Technology

Risk, Ransom, Threats, and Awareness?

October is Cybersecurity Awareness Month… and it also means there are only 9 business weeks left this year.  2019 has been a challenging year for many organizations with new emerging threats, specifically those focused on hardware and Internet of Things (IoT) devices. This year also saw a strong reemergence of the risk of business disruption from ransomware and wire fraud.  

The top three most common questions our cybersecurity team has fielded this year include: 

• “How do we prevent being a victim to ransomware?” 

• “What should we be focused on and investing in, related to cybersecurity” 
• “We’re being subject to <insert compliance framework here>, and we’re not ready, what should we do?” 

As our first of a four–part series of blogs enclosed are some helpful hints and stats related to our current state of cybersecurity, as well as answers to many of these burning questions.  

Current State Awareness: 

The 2019 Verizon Data Breach Investigation Report (DBIR) revealed some startling trends in cybersecurity threats. 

• Attacks by organized crime dropped, but new threats emerged from sophisticated state-run attackers and from insider breaches. 
• The top three most impacted industries for cyberattacks in 2018 were Public Sector organizations, Media and Entertainment, and Financial Services. 

Research from IBM found that the overall average cost of a data breach in 2018 was estimated at $3.9 million. 

Phishing is still the number one initial point of compromise in 2019, even with an increase in training. Threat actors are introducing more complexity in their scams that make them harder to recognize. 

Ransomware: 

In 2019 we saw a sharp increase in ransomware attacks. 75% of the companies impacted this year were running up-to-date anti-virus software. This is because many of these attacks leverage tools and methods that are native to the operating system, and the initial point of compromise is typically tailored to the victim.  

This means that even with the latest definition files, without a behavioral–based detection solution such as a Managed Endpoint Detection and Response (MDR) or Network Detection and Response (NDR) solution in place many of these threats go unnoticed until it’s too late. 

So what is a company to do? In addition to evaluating the controls you have in place, focusing on developing and periodically testing your incident response and digital backups is key to ensuring the associated business impact of an incident is limited. 34% of companies impacted took a week or longer to recover from the incident, so prevention before you are busy is key. 

Understanding Compliance and Risk: 

2019 has seen another sharp increase in cybersecurity focused regulation and compliance requirements. Regardless of industry, companies operating in states such as New York, California, Arizona, and even Colorado are being regulated to step up their cybersecurity game. 

Many organizations struggle with understanding where to start, mostly due to the lack of a risk assessment and or formal level of risk tolerance having been established within the organization. The value of understanding what risks your organization is willing to accept provides a critical “north star” for your budget and goals, and therefore how you build the team you need to execute (FTEs or partners). 

For example, if a lender does the majority of their business in New York, California, Texas, and Ohio, focus on the NYDFS.NYCRR.500 controls should be a priority. This includes a focus on endpoint encryption, solid policies and procedures, and having trusted cybersecurity resources.  

However, if a company is running Windows 7 and other older IT equipment, focus should be on migrating and or replacing these systems to Windows 10 as to avoid running unsupported end-of-life software that is no longer receiving security updates from Microsoft. 

Management needs to understand the likelihood and impact of a risk so that they can allocate the limited amount of resources to the most impactful risks. Many times, this requires insight from a trusted advisor, but the value in this exercise can be extremely liberating.   

Conclusion: 

Cybersecurity continues to evolve and change, at a frequency that leaves many feeling helpless. While there is no formal destination, understanding the overall threat landscape, and which risks should be a priority for your firm are critical to moving the cybersecurity needle. This October, focus on the trends and educational resources that vendors and other resources provide, as we move into budget season for 2020 this can help provide you with a “north star.” 

Our cybersecurity team has the experience and cutting-edge knowledge to dig into how these trends might be affecting your business. We solve cybersecurity problems from the server to the cloud. Contact us to get your cybersecurity road map. 

Having held executive positions at firms of all sizes, the Richey May Technology Services team is able to provide practice executive advice to solve most difficult technology, cloud, and cybersecurity problems.