you've got to change those procedures. Anything in accounting, anything in the payment, if they're in the payment process, approval, processing, communication with the bank, you name it, they've got to be very, very well-trained. Because if not, it's going to be a very, very bad headache. The root causes of cyber attacks at the bottom, again, employees weren't trained effectively. When all of these things hit the headlines and all these statistics get researched and we drill down into everything, it really goes back into one, sometimes all of these areas. Somebody wasn't trained effectively. Systems were not kept up to date. They weren't patched. Somebody had way too much administrator-level access or it just went, it should have been two or three and it should have been locked down. Instead, it was 30 or 40 had administrator-level access. So just too many chefs in the kitchen kind of thing, too many people with too much access. And then last but not least, you didn't monitor. Maybe you had some decent security tools in place. Maybe you had a good logging in place, but if nobody's looking at it, what's the benefit of that? Okay, you can do great forensics, but there's no proactive, hey, we know something went wrong. We know within minutes or hours something went wrong, not weeks and months later. So let that sink in and be aware, okay? Go back and ask those questions. Again, this is for more of an impact perspective again, but I wanted you to see kind of where these industries from a total cost perspective and the impacts could be. So again, healthcare, financial services, pharmaceutical technology, they're typically at the top of the list. 
So again, keep in mind that obviously you may not be in these sectors, but if you're helping or if you have major contracts with organizations in these sectors, especially healthcare, if a new hospital is being built or a new wing is being added on, I mean, I see that left and right. And sometimes you're gonna be part of that. Sometimes they're gonna come to you from an equipment perspective and say, hey, we need A, B, C, and D to help construct this. You could very well be a target in that case, okay? Because they could be compromised. They could be looking at all those communications and they're gonna target that interchange between you and them. Fill in the blank with the rest, right? So if you have major contracts or your support organizations or your top clients are in these sectors, just to be aware that this is the loss they're experiencing. This is how they're being targeted. From a 2021 perspective in that purple and in the blue bar is 2020. So you can see how some of these attacks have shifted. Some have tremendously increased. Others have kind of slightly decreased, but at least it kind of gives you an idea of, hey, from these industries, this is what they're losing every year from attacks. And that just kind of really helps drive the point home for where you have to be very careful for yourselves. And then again, just being aware of your customers that might be targeted as well. As I said before, right? We have to have good monitoring. We have to have good programs in place. How many of you would love to tell your top five customers, hey, yeah, we actually found out we were breached for nine months, but you know what? We figured it out eventually. And then it took us three months to patch it and stop it, but we're good now, okay? This is what that chart's showing you. The average time to identify when something is in your networks. Okay, so a bad criminal, they have access. They are bleeding you dry. They're doing things they're not supposed to. 
From a global average, that's around 207 days to even just identify a threat actor. 73 days to actually get them off the network, remove the malicious software. Okay, that's just the average. So if you're above that line or below that line is very, very bad numbers. We want to see that to be minutes, maybe hours from an identification. And then again, hours to days from a remediation containment perspective, because you do not want to be in the months. You don't want to be anywhere close to a year like we see in the healthcare and public sector. Very, very, very impactful here. So again, this, I guess you would call it, this is what not to do, okay? You never want to be in this, but again, it's the average, okay? There's some that's much, much worse. There's some that are probably, you know, a lot better than this, but even the financial services, the very bottom, that's just very alarming. That's where we have our money and investments. And granted, they're the best of everybody else, but would you say, hey, we're the best, but it still takes us 177 days to identify a breach. Absolutely not, right? Here's another one I want you to think about. So from an email protection, go back and ask your CTO and your CIO, what are we doing to protect our corporate email? Okay, do we have multi-factor? Are we restricting that email access to secure mobile device management applications on our personal devices, or you can only access it in the corporate environment? If you can log on to your email, if you're using Office 365 or G Suite, if you can log on to your email from any device with just an ID and password or an email address and password, you don't have multi-factor authentication. So if you're successfully phished, the cyber criminal now has your email, okay? So think of it from a personal perspective and a corporate email perspective, all the things that could potentially touch that email and be accessed. 
If it's compromised, if that email is hacked, it has tremendous impact on your personal life and your corporate life. I say the personal, I bring in the personal because typically we are far more concerned with personal than we are with the corporate information, but we've got to view those interchangeably. We've got to view them equally as important, and that definitely helps. So this, again, just for a friendly reminder, because of the impacts of a compromised email where that could lead. So if they compromise somebody in the accounting department, they're gonna know bank relationships, they're gonna be able to change billing, to interject different things, or to be aware of procedures. Think about if they compromise a CFO, the CEO, anybody in the C-suite. Very, very, very detrimental and impactful because more than likely, most of you are not deleting email. So every email you've ever received, every email you've ever sent, every email you've ever deleted is still in that inbox. They have access to it. They can set up rules and delete things coming in and forward things going out without your awareness if just given a few minutes of access to your email. So we've got to be sure that we put up good protections to keep them out of it. On top of that, so phishing is bad. We now have a good summary and a good reminder of just how bad that can be from a compromised inbox, but your C-suite, again, chief, fill in the blank, are 12 times more likely to be the target of this phishing, the social engineering campaign. Are they trained more? If not, why? Simple questions, right? Sometimes that's the ones we see the most exemptions for. CEO says, I don't want to get this training email. I run the company. I got this. I don't need it. And others follow suit. Tone at the top that we hit on before, right? It has to be bought in from everybody. It has to be viewed as very important and they have to be trained more effectively because they will be the target each and every time. 
So talking about a really, really bad day, we don't want to be some of the companies that are referenced here. The ones that have the asterisk beside it is part of the cybersecurity supply chain. So again, as I referenced before, sometimes you can do everything right, but your applications, your vendors could have a major vulnerability. Log4j was a very, very significant vulnerability that attacked and was present with a lot of Java-based applications. So a lot of your third parties are probably using applications based on Java. Most are. It was a very popular programming language. It's kind of moving away. But Log4j, I know this is something that you may not know, but it's again, it's designed to go back and ask those questions. Did we have this vulnerability in our company? Yes, no. If no, how did you verify that? How did you validate that? If yes, what did we do to patch it? How quickly did we do? How quickly did we patch it, right? Were we compromised? Were any of our vendors compromised? Were they susceptible? Were they vulnerable to this? Go back and ask those questions. That happened in January. Yeah, I was trying to think back as time flies. It's already middle of May. This was early 2022. So again, very fresh and very, very bad situation. It basically allowed a cyber criminal to basically access your systems with no authentication if that vulnerability was present. So you literally left the front door wide open, come and go as you please, if that vulnerability was present. Kaseya is a remote management and monitoring system. So think about if you have an outside managed service provider, if they're doing any type of remote management or monitoring they're using an application like a Kaseya. That application was actually compromised last year on the 4th of July weekend. Yeah, that's brutal, right? It impacted 50 managed service providers and bled into at least 1,500 customers. 70 million in ransomware demands were made. Systems were down for days and weeks. 
And I mean, obviously we don't know how many paid, but I'm sure several did. That's tremendous, tremendous demands made in that one. CNA Financial Corp is a very large, and again, I know this might not be related to your industry, but I wanted you to see some of the major, major payouts that we're seeing because they are feasible. It's not going to be 25,000 or some case 150 or 250,000. It's going to be millions because they're going to come after you, especially the larger you are. So CNA Financial Corp is a large insurance agency. I forget exactly where they sit in the nation, but I think they're like five or six in the nation. They were hit with ransomware. They were completely, completely down for at least three weeks. No backups, every server, every workstation completely down. They did pay $40 million to get back up and running. Very, very, very impactful. Very significant. JBS, they actually are a very large meat processing company. They process one fifth of our nation's meat supply. Who would have thought, right? They actually were not completely shut down. They were just having disruption. They were under an active attack. There was threats of data leakage. There was threats of disruption. They paid them $11 million. Truly, just to say, leave me alone. Leave us alone. Walk away. Here's your money. Just stop. Crazy, right? I mean, these things are just kind of baffling. And most of you are probably aware of the Colonial Pipeline that hit the Southeast last year in June. It did not actually hit the critical infrastructure, the control infrastructure of the pipeline, but there was the fear of that. If it did, major disruptions would have occurred. They actually shut some things down. It was down for at least five days. They paid $4.4 million, the bad guys. 
Now granted, the US government stepped in and was able to shut that organization down, completely wipe out everything, recoup some of those funds, but that is not an approved or new government-issued program, okay? It's not gonna be offered to most of you, if any of you. And then again, we've seen some major supply chain application issues with Microsoft itself, like with Microsoft Exchange server vulnerabilities that came out December, January of 2019, 20, or 2020, excuse me, in 2021. And then SolarWinds around that same time, some pretty significant application vulnerabilities that bled into some of your organizations. All right, so from a homestretch perspective, I would be remiss if I didn't build in some good best practices. So the way I want you to view this section is go into those discussions and say, okay, Mr. CTO, Mr. CO, or whoever, from some of the government, or excuse me, governance is gonna be within your company. If you have a managed service provider that's responsible for infrastructure, we're about to get to those technical controls here shortly, but the governance, it has to be within, it has to be part of your organization. So think confidentiality, think acceptable use, information security programs, disaster recovery, incident response, do these programs exist? Have you developed them? If that answer is yes, great, are we maintaining them? Because it's not a one and done and put it on the shelf. It has to be a very living document. It has to be very dynamic because the threats change. We just saw major, major increases in all these threats and successes and losses. So what have you done to combat that? Things that you had in place two years ago must change, must get better, must be more robust from a security perspective, because if not, I mean, do you really think you're gonna stop the cyber criminals when they come after you? I mean, they're growing in sophistication, are you? I mean, these are easy questions for me to ask. 
These are gonna be very difficult questions to be answered, but they have to be brought up. They have to be answered because you have to be aware. You have to be prepared. So every one of these key programs from a governance perspective, I mean, it's one slide, but I cannot stress the importance of these enough. I mean, these are very, very, very important. And again, like I said, if you have no idea where to start, if you have no idea where to go, use me as a sounding board, use somebody in your local region to be sure that you can get some of these answers and get some templates, get a head start, get something moving and keep that process moving forward. Because if you don't, again, very, very bad situation is gonna be right on the horizon. We talked about the impacts of cyber insurance. It is extremely important to have that. It's extremely difficult to get it. Those of you who have been able to get it and maintain it, again, like we talked about earlier, you saw some of the impacts from your premiums going through the roof, more than likely, your coverage is being cut in half. And then again, that underwriting process is just extremely, extremely significant. So everything else here we have to have established. We've gotta be able to do that great ongoing security awareness training for the phishing emails. If that's not going out on a monthly or quarterly basis to all employees, shame on you, right? We know the major increase of that. So you've gotta train your staff effectively. So using applications like KnowBe4 or PhishingBox or PhishMe, these are great, great solutions that have great, great training programs, but you can manage and deploy extremely easily. So, and it's very affordable. They're not that much money. And last but not least, obviously it's my world, right? 
So from a governance perspective, if you don't have these programs, you can still have good controls, but unless you are testing, unless you're doing good cybersecurity risk assessments to find out where you stand from an industry standard perspective, how in the world do you know if you're prepared or not? And you gotta trust and verify. You can't just say, yep, we're good. Yep, we're doing backups. Yep, we're doing patching. Yep, we have good password policies. Yep, we have, fill in the blank, right? Until you have somebody come in and test, you do not know. And I can't tell you how many times that I've walked into organizations or in a planning discussion or a proposal discussion saying, this is just a really warm and fuzzy for ownership and for the board. I believe we're doing great. It's gonna be really clean. You're not gonna find much. And then we walk away with 30 or 40 findings and they're going, wow, we didn't know. It was kind of like the right-hand, left-hand scenario. We thought we were doing things, but we didn't know the definition of good. We had no standard. We didn't even bump it up to something. Those of you who are thinking, it's like, well, that's a good point, but I think we're okay. It's like health. Would you say you're in good health? Well, you might say yes, but your doctor might disagree. Same type of thing with this, right? We have to be able to go in and do assessments to be sure that you're well-protected. Things that we've referenced before, like the risk assessments are great, very straightforward, very easy thing to accomplish. And then moving more into the technical assessments, like the pen testing, vulnerability assessments, these are things that are very eye-opening because I'm a big proponent of good programs, but a cyber criminal can care less if you have a policy. Compliance regulation cares if you have policies because more than likely that leads to good controls, but a cyber criminal can truly, truly care less. 
They just want to know if they can get access to your systems and get information out or malicious software to deploy. That's all they care about. So if you have poor policies and poor programs, that's going to be very successful for them. So the next two slides, I will not spend a lot of time on this, but just know that I consider these technical controls to be of the utmost importance. So go back and ask these questions, print the two slides off and go back and ask questions. Are we using multi-factor for Office 365 or whatever our email solution is? If we can access it remotely, do we have it on VPN? Do we have it on all remote sessions? Do we have it on our domain admins when they log into the servers and do administrative level changes? Are they using multi-factor to access? If you get nos to any of the questions that you ask, the two quick follow-ups are why and what do you need to get this in place? What is it going to take? Some of these things will require some investment like multi-factor, two-factor, maybe, maybe not. Sometimes it's checking a box. It's really that easy. Sometimes from like a security monitoring perspective, you will have to invest in a good solution, good technology to get that accomplished. But other things that you see here, like having really, really good asset inventories and classifying that information, deploying application whitelisting. So only the applications that you approve install. If it's not, then nothing happens. Even if all the access is there, it doesn't happen because it has not been approved. Removing local admin rights from your employees and their workstations. That has been around for 20 years, but some organizations still have not done that. And then again, like I said, you have good firewalls or maybe you have horrible firewalls. You don't know until you do some good pen testing or good assessments, but say that you have really good firewalls and you've got some decent security monitoring. Are you changing? 
Are you fine tuning those? Are you beefing it up? Are you tweaking things as things come up? I mean, if you're not changing and moving forward, you're falling behind, especially in this regard. And that cloud-based security that I was talking about is everything from endpoint detection and response. So if you have an antivirus working like are installed on your computers, that is no longer adequate. It has to have endpoint detection and response built into that now. And most of the big providers are doing this. So things like CrowdStrike is phenomenal. SentinelOne is extremely phenomenal. That is one that we've partnered with and we're looking at because of just the amazing way that it can detect things. So SentinelOne and CrowdStrike are two great, great options. Carbon Black is another great option from an endpoint detection response. I've got Sophos here, but Webroot, I'm not really sure. I had that as a good endpoint protection, but I'm probably going to update that, but Sophos is another good option to look into as well. Again, the second slide here, some other great, great technical controls to be put in place. Always be aware that if you're not encrypting your data, if you're not air gapping your backup, and that's a good point here, I'll stop and clarify what an air gap backup is. If your backups are staying on your network, they are not air gapped. So what happens when ransomware comes in and encrypts everything? Where do you think it's going to go next? Exactly, it's going to go straight to your backups. Your backups need to be on an encrypted hard drive. It needs to be placed in the cloud. It needs to be something off network. Okay, it has to be. That is ransomware prevention 101 from a success perspective. Keep your critical backups completely offline, air gapped. And they also have to be immutable. That's one that everybody forgets. Immutability means that it cannot be altered. 
Once it hits that backup system, there's only one thing that can happen and the data is restored. You can't log in, edit, delete, remove. It's just there until you need to pull it down and recover your systems. If that immutability is not there, the cyber criminals sometimes can gain access to that air gap solution because most of the time from a cloud-based system, if you're lazy or your IT people are lazy, it's just an ID and password to log into. So if they reset the password because they've already compromised your system, they're going to go straight there and delete everything. So make sure that immutability is front and center. So we've hit some really good technical controls, good questions to go back and ask. We've hit those governance, key controls and programs to go back and ask questions on. Ultimately, if they say, well, this is kind of me being funny, but this cannot be your plan, okay? If you're attacked, this is not acceptable. You can't go to the server room and start pulling cables. I'm being silly here. But at the same time, that needs to drive a point home that you cannot react when something happens. You have to have a very, very good plan to approach what happens. Is it a business email compromise? Great, our incident response plan has a very detailed step-by-step procedure that what we need to do, we've thought this out, this is what we do. Ransomware, same thing. A supply chain issue with a vendor, same thing. You've thought through it, you've documented it, okay? You can't just scream and yell and run around like the building's on fire because sometimes that happens. Here's another imagery for you. If you don't have good technical controls, if you're not doing assessments, if you're not monitoring, if you're not training, this is how the cyber criminals see your controls. How many of you would secure your most prized possessions from a personal or your most critical equipment with these types of controls? Nobody would, right? 
But sometimes when you have default passwords or weak passwords that haven't changed in years, if you don't have multi-factor, if you have out-of-date technology on your infrastructure, it's not being patched, okay? If you allow that to happen, these are your controls, whether you like it or not. So let that sink in. I'll leave you with a few final thoughts. It's easier from my standpoint to say this than for you to accept and move forward with it. I get that, but this is a scary trend that we're seeing. So say you have a really good CTO, CIO, somebody over technology, you've got somebody with a good security mindset and they're asking for resources. They're proposing a budget. Sometimes that budget can be very, very significant. This example, just to be general and straightforward, your CTO, your CISO in this example, your chief information security officer saying, hey, we need a million dollars to invest in our cybersecurity infrastructure. Do you think that's gonna be approved? More than likely not. It'll be a small fraction of that that will be approved. But when a compromise occurs, when a ransomware has been deployed in a million dollar demand, or in this case, 10 times the amount of what that budget was, oftentimes it's approved and paid. That is completely backwards, but we're seeing it over and over and over again. Again, the two examples that we just hit a few slides back, the Colonial CEO, when talking about the payment, it was the right thing to do for the country. That was the CEO statement. JBS's CEO of that meat processing company, it was painful to pay, at least he admitted that, but we did the right thing for the customers. So you're telling me paying the bad guys $11 million in JBS's scenario, and then paying $4.4 million was the right thing to do for customers? It's crazy to think that's the mentality, okay? It's the absolute wrong mentality. We have to be proactive. We have to get things in place before the bad situations occur. 
I kind of touched on this a second ago, but again, I want you to really resonate on this. We have never focused more on our personal wellbeing and personal health than we have in the past two years. Global pandemics will do that, right? We had families and aging parents and just everything in between that caused us to run into a crisis. That caused us to really take a step back and say, am I prepared to get COVID? Am I prepared to get this significant illness because I'm not sure what's gonna happen? Okay? We're thinking about that more and more than we ever have before. I want to challenge you to think about that cybersecurity health of your organization the same way. Okay? The threats have skyrocketed. Are we prepared? Are we healthy enough to defend against an attack? Okay, and I'm a cyber nerd, so I love these like imagery things and the cybersecurity nutritional facts. You've got to be passionate about this, which is why I love having these opportunities to speak and just really pose good things to go back and have sometimes really difficult conversations, but these are conversations that have to be had. You've got to have the right people in the right positions to be aware and passionate about doing the right thing for the company and protecting everything that you've worked so hard to build. Okay? And it's an everyday grind. We have to be very determined. We have to be very, very proactive and innovative sometimes because it's hard to stay ahead of the bad guys when we're not as well-funded and that's extremely frustrating to say out loud because they are extremely well-funded and sometimes we're not even a drop in the bucket compared to some of these organizations and we've got to change that. At the end of the day though, this statement will hold true. This is from a retired FBI director. Security is always too much, right? We always think it's way too much until the day it's not enough. Until the bad day occurs, right? 
When something hits the fan, somebody clicked the email, it's the wrong day, wrong time, wrong situation and it brought everything down. It brought your company to its knees. We have to be prepared. We have to realize that, excuse me, that this is an investment, this is a conversation that needs to be brought up on a continual basis. Okay? Trust me, when I'm being brought in from a post-breach perspective, hey, something happened, we had a compromised email, we had ransomware, we had fill in the blank. Oftentimes, it could have been prevented so easily with everything that we just went through. A lot of this presentation has been changed and altered and tweaked because of what we've seen in actual case studies, okay? A lot of this is best practice. It's been out there for 15, 20 years and obviously the ransomware stuff, some of the best practices there have really started hitting in the past three to five years because that sophistication has grown. But these things are free. You can go out and grab so many good things to do that most organizations, I don't know if you intend to do this, but it's almost like you're just kind of living under a rock. Hey, if business is good and revenues are climbing, life is good, but your underbelly is way too susceptible to an attack and that could just disrupt and destroy everything. And that's exactly what we're here to try to get you to think about, get you to ask these questions, get that conversation, get that oversight established, make sure you're getting good answers back and that you're staying proactive on a continual basis. Don't do great for three months and then slack off. It's gotta be continual. The best way to kind of stay on top of these threats and to really stay plugged in, everything from an industry report that I pull or big case studies or big things that are to be aware of, you can pretty much find them in these sites. So great, great information sources to use and do some research as you can. 
And then as I promised before, if there's any questions that you have throughout this presentation, I know you're gonna be able to pause and jot down any questions. I think we're gonna be able to send you the slides and if not, shoot me an email. If anything that I hit today, any of this information, you're like, wow, this is fantastic and I hope you do think that. I would love to have a conversation. I would love for you to help answer this question that I might have, shoot me an email, okay? That is my email address and direct phone number. I don't do this stuff and have fluff pieces and you can never get a hold of me. Like I want you to ask, I wanna stop, I don't like a bad guy, I don't like a bully. I wanna shut those organizations down one step at a time, right? But it takes all of us. It takes those in the security industry from my seat, from an assessment and consultant perspective and it takes organizations and ownership like yourselves to implement, to stop, to change because if we can remove this revenue source from them, we bleed them dry, okay? Not the other way around. So hopefully that was very beneficial. Thank you for your time and listening in. With that, I believe, I think we do have a couple of attendees. Janice, do we have any questions to address? And if not, we'll go ahead and let everybody get back to their day. And I hear nothing. So with that, I appreciate your time. Stay safe out there. And if we can help in any way, please let me know. Take care.
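The speaker's point about a compromised inbox being abused through rules that forward mail out and delete incoming messages is something a defender can check for in an exported list of mailbox rules. The audit below is an added example, not part of the webinar or any vendor's tooling; the rule record fields, the internal domain example.com and the sample rules are all constructed assumptions.

```python
"""Audit exported mailbox rules for the patterns a compromised inbox is
abused for: silently forwarding mail outside the company and hiding or
deleting incoming messages about payments or security alerts.

Added example, not part of the original webinar. The rule records below are
constructed to mimic the shape of an exported inbox-rule list; the field
names are assumptions, not any vendor's API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CORP_DOMAIN = "example.com"  # assumed internal mail domain
# Subjects an intruder typically hides so the owner never sees the bank's
# or IT's warning while payments are being redirected.
HIDE_KEYWORDS = {"invoice", "wire", "payment", "password", "security alert", "sign-in"}
# Folders attackers move mail into because nobody looks there.
HIDDEN_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)  # forward/redirect targets
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    subject_contains: List[str] = field(default_factory=list)
    mark_as_read: bool = False


def is_external(address: str) -> bool:
    """True when the address is not in the company's own domain."""
    return address.lower().rsplit("@", 1)[-1] != CORP_DOMAIN


def assess_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like attacker persistence (empty = benign)."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append(f"forwards mail outside {CORP_DOMAIN}: {', '.join(external)}")
    keyword_hit = any(k in s.lower() for s in rule.subject_contains for k in HIDE_KEYWORDS)
    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDDEN_FOLDERS
    if keyword_hit and hides:
        reasons.append("hides messages matching payment/security keywords")
    if hides and rule.mark_as_read:
        reasons.append("marks hidden mail as read so no unread count gives it away")
    # An empty or one-character rule name is a common way to avoid notice.
    if len(rule.name.strip()) <= 1:
        reasons.append("rule has an empty or one-character name")
    return reasons


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule-name' to its findings, only for rules with at least one."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            findings[f"{rule.mailbox}/{rule.name!r}"] = reasons
    return findings


# Constructed sample export: one legitimate rule and two attacker-style rules.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Vendor newsletters", move_to_folder="Newsletters",
              subject_contains=["newsletter"]),
    InboxRule("cfo@example.com", ".", forward_to=["ap.team@mail-example.net"],
              mark_as_read=True),
    InboxRule("ap@example.com", "Filter", subject_contains=["invoice", "wire transfer"],
              move_to_folder="RSS Feeds", mark_as_read=True),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_RULES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

Running the same checks on a real export on a schedule, and alerting when a new rule appears in an executive's or accounting mailbox, turns the speaker's "you never see it" scenario into something the IT team is told about within minutes.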
Video Summary
The video transcript provides an overview of key cybersecurity considerations for organizations. The speaker emphasizes the importance of asking the right questions to ensure good oversight of technology and security functions. The speaker also highlights the increasing threats and impacts of cybersecurity breaches, such as phishing emails and ransomware attacks. The transcript provides insights into statistics and trends related to cybercrime and emphasizes the need for organizations to be proactive in their cybersecurity efforts. It also outlines best practices, including the need for governance programs, employee training, technical controls, and proactive assessments. The speaker encourages organizations to be prepared and take cybersecurity seriously to protect against potential breaches. The transcript concludes by providing contact information for further questions and offering assistance in addressing cybersecurity challenges.
Keywords
cybersecurity considerations
technology oversight
security functions
cybersecurity breaches
phishing emails
ransomware attacks
proactive cybersecurity
governance programs
employee training