Why Companies Can’t Wait on Implementing Cybersecurity Measures

Posted By USFN, Wednesday, July 17, 2019
Updated: Tuesday, July 16, 2019

by Kim Bilderback-GSEC, CISSP

Senior Director, National Business Markets East

AT&T Cybersecurity


American self-help author Napoleon Hill is credited with saying, “Do not wait: the time will never be ‘just right.’ Start where you stand, and work with whatever tool you may have at your command and better tools will be found as you go along.”

This advice is appropriate when thinking about corporate cybersecurity programs. Too many times, a client has described to me what they’re going to do. Too many times, that same client called seeking assistance with a breach.


One reason for the procrastination is cost, which organizations mistakenly classify as an IT expense. Cybersecurity is actually an important component of a business risk management program. The consequences of a cybersecurity breach are not just something intangible, like loss of brand trust or theft of intellectual property. They’re cold, hard cash out of a firm’s pockets due to individual lawsuits, class action lawsuits, contractual violations, or regulatory fines.

Court ruling after court ruling has made it clear that the time for action is now. Businesses of all sizes are responsible for cybersecurity and accountable for damages when they fail that responsibility. Regulators and governments are increasingly tightening the cybersecurity requirements and the penalties for noncompliance.

It’s becoming clearer that customers and business partners, even if they cannot demonstrate monetary impact from a breach, have a basis for filing lawsuits for breach damages.

In a May 2019 ruling in United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., et al., a U.S. District Court ruled that a defense contractor had violated the False Claims Act when it entered into, and invoiced under, U.S. government contracts despite failing to fully satisfy (or otherwise disclose the scope of its gaps with) its contracts’ requisite cybersecurity controls.

Essentially making cybersecurity an even larger business risk, a recent U.S. Supreme Court ruling in Zappos.com v. Stevens confirms customers can sue companies when their data is stolen, even if that data is not used for things like identity theft or making fraudulent charges. The Zappos case will go a long way toward deciding how much liability corporations will have if customer data is exposed, regardless of how it is used.

Think cyber insurance will ameliorate this risk? Think again. Recently, executives for the snack company Mondelez took some solace after their huge cyber breach, knowing that cyber insurance would help cover their costs. Or so they thought.

Mondelez, the victim of a crippling NotPetya malware attack in 2017, learned its insurer, Zurich Insurance, would not cover the attack. Zurich declared Mondelez’s losses collateral damage in a cyberwar and invoked the policy’s “war exclusion” clause. Since the U.S. government assigned responsibility for NotPetya to Russia, all cyber insurers were provided justification to invoke “war exclusion” clauses to not pay claims. The issue is still in the courts.

Consider this analysis by attorneys Karen K. Karabinos, Esq. and Eric R. Mull, Esq. on the implications of Columbia Casualty v. Cottage Health System:


“While the issues surrounding a cyberattack may be complex, compliance with the terms and conditions of a cyber policy may be as simple as determining if an insured has in place and is following the practices and procedures required under the terms of the policy. As cyber liability and coverage continue to be a growing and ever-changing concern, more and more companies will turn to their insurance carriers for protection. Insureds should be mindful that their failure to answer application questions accurately, their failure to comply with certain practices relating to computer and data security, or their failure to maintain security policies, practices, and procedures may result in the forfeiture of coverage, and in turn, exposure to substantial costs and liability.”


Finally, there is the obligation to prevent risk from insiders. In a recent ruling, the UK Court of Appeal upheld a lower court’s decision that the supermarket giant Morrisons is liable for its employees’ misuse of data. In 2015, a former Morrisons employee was convicted of criminal charges for leaking employee payroll records. The Court of Appeal’s landmark ruling confirms that Morrisons is “vicariously liable” for their employee’s criminal misuse of the leaked data.

Morrisons now faces a potentially massive payout. The Court of Appeal’s decision paves the way for compensation claims by 5,518 former and current staff members whose personal details were posted on the internet.

What to do? Implementing at least five security essentials is key to cybersecurity risk management.

Security Essential 1: IT Asset Discovery & Inventory
Think about it. How can you report something stolen if you don’t know what you’ve got in the first place?

Security Essential 2: Vulnerability Scanning
Having inventoried your IT and data assets with asset discovery, you now need to make sure the doors and windows to the assets are shut and locked. That’s what vulnerability scanning does. It scours the perimeter to make sure all is secure – that is, that known vulnerabilities have been patched.

Security Essential 3: Log Management & Threat Detection
Log management in cybersecurity is similar to a video camera trained on the front door of a convenience store.

The video camera records the image, date and time of everyone coming into and going out of the store. If the video is monitored, indicators of potential crime (system compromise) can be detected, an alert sounded, and a possible crime averted. Someone coming through the door, wearing a mask, and brandishing a gun could be interpreted as an indicator of potential compromise, yielding an alert and proactive crime prevention action.

The saved video recordings are a treasure trove of forensic data for the police seeking to investigate after a crime is committed. The video recordings are referenced to identify when a crime occurred, what was stolen and to identify the perpetrator. Absent the video recordings the police would have little hard evidence for investigation. This is exactly what log management and threat detection do for cybersecurity.
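To make the camera analogy concrete, here is an added example (not code from the article or from AT&T Cybersecurity) showing both halves of log management: detection logic that watches authentication log lines as they arrive and raises an alert on an indicator of compromise, and a forensic query over the retained lines that reconstructs what a given source address did and when. The log lines are constructed in an sshd/syslog-like style; the failure threshold and time window are assumptions chosen for illustration, not values from the article.

```python
"""Detection and forensic lookup over sample authentication log lines.

Added example, not part of the original article. The log lines, the
FAIL_THRESHOLD and the WINDOW below are constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source address fails
# five times and then succeeds; two ordinary logins follow.
SAMPLE_LOG = """\
2019-07-16T02:14:01 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2019-07-16T02:14:05 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51123 ssh2
2019-07-16T02:14:09 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124 ssh2
2019-07-16T02:14:13 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51125 ssh2
2019-07-16T02:14:17 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51126 ssh2
2019-07-16T02:14:21 srv1 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51127 ssh2
2019-07-16T09:30:44 srv1 sshd[1330]: Accepted publickey for alice from 192.0.2.25 port 40011 ssh2
2019-07-16T09:31:02 srv1 sshd[1331]: Failed password for bob from 192.0.2.26 port 40012 ssh2
2019-07-16T09:31:20 srv1 sshd[1331]: Accepted password for bob from 192.0.2.26 port 40013 ssh2
"""

# Pattern for the constructed line format: timestamp, host, sshd result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5             # assumed: failed logins per source that count as a burst
WINDOW = timedelta(minutes=5)  # assumed: how far back failures are counted

def parse_lines(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect(events):
    """The 'monitored camera': return alerts for a burst of failures from one
    source and for a successful login from a source already flagged."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    flagged = set()                # sources already reported for a burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # keep only failures inside the sliding window
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= WINDOW]
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["user"], ev["ts"]))
        elif ip in flagged:
            # a single stray failure (bob) never reaches this branch
            alerts.append(("success_after_brute_force", ip, ev["user"], ev["ts"]))
    return alerts

def timeline(events, ip):
    """The 'saved recordings': everything one source address did, in order,
    for after-the-fact investigation."""
    return [(e["ts"].isoformat(), e["result"], e["user"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["ip"] == ip]

if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for alert in detect(evs):
        print("ALERT", *alert)
    for row in timeline(evs, "203.0.113.7"):
        print("TIMELINE", *row)
```

Run as a script it prints two alerts for 203.0.113.7 (the burst of failures, then the success that followed it) and nothing for bob, whose single failed attempt stays below the threshold; the timeline call then lists all six events from that address, which is the forensic question an investigator asks once an incident is confirmed.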

Security Essential 4: Security Awareness Training
If the budget allows managing only one cyber risk, this is it. In a 2018 article, cybersecurity expert Michelle Drolet wrote, “The sad truth is that employees are the weakest link in cyber defenses. They are vulnerable to phishing scams and ransomware. They also make mistakes. Sometimes they don’t fully understand compliance requirements and sensitive data is mishandled.”

“81% of hacking-related breaches over the last year leveraged stolen or weak passwords and 1 in 14 users admitted being tricked into following a link or opening an attachment they shouldn’t have,” said Drolet.

Security Essential 5: Email/Web Filtering
Email alone is the top cybersecurity threat vector. Deploying inexpensive technologies that scan emails and monitor web browsing, actively detecting and preventing access by known viruses or malicious websites, delivers an effective risk management ROI.

When thinking about implementing cybersecurity measures, it’s important to repeat Napoleon Hill’s warning: “Do not wait.” It may not be a convenient moment to implement cybersecurity essentials, but the time is right. Legislation, regulations, and court rulings all show that the consequences of not doing so can have profound risk implications for your business.


Copyright © 2019 USFN. All rights reserved.

Summer USFN Report