While hacking, data theft, and corruption dominate the headlines, the threats to businesses posed by cyberattacks stretch far beyond the digital realm. Consumers are increasingly concerned about the security of their information that is held by companies they patronize and are negatively influenced if they believe a business is not adequately protecting data. A PricewaterhouseCoopers survey found that 87 percent of consumers are willing to take their business elsewhere if or when a company has a data breach.

In the wake of highly publicized attacks, business expenditures for cybersecurity reached $123 billion in 2020 according to the research firm Gartner. At the same time, studies conducted by the insurance firm Hiscox found that more than 70 percent of businesses are still unprepared for a cyberattack. The rapid race by businesses of all sizes to leverage technology to improve efficiency and gain competitive advantage has brought with it an unprecedented host of complex threats that most are ill-prepared to protect themselves against.

For centuries, entrepreneurs have had to overcome physical threats such as fire, flood, and theft to avoid being the next shop with a “Going Out of Business” sign in the front window. These risks were largely visible, tangible, local, and not likely to change quickly over time. On the contrary, threats to digital assets are everything that physical risks are not. They are virtual, invisible, global, and rapidly evolving. Mitigation strategies that are effective against a particular computer attack right now might be rendered permanently obsolete in the next few seconds.

While the world’s consumers create a seemingly insatiable demand for connectivity and 24/7-anywhere access to information of all kinds, businesses are racing to stay relevant in an increasingly tech-dominated world. Unfortunately, security is the often-overlooked component of this race forward, falling victim to budget constraints, ignorance, and apathy.

As technology evolves, so do the threats to its security. The first hackers often focused on gaining access to systems just to prove they could. Damage to, or theft of data was rare. Much has changed in just a few short decades. Modern cyberattacks are coordinated, sophisticated, and well-funded operations often run by criminal enterprises or even nation states. The goals of exploiting security weaknesses are largely financial, but also increasingly include corporate or political espionage.

Of all the modern cybersecurity threats, ransomware has rightly dominated the headlines. In the simplest terms, this attack traditionally involved “kidnapping” the victim’s data in place by encrypting it with a password only known to the attacker. The data was technically still on the victim’s systems; however, it was completely inaccessible. The key to unlock the data would ostensibly be provided after the victim paid the demanded ransom. Attackers would indiscriminately attempt to infect millions of computers without regard to the importance of the systems, or the potential victim’s ability or desire to pay the demanded fee. Surviving a traditional ransomware attack was largely a mixed bag. Sometimes victims paid the ransom and regained access to their files, sometimes the ransom was paid, and the key was never provided and, in some cases, even the attackers lost track of how to decrypt the files. For years, mitigation steps for ransomware relied heavily on restoring lost data from backups and eliminating the security gaps that allowed the attack to occur in the first place.

In the past few years, ransomware attacks have evolved into much more sinister and sophisticated attacks. Businesses and government entities are now the preferred targets, with a preference for critical infrastructure and services. The “kidnapping in place” model has also been modified to include the theft of sensitive data and attempts to establish long-term, persistent access to the victim’s computer systems that can be used to conduct further malicious acts. Stolen data is increasingly being used to further extort the victim through threats to release it publicly if the ransom is not paid. This was recently highlighted when the Washington D.C Police Department was attacked by ransomware and the attackers subsequently posted police officers’ personnel records and street-gang intelligence information on the Internet when their demands were not met.

Contrary to the beliefs of some people, ransomware attacks can be prevented, mitigated, and you can recover from them. Like the attacks themselves, cyber protection and prevention mechanisms are rapidly evolving and necessarily must be complex and comprehensive. The need for sophisticated prevention, protection, and response mechanisms places modern cybersecurity outside the reach of traditional information technology departments and do-it-yourself operations.

Ransomware prevention, like all other cybersecurity, requires a multi-faceted approach from numerous disciplines. There is no single tool, software, or procedure that can do it all. The following list highlights a comprehensive methodology for ransomware prevention and preparedness:

• Be proactive. Recovery after an attack is more difficult and expensive than preventive measures

• Engage cybersecurity specialists

• Conduct periodic vulnerability assessments and penetration tests of all networks and systems

• Remediate all known and identified security gaps

• Create, test, and utilize comprehensive disaster recovery and business-continuity plans

• Ceate and test full, offline backups of all critical data

• Create, test, and utilize incident-response plans that address cybersecurity threats

• Establish retainer agreements for cyber-incident response specialists

• Budget appropriately. Security costs are necessary and recurring.

Cyberattacks and risks to data security represent a clear and present danger to the ability of companies of all sizes and sectors to grow and prosper. A single attack against an ill-prepared business can cause crippling recovery costs and damage customer confidence beyond repair. The takeaway from the many entities that have suffered and recovered from cyber incidents in the past is that it does not have to be a death sentence. In the end, those that are proactive, plan, and prepare will be the ones most likely to survive and thrive in this rapidly changing landscape.                                                     

Tony Martino is co-founder and chief operating officer of Anjolen Inc. Contact him at Tony@anjolen.com.

On April 14. 2021, the U.S. Department of Labor (DOL)  issued much-needed guidance concerning best practices for plan sponsors, fiduciaries, record-keepers, participants and beneficiaries pertaining to cybersecurity for retirement plans. 

The DOL’s guidance focuses on three specific topics: hiring service providers, managing cybersecurity risks, and online-security tips for participants to avoid risk of fraud and loss. Although the guidance was couched as “best practices,” it is reasonable to interpret it as creating minimum cybersecurity standards and practices for retirement plans. The guidance specifies the duty of plan fiduciaries to protect plan data against cybersecurity breaches and attacks, and potentially signifies a precursor for the DOL to assess liability for damages stemming from plan data breaches in the future. Although the guidance did not address health and welfare plans, those plans may also wish to consider implementing these measures. 

Here is a summation of some of the key points raised in the guidance, as well as some helpful insights to be considered in connection with the DOL’s recommendations. 

I. Hiring service providers 

Under ERISA, plan fiduciaries must act prudently when selecting and retaining plan-service providers. Since plan-service providers are often relied upon to preserve and secure plan records and participant data, it is essential that fiduciaries ensure that service providers implement strong measures to defend this information against potential cyber threats. When retaining service providers, the DOL recommends that plan sponsors make certain that vendors have sufficient security systems in place to guard against attacks and prevent potential breaches. The DOL offered the following suggested practices when contracting with service providers: 

• Security standards: Review providers’ security standards, practices, and policies. Request audit results verifying the sufficiency of their security systems and compare these results to industry standards. Plan fiduciaries should look for vendors who follow a recognized information security standard that validates its compliance and utilize an independent auditor to verify information security, system/data availability, processing integrity, and data confidentiality. 

• Effectiveness review: Verify the security standards employed by service providers and their validation process to ensure their security practices comply with these requirements and ensure that their audit results reflecting compliance are available for review. 

• Reputation in the industry: Check service providers’ track record in the industry, including any public information related to prior security incidents, as well as any litigation and legal proceedings related to their services. 

• Prior incidents: Consider vendors’ previous security breaches, reviewing all details regarding those incidents and their response to the attacks. 

• Insurance coverage: Review the service providers’ cybersecurity-insurance policies and their scope of coverage to address losses incurred from security breaches or identity thefts. Confirm whether their insurance coverage will cover breaches caused by both their own workforce, as well as external attacks. Consider requiring vendors to maintain additional insurance coverage (i.e., professional liability, errors and omissions liability, cyber liability and privacy breach insurance, and/or fidelity bond or blanket crime coverage). Confirm policy limitations before counting on such coverage for loss protection. 

• Ongoing compliance: Ensure that contracts require vendors to maintain their cybersecurity and information security standards originally agreed to by the parties throughout the term of the contract, and beyond (if applicable). Consider requiring notice in the event of a change in their systems which impacts their ability to meet these criteria, or deviations from their prescribed security standards. 

• Limitation of liability: Address any contractual provisions which seek to limit responsibility or liability of the service provider for cybersecurity breaches. 

• Reporting: Require annual third-party audits to determine compliance with cybersecurity policies and procedures and require access to the results of those reviews. 

• Data usage: Specifically dictate vendors’ obligations to preserve the privacy of all confidential data, prevent any use or disclosure of confidential information without written permission, and incorporate a stringent standard of care to guard against the unauthorized use (or misuse), access, loss, disclosure, or modification of confidential information. 

• Records retention and destruction: Specify vendors’ obligations to comply with all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality, or security of confidential information.

• Notice: Include terms requiring vendors to provide notice for any incident or breach, specifying the timeframe for such notice and mandating service providers’ cooperation to investigate and address the cause of the breach. 

II. Cybersecurity best practices 

The DOL has provided this list of best practices for plan record keepers and other service providers to follow: 

• Save a formal, well-documented cybersecurity program; 

• Conduct prudent annual risk assessments; 

• Have a reliable annual third-party audit of security controls; 

• Clearly define and assign information security roles and responsibilities; 

• Have strong access control procedures; 

• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments; 

• Conduct periodic cybersecurity-awareness training; 

• Implement and manage a secure-system development life-cycle program; 

• Have an effective business-resiliency program addressing business continuity, disaster recovery, and incident response; 

• Encrypt sensitive data, both stored and in transit; 

• Implement strong technical controls in accordance with best security practices; and 

• Appropriately respond to any past cybersecurity incidents. 

III. Online-security tips

The DOL also outlined a number of security tips, reflecting that participants and beneficiaries also play a large role in the security of their plan accounts. The DOL recommends that users utilize strong and unique passwords for their accounts, add multi-factor authentication to log in, and regularly monitor accounts to guard against the risk of fraud and loss. In addition, the DOL suggests that participants and beneficiaries update their contact information with plans and sign up for account activity notifications to ensure they are notified of any unauthorized account activity. Among the other tips offered, the DOL urges users to avoid public Wi-Fi networks, remain mindful of phishing attacks, and use up-to-date antivirus software. 

Retirement-plan precautions

Retirement plans are literal treasure troves for cyber criminals — holding large amounts of fund and personal information concerning participants and beneficiaries. Recognizing this concern, the DOL’s new cybersecurity guidance may provide a glimpse into future enforcement actions and criteria to assess prudence by fiduciaries in the event of a cyberattack. Plans should consider these tips and insights when engaging new service providers to ensure vendors are taking appropriate precautions to safeguard plan data. They may also wish to revisit current contracts with their present vendors to address any areas where their contracts are silent, as well as consider whether additional measures are necessary to ensure the security and confidentiality of plan data. 

Administrators may also wish to review and update their plans’ document and retention policies to reflect this new guidance and review their vendors’ policies to confirm if amendments are warranted — with a particular focus on how vendors handle plan data upon expiration or termination of their agreement. 

Despite recognizing the important role played by participants and beneficiaries in securing their plan accounts, recommendations regarding cybersecurity education were notably absent from this guidance. Nonetheless, plans may wish to consider passing along the DOL’s online-security tips to account holders.      

 Lawrence J. Finnell is a senior counsel in the New York City office of the Syracuse–based law firm of Bond, Schoeneck & King PLLC. Contact him at lfinnell@bsk.com. This article is drawn from the firm’s Employee Benefits Law Information Memo.

A look at recent news headlines continues to show the impact that ransomware has on our everyday life. Whether it be the attack on Colonial Pipeline which set off a potential gas-supply shortage or the attack on JBS, a meat packer, the news keeps coming. Last year in the U.S. alone, more than 100 federal, state, and local governments; 500 health-care centers; 1,600 educational organizations; and thousands of businesses were victims to ransomware. That’s according to “The State of Ransomware in the US: Report and Statistics 2020,” published by Emsisoft Malware Lab in January.

That impact is also felt by small and mid-sized businesses (SMBs) as it was found in 2020 that the average cost of a ransomware event for SMBs totaled $505,827 per incident (including downtime, lost business, rebuilding and upgrades, etc.). The cost is only increasing, especially when you consider lost revenue and reputational harm to your business. According to the Beazley Group, a cyber-liability insurance provider, small and medium businesses are most at risk of ransomware, with more than 62 percent of claims. Beazley also reports that ransomware attacks increased 130 percent in 2020. 

In the past two years, the Cyber Defense Institute has assisted clients with ransomware incidents that ranged in cost from $600,000 to over $10 million right here in Central New York. Many ransomware attacks do not get reported as companies fear reputation loss and bad press. As a result, experts agree that the true number of attacks and cost of those attacks is grossly underestimated.

Ransomware is a type of computer malware that has a specific goal in mind — holding your data hostage until you pay a ransom. Early variants of ransomware would install on a single computer in your network and wreak havoc on your shared files. Today’s variants are using more sophisticated techniques in which they worm their way through your network, sometimes for months without detection, before detonating on as many systems as they can at once. This increases the likelihood you’ll pay the ransom because all your servers and workstations are infected all at once. 

Recommendations

Awareness training. The most-common method of infection from ransomware is still malicious emails. Another common method is so called “drive by downloads” in which a malicious file is downloaded from an infected website. Because of this, end-user security awareness training is one of the key strategies you should be implementing to protect your business from ransomware. This end user-training should include continuous phishing training and at least one hour several times per year of direct computer-based training content. This phishing training should include a system that sends fake phishing emails to your users to give them real-world experience dealing with phishing emails. Weekly security reminders that detail the most-current threats and scams are also highly effective. 

Two-factor authentication for applications and email is another easy win. Stolen credentials allow criminals to steal data and send malicious emails using legitimate email addresses to unsuspecting friends and colleagues. 

Anti-virus/malware software. Another critical component to your anti-ransomware strategy needs to be anti-virus/malware software that can prevent advanced threats such as ransomware. Traditional antivirus is no longer enough and the need for advanced-threat protection is critical. Software that includes endpoint detection and response (EDR) features are commonly used in cases of ransomware to help clean it up and stop it from spreading. For this reason, you should consider a similar product to help protect your environment. It also goes without saying that it is critical that you maintain your subscriptions with your antivirus vendor. There is nothing worse than getting a malware infection because you forgot to renew your antivirus license or update your current product regularly.

Implement a SIEM — Security Information and Event Management System — to provide continuous monitoring of your network 24/7, 365 days a year, which can also be coupled with a dedicated Security Operations Center (SOC) to notify you of incidents. These systems provide real-time alerts of suspicious or malicious activity on your network, enabling a fast response and prevention.

System patches and updates are another key component to reducing the risk of ransomware. Making sure you run your Windows updates on every machine, all the time, keeps your systems protected from the latest vulnerabilities. Don’t forget to keep your firewalls, printers, and other network devices up to date as well. These commonly forgotten devices are also frequently attacked by malicious actors and can lead to ransomware or other harm to your network.

Cyber-liability insurance. When you buy an insurance policy, it should specifically cover ransomware or data-extortion costs. And do not skimp on coverage limits. We recommend a minimum of $1 million for any size of business. 

Develop and practice an incident-response plan. A solid incident-response plan that is documented, known to all involved, and practiced at least once a year will save critical time when responding to an incident. Remember those fire drills in grade school? 

Layer your defenses. This is also known as defense in depth. Develop multiple roadblocks and segment networks wherever possible.

Carefully consider the options before you pay the ransom. This is easy to say when you are in crisis mode, but the research by Sophos and others points to increased costs for those that do pay. Even after paying the ransom, the cost for upfront protection, user training, and a solid backup strategy is the least-expensive way to stay safe and recover if you do get hit.

Backups. Finally, and perhaps the most important protection against the harms of ransomware, is to have excellent backups of your systems. The difference between quickly recovering from ransomware while not paying the ransom is directly correlated to the quality of your backups. A restore from backup can many times be a quick way to give a ransomware extortionist the boot. However, you need to make sure your backup system includes more than one copy of your data. Typically for an SMB this includes a copy in your office and a copy in the cloud. We also recommend keeping backups for at least 90 days as malware sometimes remains dormant for several months before calling out to the ransomware host. There are several other backup tactics that can be implemented depending on your overall IT infrastructure. 

Unfortunately, for most, ransomware is a matter of “when” and not “if.” However, you can reduce the impact it has on your business by taking steps now to better prepare for the inevitable. Ransomware does not have to be a potentially business-killing event if you properly prepare your business now. Doing nothing and ignoring the threat is no longer an option.        

Jim Shea is president of Cyber Defense Institute, Inc. (www.cyberd.us), a Syracuse–based, regional cybersecurity consulting and training firm specializing in cybersecurity regulatory compliance, cyber risk management, and cybersecurity assessments. Contact Shea at jrshea@cyberd.us. Brandon Finton is the senior security engineer at Cyber Defense Institute. Contact him at bfinton@cyberd.us.