As new cyberthreats emerge on a daily basis, the ability to track and prepare to face these threats will become instrumental to organizations looking to increase their resilience.
Drew Simons, Founder and Principal Consultant for CIFFA Associate Member Roxville Technology Inc., outlines best practices and processes to implementing cybersecurity in the workplace.
Recently, I met with a client to review the results of an IT Risk Assessment we had conducted. At the end of the review, my client turned to me and said, “but we’re not a bank …”.
This is a sentiment that is often expressed when I speak to clients about cybersecurity. However, it is based on the false assumptions that i) they’re only at risk if they are targeted and ii) they don’t have anything that would be of interest to a cybercriminal.
It is important to realize that businesses don’t need to be a target in order to be at risk. When the Russian military unleashed NotPetya against Ukrainian targets in June of 2017 (Secretary, 2018), companies such as Maersk and TNT Express were not explicit targets. Nor were the thousands of other firms who ranged in size from the smallest to the very large and who, in total, suffered an estimated $10 billion in damages (Greenberg, 2018).
It is also important to consider that there are groups of cybercriminals who are creating internet robots, or bots, that are scouring the internet for weak systems that can be used to generate revenue through ransom, stolen credentials, identity theft, CEO fraud and other malicious activities. These bots are inexpensive (most of the code can be easily purchased) and are good revenue generators. It is forecast that these bots will become increasingly sophisticated with the inclusion of artificial intelligence.
The two largest weaknesses that are exploited, whether through unintended attacks such as NotPetya or by bots, are unpatched systems and weak or stolen passwords.
We use a 5-step process based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework that helps our Customer reduce their cybersecurity risk. NIST’s Cybersecurity framework was introduced in 2014 and is designed to “assist organizations to better understand and improve their management of cybersecurity risk”.
This is the way in which we apply the framework with our clients:
The identification of every IT asset (networks, devices, users, applications, data, and policies) being used by the company is a fundamental starting point and yet is often overlooked. In fact, when we first meet with a customer and ask to see this information, we are often given a spreadsheet listing computers that i) is months (or more) out of date, ii) does not include all IT assets, and iii) is missing most of the information that we need to confirm the security of our customer.
We work with our customer to implement tools that sweep the network and confirm that we’ve identified all computing resources, the software running on them, patch levels, related active directory entries, and more. We also identify the cloud-based applications that are being used by our customer by reviewing URL logs from their boundary network device or, if that is not available, we interview staff to get a complete list. One of the more interesting challenges is mobile devices such as smartphones. Even though these are used to access corporate e-mail and documents that may contain sensitive information, they are usually completely overlooked since the devices are frequently not owned by the company. Finally, we work with our clients to review their cybersecurity related policies (including what needs to be done when an attack occurs and the role that each team member, including IT providers, must play) and to inventory locations where sensitive data is stored.
Once we know what needs to be protected, we implement appropriate technical strategies to protect the assets from the potential threats.
To ensure our customer’s systems aren’t exposed through missing patches, we automate patching and we create reports that generate alerts to identify the systems and applications that have not been updated. Often, when we scan a client’s network, we find hundreds and hundreds of applications. We recently scanned a 20 PC network and found 471 installed applications. Needless to say, trying to keep that number of applications patched is virtually impossible. The list of applications needs to be reviewed and all non-business essential apps removed so that the list of applications to be patched is manageable.
To enhance password protection, we implement password rules and, wherever possible, introduce Two Factor Authentication (2FA). 2FA typically involves a code being sent to the user’s phone or hardware ‘key’ prior to allowing access to a system.
Speaking of password protection, there is a website that catalogues stolen e-mail addresses and passwords: https://haveibeenpwned.com/. I recommend that you visit the site, enter your e-mail address, and see if it has been exposed through any of the breaches that the site catalogues. Also go to the password area of the site and check to see if the password you use has been used by others. If it has, make sure you change your password right away!
Other technical strategies include anti-virus and anti-malware applications installed and up-to-date on all systems, a Unified Threat Management device that is configured to close down common weaknesses and protect against: users accidentally going to malicious websites, port scanning by bots looking to penetrate your network, SQL injections, cross site scripting, etc., a full backup system that is regularly tested (most importantly we ensure that the backups are copied to an offsite location so that, should a hacker attack all of our client’s networked systems, they are able to recover), encryption of hard drives (especially on mobile devices like laptops), and SPAM filters.
It’s also important to ensure that staff is well trained on cybersecurity to create what we refer to as a “human firewall”. This training includes regular reviews of the policies that are in place (or developed as part of our engagement) as well as training on topics such as phishing, social engineering, password security, malware, removable media, privacy, and personally identifiable information. We use a combination of online videos, newsletters, and e-mails to train our clients and their team members. My experience has shown that this combination of formats is the most effective in getting the message through.
This step can sometimes be the most difficult. Certainly, the “human firewall” will go a long way in helping staff to identify potential threats. But what about threats that staff can’t see? For this, we rely on tools that monitor security logs on individual computers and network devices. We configure these tools to send alerts when they detect abnormal activity.
Once an event has been discovered, your team must know what to do. The response will largely depend on the threat detected. For example, the receipt of a phishing e-mail will have a very different response than a ransomware attack.
The most important part of this step is to ensure that all of the appropriate resources are engaged as quickly as possible, and that they fully understand their responsibilities. At the onset of an attack is not the time to find out that your trusted IT supplier can’t respond for 48 hours because they have commitments to other customers. Make sure you have response times, based on severity of the incident, included in your contract with penalties for non-performance.
As soon as a threat is detected, it should be logged and all steps taken to mitigate the impact should be documented.
The final step is to return to normal operations. Again, now is not the time to discover that your backups haven’t been working or that they were attached to your network and also encrypted by ransomware. Offsite backups that are regularly tested are the safest.
We recommend that all of our clients carry cybersecurity insurance. You should consider coverage options such as first party coverage to reimburse you for expenses incurred from the cyberattack, third party liability to protect you in the case of a hack of your data that impacts another business, and other coverages that include business interruption, privacy liability, costs of notifying customer, legal expenses, recovering compromised information, and repairing damaged computer systems.
As part of the recovery process, the breach log entries must be finalized, affected parties notified, and, if there is the possibility of significant harm to employees, customer, or others, the Privacy Commissioner must be notified. The Fall 2018 update to Canada’s PIPEDA’s legislation states: “As of November 1, 2018, organizations subject to The Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to: report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals, notify affected individuals about those breaches, and keep records of all breaches.”
Protecting your organization from cybersecurity risks is an important function in today’s connected environment. Too often I receive calls after the damage has been done: “we’ve been hit by ransomware” or “all of our customers are receiving an e-mail that looks like it is from us but it isn’t”. However, by following the steps laid out in this article, you will be well positioned to defend your firm.
Mr. Simons has over 35 years’ experience in all Facets of Information Technology. Mr. Simons held increasingly senior roles with Bell Canada, Bell-Telic, PC Service Partners (an IBM subsidiary), and others. In 1998 he founded SICON CRM, a consultancy which helps firms increase their profitability through the development of a base of Loyal Customers. In response to numerous requests from Customers for assistance with their IT strategy and security, Mr Simons founded Roxville Technology in 2009. Mr. Simons is also a professor at Seneca College where he teaches courses in Customer Relationship Management (CRM), B2B Sales, and Marketing.
Greenberg, A. (2018, 08 22). The untold story of NotPetya. Retrieved 03 09, 2019, from wired.com: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Secretary, W. P. (2018, 02 15). Statement from the Press Secretary. Retrieved 03 09, 2019, from Statements and Releases: https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/