More locally, in May, hackers demanding ransom broke into computer systems at Scripps Health. To contain the intrusion, IT staff shut down computer systems. The organization brought in computer experts to recover and contacted federal law enforcement. Scripps employees soldiered through the event, though access to electronic medical records was restricted, according to an account of the incident by senior management. On June 1, the organization announced its systems had been restored, but memories of the event remain fresh.
If San Diego business leaders hadn’t paid attention to cybersecurity before, they are paying attention now.
Many executives are wondering what to do to improve their cybersecurity and cyber hygiene.
The good news is that San Diego has resources to help executives working to shore up their cyber defenses.
Indeed, the region has a robust cybersecurity community, which takes in 24,349 employees (see accompanying story). Several leaders of that community took time to share thoughts with the San Diego Business Journal about how their peers in other vertical markets might get in front of the cybersecurity challenge.
“Security should not be an afterthought,” said Brad Taylor, CEO of Proficio, a cybersecurity company based in Carlsbad with a worldwide footprint. “It should be designed in as part of the plan from the beginning.” Also, he said, it should follow industry best practices consistently.
Company leaders need to understand that information security is a business risk issue. In other words, it’s a management problem, not an information technology problem, said Peter Bybee, president and CEO of Security on Demand. The business, based in Scripps Ranch, provides cyber-threat detection services.
Leaders of organizations “must consider cybersecurity as a strategic imperative,” said Omer Meisel, assistant special agent in charge with the San Diego FBI Cyber Program.
The Threat Landscape
Companies today face multiple threats, which exploit multiple vulnerabilities.
In a survey of 524 organizations, most of them with 500 or more employees, IBM found that malicious attacks were the root cause of just over half of data breaches (52%). Human error was the root cause of 23% of breaches and system glitches of the remaining 25%. The figures come from IBM's 2020 Cost of a Data Breach Report, which was researched by the Ponemon Institute.
Of the malicious breaches, more than half (53%) were financially motivated, according to the report. Roughly one in eight (13%) involved nation-state actors, and another 13% involved hacktivists. The remaining 21% could not be attributed to a known threat actor.
In addition to hacking, the FBI lists ransomware, malware and phishing among the most prevalent cybersecurity threats. Phishing involves a message crafted to trick the recipient into giving up passwords, Social Security numbers or other valuable personal information. Businesses also face threats from insiders, people within the organization who misuse the access they already have. The FBI's Internet Crime Complaint Center (IC3) publishes an annual report on these threats at www.ic3.gov.
The Human Element
Most cybersecurity breaches have a human in the loop, said Easterly of the Cyber Center of Excellence. No cybersecurity effort can get far, therefore, without involving an organization's workforce.
People are a hacker’s easiest access point to a system, said two representatives from CBIZ, which offers insurance, accounting, other business services and consulting. Tiffany Garcia and Ray Gandy said that employees must understand their roles in protecting personal and business critical data. Cybersecurity is a team effort.
“Our security consciences should be woven into our daily activities: opening emails, paying invoices, visiting websites,” said a statement from Garcia, director and national cybersecurity practice leader for CBIZ, and Gandy, director and leader of the IT risk and assurance practice at CBIZ MHM.
Leadership must lead by example, modeling cyber hygiene best practices, said Sautter, who leads Booz Allen's work in network engineering, information technology infrastructure, cybersecurity and systems engineering on the West Coast. The business is one of San Diego's larger defense contractors.
A Full-Time Effort
Eric Basu, CEO of Sentek Global, says his No. 1 cybersecurity recommendation for businesses has to do with staffing.
Multifactor authentication for all remote access to a computer network is a must, said Chris Reese of Lockton. That includes access to email. As an insurance brokerage, Lockton does not work in cybersecurity per se, but it deals with its consequences every day.
Multifactor authentication requires a person to present two or more pieces of evidence, called authentication factors, when logging into an account. NIST, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, groups factors into three categories: something you know (a password or PIN), something you have (a smart card, a hardware security key or a phone running an authenticator app) and something you are (a fingerprint or face). To count as multifactor, the factors must come from two different categories. Entering two different passwords is still single-factor authentication, because both are something you know.
Basu said businesses and individuals should enable two-factor authentication (2FA) or multifactor authentication (MFA) on any account they don't want to have compromised. With 2FA, a user logging into an account from an unknown device is prompted for a code sent by text message to their mobile device or generated by a synchronized authenticator application on that device. NIST's digital identity guidelines treat codes sent over SMS as a weaker second factor than codes generated on the device or by a hardware key, because a phone number can be hijacked; an authenticator app or security key is the better choice where the service offers it.
Lack of 2FA or MFA can drive a company’s insurance premiums up, or can cause insurance carriers to deny coverage.
The Rise of Ransomware
Ransomware attacks are very much in the news. In such an attack, a hacker blocks access to a company's data by encrypting it, then offers to hand over the decryption key if the victim pays a ransom.
Some observers say it is possible to get out in front of a ransomware attack with proper detection work.
ESET’s Anscombe said a ransom demand often comes some time after a hacker has first broken into a system, via a hardware or software vulnerability, or through compromised credentials (such as a stolen password).
“Ransomware attacks are now often the end phase to a broader attack,” he said. “… The bad actor will map the network and gather information, identify sensitive data assets, exfiltrate the data, disable security systems where possible, and only then execute the ransomware attack.” If the victim refuses to pay, it must recover the affected internal systems on its own, and it may also find the stolen data published or sold on the dark web.
“The good news is that attacks don’t happen immediately, so there’s an opportunity to catch and prevent them,” said Proficio’s Taylor. “You typically have several days or even weeks to detect the bad actors before too much damage is done and most existing security products can prevent or detect these attacks — as long as you keep your security devices updated and most importantly have strong threat detection use cases, active monitoring and effective response in place.”
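The stages Anscombe lists (mapping the network, exfiltrating data, disabling security tooling) each leave telemetry days before any file is encrypted, which is the window Taylor describes. The following is an added example, not code from the article or from Proficio or ESET: a single-pass detector over a constructed event timeline that fires one alert per stage and then measures how much lead time the defender had. The event schema, the internal address ranges, the security service names and the thresholds are all assumptions for the example and would be tuned to a real environment and fed from real logs.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Assumptions for this example: the company's internal ranges, the names of
# its security services and the alert thresholds.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
SECURITY_SERVICES = {"edr-agent", "av-realtime", "backup-agent"}
DISCOVERY_DISTINCT_HOSTS = 50          # one host touching 50 internal hosts
EXFIL_BYTES = 5 * 1024 ** 3            # 5 GiB from one host to one external address


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                          # "conn" or "service_stop"
    detail: dict = field(default_factory=dict)


@dataclass
class Alert:
    ts: datetime
    host: str
    stage: str
    reason: str


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(events: Iterable[Event]) -> list[Alert]:
    """Single pass over time-ordered events; each (host, stage) fires once."""
    alerts: list[Alert] = []
    fired: set = set()
    targets = defaultdict(set)         # host -> distinct internal destinations
    egress = defaultdict(int)          # (host, external dst) -> bytes sent
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "service_stop" and ev.detail.get("service") in SECURITY_SERVICES:
            key = (ev.host, "defense-evasion")
            if key not in fired:
                fired.add(key)
                alerts.append(Alert(ev.ts, ev.host, key[1], f"{ev.detail['service']} stopped"))
        elif ev.kind == "conn":
            dst = ev.detail["dst"]
            if is_internal(dst):
                targets[ev.host].add(dst)
                key = (ev.host, "discovery")
                if len(targets[ev.host]) >= DISCOVERY_DISTINCT_HOSTS and key not in fired:
                    fired.add(key)
                    alerts.append(Alert(ev.ts, ev.host, key[1],
                                        f"contacted {len(targets[ev.host])} internal hosts"))
            else:
                egress[(ev.host, dst)] += ev.detail.get("bytes_out", 0)
                key = (ev.host, "exfiltration")
                if egress[(ev.host, dst)] >= EXFIL_BYTES and key not in fired:
                    fired.add(key)
                    alerts.append(Alert(ev.ts, ev.host, key[1],
                                        f"{egress[(ev.host, dst)] >> 30} GiB sent to {dst}"))
    return alerts


def lead_time(alerts: list[Alert], encryption_start: datetime) -> Optional[timedelta]:
    """Time between the first precursor alert and the start of encryption."""
    if not alerts:
        return None
    return encryption_start - min(a.ts for a in alerts)


def sample_timeline() -> tuple[list[Event], datetime]:
    """Constructed timeline, not real telemetry: discovery on day 1, staging
    and exfiltration on day 5, EDR disabled on day 9, encryption on day 10."""
    t0 = datetime(2021, 5, 1, 9, 0)
    events = [Event(t0 + timedelta(days=1, seconds=i), "ws-17", "conn",
                    {"dst": f"10.0.1.{i + 1}"}) for i in range(60)]
    events += [Event(t0 + timedelta(days=5, minutes=i), "fs-01", "conn",
                     {"dst": "203.0.113.10", "bytes_out": 1024 ** 3}) for i in range(6)]
    events.append(Event(t0 + timedelta(days=9), "fs-01", "service_stop",
                        {"service": "edr-agent"}))
    return events, t0 + timedelta(days=10)


if __name__ == "__main__":
    events, encryption_start = sample_timeline()
    found = detect(events)
    for a in found:
        print(a.ts, a.host, a.stage, a.reason)
    print("lead time before encryption:", lead_time(found, encryption_start))
```

Each rule here is deliberately simple; the point is that the first alert lands nine days before the encryption event in the constructed timeline, and any of the three would have been enough to start an investigation. Real detection content would draw on the same signals (internal scanning, outbound volume, security services stopping) but with baselines per host rather than fixed thresholds.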
So, where to begin?
The nonprofit Center for Internet Security publishes a prioritized list of 18 controls, numbered so that a business can work through them in order; CIS also marks a subset of safeguards, Implementation Group 1, as the minimum baseline for any organization. “This provides a nice roadmap for a company just getting started,” Simpson said. The list is available at https://www.cisecurity.org/controls/v8/.
A good early step is to build a process to securely back up data. “There are many low-cost cloud solutions,” Simpson said. Backups only help against ransomware if at least one copy is kept offline or immutable, out of reach of an attacker who already holds administrator credentials, and if restores are tested before they are needed. A company should also deploy endpoint protection, meaning anti-virus/anti-malware software and a host firewall, on its computers.
Lockton’s Reese said another action that a person can take immediately is to rotate all passwords for business and personal accounts.
A good early step toward meeting cybersecurity challenges is to get outside help.
Cybersecurity threats are very dynamic, said Anfuso of La Jolla Logic. Therefore, engaging with outside consulting support can ensure that a business has access to the most up-to-date knowledge, skills and expertise.
Smaller companies can consult their legal, accounting or insurance counsel for names of professionals who can help them. Other resources include economic development corporations, chambers of commerce or the Cyber Center of Excellence.
Many of the people consulted for this story recommended getting references for vendors.
“While it may be preferable that the partner has experience in your industry sector, this may not always be possible,” said ESET’s Anscombe.
Many companies hire a fractional Chief Information Security Officer, or CISO, and find that model affordable, said Bybee.
The Federal Perspective
One other imperative is to establish a relationship with law enforcement, including the FBI.
Local law enforcement, the FBI and the Secret Service encourage outreach before a crisis to develop relationships, said Easterly of the Cyber Center of Excellence. The FBI’s Meisel said establishing a partnership is “essential” to protecting a company’s network and helping the government keep the nation secure.
Existing law puts the FBI in a unique position to collect both investigative information and intelligence regarding cyber matters, he said. “What may seem like insignificant activity to a company may be a missing puzzle piece needed to deter a larger scale intrusion/attack. Providing information to the FBI and its partners on suspicious activity occurring on company networks may help the FBI connect the dots regarding cyber threats.”
Businesses that work for the federal government, including members of San Diego’s defense contracting community, have to think about federal standards when considering cybersecurity.
Those who want to do business with the Defense Department and want to know how to protect the government’s information within their non-federal information systems “should consider establishing relationships with like businesses through local chapters of defense focused associations,” said Compton. “They can help you understand the government’s requirements and provide recommendations on finding the right vendors to help you meet your needs.”
He did not mention associations by name. However, two examples with San Diego chapters are NDIA, the National Defense Industrial Association, and AFCEA International, the Armed Forces Communications and Electronics Association.
The Work at Home Phenomenon
With the coming of the coronavirus in 2020, many people started working at home. That opened many security gaps, said Easterly.
“We are now operating in a new world where remote work is more commonplace,” said Darren Bennett, chief information security officer with the San Diego city government. “You must ensure that connections from remote environments are secure and trusted.” A few solutions, he said, are virtualization, full-disk encryption and company-issued laptops that reach the corporate network only over a virtual private network. “Also, using a virtual desktop infrastructure (VDI) can help by allowing employees to access corporate resources from almost anywhere while still controlling the exposure of the data and systems.”
Remote work will remain a challenge to business, in terms of time and money. In IBM’s international survey, 76% of respondents said they felt remote work would increase the time it takes to identify or contain a data breach while 70% said remote work would increase the cost of a data breach.
Taking the Temperature
Whether employees are working in the office or at home, the dynamic nature of cyber threats means businesses must continually review their cybersecurity posture.
Threats evolve, said Easterly. Therefore “cybersecurity is not a set and forget exercise.”
Many of the experts consulted for this article recommend in-depth annual cybersecurity reviews. Reese, of Lockton, recommends it twice a year, then developing a roadmap on actionable items based on that review. “Prioritize the actionable items based upon their potential impact to the company,” she said.
Booz Allen’s Sautter said companies ought to review their cyber posture in real time ideally, and daily at a minimum.
“Staying on top of the ever-changing threat landscape mandates continuous monitoring of systems,” he said. “Real time updates are critically important when working with the government. In their capability model for cybersecurity, organizations must prove they have the mandated security in order to win contracts.”
In the years ahead, many businesses will fall victim to a cyber breach. It is not a matter of if it will happen, but when, said the FBI’s Meisel.
“There are a lot of moving parts for CIRT,” Bybee said, referring to a Computer Incident Response Team. “You should get consulting services to help you get this structure in place, rather than stealing a template off the internet, and calling it done.”
Easterly said a good incident response plan “should be a living document.” It should offer a course of action for all significant incidents to help IT staff stop, contain, eradicate, and recover from an incident.
Such a plan should include an enterprise-wide risk assessment to identify and address vulnerabilities. It should name key team members and stakeholders, spelling out their responsibilities. It should include a business continuity plan. And it should list critical network and data recovery processes.
It should also contain a communications plan, considering interaction with law enforcement and the roles of legal counsel and public relations counsel.
Businesses might review the Federal Trade Commission’s recommendations on its website, Basu said. These can be found at https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.
An incident event log can help business leaders keep track of every step taken during and after a cybersecurity incident, said Easterly. There are several benefits. The record supports a company's legal team and law enforcement both during and after the incident. It also helps a company gauge the efficacy of its response and glean lessons.
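For the log to carry weight with counsel or law enforcement it must be clear that entries were not edited or removed after the fact. The following is an added example, not code from the article or from the Cyber Center of Excellence: a hash-chained incident log in which each entry commits to the previous one, so a later edit or deletion is caught on verification. The entries, actors and timestamps are constructed for the walk-through; the class and function names are this example's own.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # the hash "before" the first entry


def _digest(entry: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) of every field except the
    hash itself, so writer and verifier hash exactly the same bytes."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IncidentLog:
    def __init__(self) -> None:
        self.entries: list = []

    def append(self, actor: str, action: str, ts: Optional[datetime] = None) -> str:
        """Record who did what and when; chain it to the previous entry."""
        when = ts or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "ts": when.isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Latest hash. Recording it somewhere the responders cannot alter
        (a ticket, an e-mail to counsel, a printout) anchors everything
        written before it."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> Optional[int]:
        """Index of the first entry that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo() -> tuple:
    """Constructed walk-through: a clean log, then an edited entry, then a
    deleted entry. Returns verify() for each of the three states."""
    t = datetime(2021, 5, 1, 6, 12, tzinfo=timezone.utc)
    log = IncidentLog()
    log.append("on-call", "EDR alert: ransom note found on fs-01", t)
    log.append("on-call", "isolated fs-01 from the network", t.replace(minute=20))
    log.append("IR lead", "engaged outside counsel; FBI field office notified", t.replace(hour=7))
    clean = log.verify()
    log.entries[1]["action"] = "isolated fs-01 from the network (at 06:13)"  # rewrite history
    edited = log.verify()
    log.entries[1]["hash"] = _digest(log.entries[1])                        # re-hash the edit
    del log.entries[0]                                                      # drop an entry
    deleted = log.verify()
    return clean, edited, deleted


if __name__ == "__main__":
    print(demo())   # (None, 1, 0)
```

The chain only proves integrity relative to its head, so the value returned by head() should be copied out of the responders' hands at intervals (end of each shift, or whenever a report goes to counsel); an attacker who can rewrite the whole file can also rewrite every hash, but cannot change the copies already outside the system.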
“The secret to a good incident response plan is practice,” said Sautter. “There’s no ‘one size fits all’ plan that will work for every organization. That’s why it’s important to regularly test and update your plan. What works today may not work a year from now, especially as technological innovation accelerates.”
Given the importance of information security to the local business community, the San Diego Business Journal will host a panel discussion on best practices in cybersecurity. A recap of the event, "Understanding the Post Pandemic Cyber Threat Landscape," will be published in late July, and the event will be available for viewing on sdbj.com.
Look to the San Diego Business Journal for ongoing coverage of cybersecurity and how San Diego’s cybersecurity community is responding to the challenge.