Recently, the State of New York has taken steps towards passing the nation’s first cybersecurity regulation which explicitly tells financial organizations in New York what they must do in their security program. You can read an overview of this in the article, “Full Employment for CISOs in New York.”
The main question I have is, does it make sense to legislate the details of a security program versus allowing organizations to build programs that meet the business needs and risk tolerance of their organizations?
Before I answer that question, let me first state that overall, I believe the directives in the regulation generally make sense. In fact, they are practices that most security professionals would have as part of their standard operating procedures. It is a little odd though that they explicitly call out two technology areas – multi-factor authentication and encryption – for inclusion, while staying very high-level on the other security control areas. Again, not that multi-factor authentication and encryption are bad areas to focus on, but why are those included and while other important security controls, such as email security, Web security, anti-virus, identity management, and many other security categories?
Now back to the main question of this blog, is legally requiring specific security practices a good thing? My take is no. However, should regulators consider cybersecurity as part of their supervisory responsibilities? Yes, as part of their view of the organization’s risk management program. Ultimately, organizations are responsible for their own risk management programs and how much risk they can tolerate and how best to mitigate that risk.
Just as regulators don’t direct in detail other aspects of the organization’s business practices, nor should they do it for their cyber risk management practices. There are just too many opportunities for unintended consequences to arise. For example in my experience the more detailed the regulation, it not only becomes overwhelming for the CISO looking to implement, but there’s also a greater chance that the security program turns into a checklist program and not a risk management focused one.
I realize it is a bit cheeky for me to make security resolutions for your security program, but I believe you will find these recommendations to be straightforward and highly actionable. In no particular order:
- If you can’t do it, outsource it. Don’t not do it because you don’t have the expertise or the capital budget to buy or manage the particular security control in question. Now more than ever many security controls can be consumed as services as opposed to being purchased in the form of software or hardware appliances. Increasingly security professionals, just like their cousins in the IT department, can leverage the cloud to get the services they need and save money and time to boot. Security professionals should use 2017 to accelerate their transformation from owning every aspect of the implementation and maintenance of the control to being the strategists and architects of their security controls.
- Plan for an incident response now, well before you need to use it. In this era of near certainty of business impacting security incidents, it’s key to plan now for the variety incidents that will likely hit your business. You know what they are likely to be: ransomware, DDOS attacks, email-borne impersonation attacks, botnet infections, insider threats – malicious, accidental, policy violating, and a handful of others. Work with the relevant functions around your organization, write your incident response plan down and run a table-top exercise or two in 2017. It is much better to do it in theory once or twice before you have to do it for real.
- Make employee security awareness training an everyday affair and not a once a year, video watching boredom fest. While no security program should wholly rely on employees to save them from security incidents, having well-informed and engaged employees greatly helps reduce the risk and mitigate the damage of the inevitable breach. Pushing out a 30-minute video once a year does not. Attacks are dynamic and unpredictable, and so should be the user training. Build informative user messages and tests into the daily operation of your security program. When employees do the right thing, let them know. When they don’t, help them understand why what they did was risky. For example, make it easy for them to report likely spam and other suspicious emails. If you must block something they did, like visiting a sketchy Web site, make sure you tell them why they were blocked and what their options are.
- Evaluate your critical business processes and make sure that they are not completely vulnerable to hacked IT systems or the impersonation of executives or critical partners. Given how easy it is to spoof or hack an organization’s email, it is amazing to see how many business processes are 100% dependent on trusting the content in emails. One needs only to consider the number of fraudulent wire transfers that are generated from simple email requests apparently from executives or business partners to understand the absurdity of fully trusting an email. Please make sure every business process of an importance of yours has automated fraud inspection and out-of-band checks-and-balances that are built-in to the process. Don’t expect your users to be the first and last line of defense.
- I realize this resolution is like requesting three more wishes as your third wish from the Genie (Genies don’t go for that by the way), but I strongly recommend leveraging the SANS 20 Critical Security Controls as a key security framework to benchmark your organization for 2017 and beyond. While there is a lot of depth behind these 20 controls, overall I find this SANS list to be both simple and comprehensive. A great framework to use to frame your security resolutions for 2017 and beyond.
For a quick resource, here’s an eBook from Mimecast outlining five tips to combat email-based attacks.
Last week we launched our first of three videos called “Meet Jim, A Model Employee … and Phishing Target” where Jeremy Piven discusses a major cybersecurity issue hitting organizations on a daily basis. The issue that was covered was phishing attacks that target innocent employees to take action that puts their personal information at risk and would take control of the corporate network. The message seems to be resonating with over 142,000 views within one week.
The second video that we are launching this week called “Ransomware Just Put Katie’s System Into Lockdown” centers around the major issue of ransomware and again, how an innocent employee who is getting hundreds of resumes for her role as an HR recruiter, gets duped to download malware by opening up a resume sent as a Word document. The malware ends up being ransomware and locks-up her machine until she pays a ransom to release her data.
The Federal Bureau of Investigation said ransomware attacks cost victims $209 million in the first three months of the year, which is about $330,000 an incident. And, almost 40 percent of enterprises have been hit by ransomware in the last year.
Here are three things to consider when it comes to ransomware:
- Ransomware cybercrime kits are readily accessible on the black market, enabling non-technical cybercriminals to license and deploy them in the execution of a ransomware campaign.
- Most organizations focus only on prevention, without formulating a “Plan B” to rely on when prevention doesn’t work. Traditional preventive systems, such as AV, are increasingly unable to detect and block the constantly changing flavors of ransomware.
- There is no single “ransomware security product” available. Since no single product can provide adequate protection because of the multifaceted nature of ransomware, and the creativity of the attackers who wield it, protection from ransomware must also be multi-faceted.
So, what happens when ransomware hits an organization? A lot:
- Organizations suffer from crippled productivity.
- Employees are locked out of vital productivity tools like email, calendars and contact lists, as well as other applications and files on affected systems.
- Customers are often impacted because customer-facing operations that are highly dependent on IT are not functional.
- Organizations often succumb to the pressure to pay the ransom to regain access to their applications and data, motivating and financing attackers to expand their ransomware campaigns.
- Data can be lost, damaged or corrupted after an attack, as not all ransomware is bug- free. And, in some cases, the attackers, if not paid in a timely manner, will destroy the decryption keys or some of your data in retribution.
As cybersecurity issues, such as ransomware, continue to be top-of-mind, Mimecast is committed to educating the millions of employees, C-Suite and board members on the impact of not only cyberthreats but also, the fact that employees take an inadvertent active role as a trusted insider to launch an attack against the company.
Telling the story of who your company is, and what you do is a consistent struggle for any business. As the nature of cyberattacks continues to evolve and get more interest beyond IT and Infosec, we here at Mimecast took an approach to conveying the problems organizations face in a way that everyone can understand. In other words….information security has gone mainstream and everyone is talking about it.
Because of this, we're taking a different approach to engaging the market. We're adding personality and a familiar face to convey the passion we have each and every day at solving major cybersecurity issues for global organizations.
That is why we engaged one of my favorite actors - Jeremy Piven a.k.a Mr. Selfridge or Ari Gold.
Working with Jeremy Piven and the production team was a great experience. Jeremy is a true artist with a strong desire for perfection and challenged us to help him convey the problem in a way that everyone can understand. Being that I have worked in the information security industry for over 16 years, I have found that we (the proverbial InfoSec vendors and professionals) overcomplicate the problem organizations face…only to leave the Board of Directors and the C-suite wondering what the true ROI is on their Infosec spend. The challenge was accepted by our team and we came up with an approach and message that everyone can understand within 60 seconds. The commercial project was an amazing and humbling experience that resulted in a three-part video series that will be rolling out over the next several weeks. The first of three video segments begins this week with our Protect Against Malicious Email URL Attacks video.
So you can get a sense of the problem the market is facing and our solution that helps protect against phishing attacks, below is the script of the first video for your reference.
JEREMY PIVEN: This is Jim. Jim is a model employee. So, when Jim gets an e-mail with the subject line "Employee Survey" with instructions to "click here to complete the survey", he eagerly clicks the link to provide his feedback.
JEREMY PIVEN: What Jim doesn't know is that e-mail was actually a phishing scam, and by clicking that URL, he just downloaded a remote access trojan that has given a cybercriminal remote access to his
computer and the corporate network.
JIM: No, no, no, no. . .
JEREMY PIVEN: Phishing scams like these, fooling innocent employees, happen every day and can cost your company thousands.
JEREMY PIVEN: For protection from cyberattacks like these, get Mimecast.
JEREMY PIVEN: Industry leading protection from spear-phishing, impersonation, and ransomware attacks.
JEREMY PIVEN: Mimecast, making email safer for business.
JEREMY PIVEN: It'll be alright.
As information security continues to be top of mind for businesses and continues to go “mainstream,” I challenge the rest of the security industry to commit to educating all businesses and their employees, C-suite and Board of Directors to better understand the impact of cyberattacks. Also, let’s educate them on how to best safeguard against different types of email attacks and the role employees play in launching an attack. I say, challenge accepted.