At the end of 2019, news of a distant epidemic started making headlines. Within a few short weeks, it spread throughout the world. To help prevent further spread of the virus, many were encouraged to work from home.
For most organizations, having workers connect remotely via the Internet, on a casual basis or for support reasons, had been technically viable. Few organizations, however, were equipped with enough capacity to handle the increased volume required for workers connecting from home due to Covid-19. At that time, many organizations did not use multi-factor authentication (MFA) for external connectivity. An often-used “short-term” solution to this problem was to open Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) ports as a temporary measure to accommodate the need for additional remote desktop sessions.
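The exposure just described, RDP or VNC opened to the Internet as a stop-gap, is something a defender can check for in a firewall ruleset. The following Python is an added example, not code from the article or its author; the rule schema, rule names and address ranges are constructed for illustration, and rule ordering (a deny placed before an allow) is deliberately not modelled. It flags any allow rule that admits RDP (3389/tcp) or VNC (5900-5906/tcp) from a source outside RFC 1918 private address space.

```python
import ipaddress
from dataclasses import dataclass

# Ports commonly opened for ad hoc remote desktop access: RDP on 3389/tcp,
# VNC on 5900/tcp for display :0 and 5901-5906 for displays :1 to :6.
RDP_PORT = 3389
VNC_PORTS = range(5900, 5907)

# RFC 1918 private ranges: traffic from these is treated as internal (e.g. over a VPN).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    """One firewall rule in a simplified, assumed format (hypothetical schema)."""
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source CIDR the rule matches
    dport: int    # destination port


def remote_desktop_service(port):
    """Return 'RDP' or 'VNC' if the port belongs to a remote desktop service, else None."""
    if port == RDP_PORT:
        return "RDP"
    if port in VNC_PORTS:
        return "VNC"
    return None


def is_internal_source(cidr):
    """True if the whole source range lies inside RFC 1918 private address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def find_exposed_remote_desktop(rules):
    """Flag allow rules that admit RDP/VNC over TCP from any non-private source.

    Rule ordering is ignored: this is a coarse exposure check, not a full policy evaluation.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.proto != "tcp":
            continue
        service = remote_desktop_service(rule.dport)
        if service is None or is_internal_source(rule.src):
            continue
        findings.append({"rule": rule.name, "service": service, "port": rule.dport, "source": rule.src})
    return findings


# Constructed sample ruleset for the example; not taken from any real environment.
SAMPLE_RULES = [
    Rule("allow-rdp-any", "allow", "tcp", "0.0.0.0/0", 3389),          # exposed to the Internet
    Rule("allow-vnc-office", "allow", "tcp", "203.0.113.0/24", 5901),  # public source range
    Rule("allow-rdp-vpn", "allow", "tcp", "10.8.0.0/16", 3389),        # internal only
    Rule("deny-vnc-any", "deny", "tcp", "0.0.0.0/0", 5900),            # explicit deny
    Rule("allow-https-any", "allow", "tcp", "0.0.0.0/0", 443),         # not a remote desktop port
]

if __name__ == "__main__":
    for f in find_exposed_remote_desktop(SAMPLE_RULES):
        print(f"{f['rule']}: {f['service']} on {f['port']}/tcp reachable from {f['source']}")
```

Run against the constructed ruleset, the check reports the two rules that expose RDP and VNC to public address space and stays silent on the VPN-only RDP rule, the explicit deny and the unrelated HTTPS rule. In practice the same logic would be fed from an export of the real firewall policy, and any hit is a candidate for moving behind a VPN with MFA rather than leaving the port open.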
With these measures being implemented so quickly, many organizations increased their risk of exposure to cyberattacks. Cybercriminals did not fail to notice the massive opportunity. A cybercrime boom was born, complete with a surge in “Ransomware as a Service” (RaaS) attacks, a variation on the “Software as a Service” (SaaS) business model. The 2021 FBI Internet Crime Report shows that between 2019 and 2020 alone, the number of cybersecurity complaints increased by almost 70%.
Today, cybercrimes openly reported in the news are no longer unusual events. What has changed, however, is that such attacks tend to affect a larger number of individuals: stranding airline passengers, causing gasoline shortages, leaking banking customers’ data, crippling hospitals and more. The damage is real; it is visible. It is far-reaching. It affects people’s lives. This is not a “victimless crime”.
In this article, we will be investigating:
- Cyberattack response stakeholder roles and processes
- The impact cyberattacks have on organizations and people
- Risk mitigation investments, points of references and trends
Part 1: Cyberattack Stakeholders & Responses
The chart below shows how quickly digital transactions have changed our lives. As a result, the amount of data we share personally with organizations has increased and the value of that data has increased significantly as well.
Despite its increased value, data, whether stored locally, in the Cloud or in transit, may not be adequately protected and remains vulnerable to cybercriminals. With this in mind, businesses and organizations should ensure that it is backed up, protected and constantly monitored for possible corruption.
The target, in any cyberattack, is data. At first glance, a cyberattack may appear to be a technical issue, with technical solutions. There are in fact three key additional implications and technical recovery is only part of that set. Here is the bigger picture:
1. Legal Considerations:
- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) mandates reporting breaches where personal information may put individuals at risk.
- As custodian of sensitive client information, a company or organization that is hacked or breached via cyberattack may be subject to lawsuits from customers, joint-venture partners and other outside stakeholders who were counting on their data to be properly secured.
2. Insurance considerations:
- Data, in digital form, has become so integral to most company functions that it is now considered an asset.
- Companies and organizations protect their assets against risk with insurance policies. Buildings and vehicles come to mind. Data, either in motion (think of e-commerce, process control systems) or in storage (think of HR personnel information), is also a working asset which warrants protection.
- Insurance companies assess the risk and charge premiums for individual types of coverage. Insurance policies aimed at protecting data from the risk of cyberattacks are one of those.
- If a company has a cyber insurance policy at the time of an attack, the logical next step is to claim that incident against the policy. Working with insurers will give access to expert professional resources. With those additional resources, they can then get back online faster, reduce the risk of legal issues and in some cases handle Press Relations around the incident.
3. Cost Considerations:
- The cost of the ransom payment, if ransomware or data extraction is involved
- Business interruption implications – in 2021, the average time from encryption to full system recovery is one month (see link)
- The cost of recovering data and systems – the technical recovery we described earlier on
- The time it takes to rebuild existing client relationships
- The additional cost of convincing new customers to do business, after a successful cyberattack
Imagine being an IT manager, coming to work on a Monday morning. The first thing you find out is that all the systems you are responsible for are no longer operational. One of the server console screens shows a note describing the terms of a ransom. What’s next?
Business is halted. The phones are ringing. There is a sense of urgency to get things fixed quickly. Cyberattack recovery is intricate by nature. Data may be encrypted, it may be compromised and backup data may also be affected. Data may have been extracted by the hackers. Applications may no longer be operational. Operating systems may be impacted or modified with back-door access points. HR and personnel data, such as SIN or bank account numbers, may be at risk.
On minute one, there is no estimated time for recovery. Understanding the extent of the damage takes time. This is a high-stress situation. Sensitive data may have been stolen, leaked, destroyed, altered, or made unusable on your watch.
What type of attacks are we talking about? How do hackers get started? What type of damage do they cause? The following graph provides an overview of entry points and attack methods:
In this scenario, we made the assumption that the affected organization has cyber insurance coverage. Once past the initial shock, as the IT manager, you will lead that first phone call to the insurer. The following paragraphs will describe what you may be able to expect past that point. As a start, the insurance company will recommend using two distinct services:
1. The immediate technical emergency is a prime concern. A recommendation will be made to hire a trusted third-party cybersecurity consulting company, with one or more of the following capabilities, depending on the specific requirements:
- Data and system recovery experts
- Ransomware negotiation experience
- Digital forensic experts
- Cybersecurity specialists
Trust, experience and proven competence are key factors in this choice.
2. To coordinate the recovery, which is almost invariably complex, a breach coach will be assigned. The breach coach is almost always a lawyer. This is to address the foreseeable legal issues to come, after a cyberattack, in effect providing both the coaching advice and the legal counsel.
One of the most common risks resulting from a cyberattack is that Personally Identifiable Information (PII) or Protected Health Information (PHI) may be divulged. In addition, confidential corporate data, such as patents or confidential company information, may also be at risk. The role of the breach coach is to guide the organization in identifying the requirements related to data privacy and to help advise on retaining competent, trusted third-party providers to help control and contain post-attack damage. These include:
- Hiring credit monitoring services
- Advising on Public Relations strategies and specialists
- Ensuring post-breach obligations are satisfied for each of the jurisdictions that the company operates in.
- In many cases, advising on which technical recovery service companies (mentioned in point 1 above) may be used.
The cybersecurity provider appointed to perform the immediate data and system recovery services will carry out the first evaluation of the work to be done and provide a Statement of Work (SoW) to the insurance company. If this is approved, the recovery work will go ahead, under the guidance of the breach coach.
Post-cyberattack recovery tasks typically fall into one of three categories:
1. Ransomware negotiations (if a ransom is involved)
   - Evidence collection
   - Ransomware negotiation, with the aim of reducing the ransom and still getting the decryption key
   - Decryption and data recovery
2. Forensics (if data has been exfiltrated)
   - Evidence collection
   - The root-cause investigation, compromise assessment
3. Post-breach remediation
   - Post-breach evidence collection
   - Help and remediation for:
     - Decrypting data
     - Network vulnerability review
     - Active Directory/Domain Controller
     - Hypervisor infrastructure
     - Email systems vulnerability review
     - Server rebuild
     - Backup rebuild
     - Cloud solution security
     - Dark web search
The scenario above involves an insurance company, a breach coach and an outsourced technical consulting service. Not all companies are insured, nor will they necessarily have access to all these specific resources. Experience shows, however, that having access to a team of experts, who deal with these issues every day, makes recovery significantly less stressful and increases the chances of a faster recovery. Other elements that invariably help in such circumstances are a well-structured, well-practiced disaster recovery plan (DRP), business continuity plan (BCP) and an up-to-date Configuration Management Database (CMDB).
Part 2: The Impact: What is the true cost of a Cyberattack?
Cyberattack recovery is both time-consuming and expensive. In Canada, the average cost of a ransomware attack was USD$1,249,701 in 2021. Source: Emsisoft (see link). There are many aspects and possible damages to consider, understand and remediate. Let’s look at a real-world example: the situation of the City of Saint John, the provincial capital of New Brunswick, population 70K. In November 2020, this municipal government organization was the victim of a phishing cyberattack. Note the cost of remediation: nearly $3M.
Phishing email – followed by
In this case, a public organization suffered a business email compromise (BEC) with no ransomware; the entire cost was spent on recovery services and equipment rebuilding. Realistically, this situation could have been much worse. Over and above ransoms, lack of preparation, poor backup practices and leaks of confidential data can add to the cost.
Cyberattacks are pernicious in nature. While the immediate visible impact is significant, there may be further, long-lasting damage. To quantify the full effect of cyberattacks, Oxford University researchers have identified no less than 57 individual adverse effects, split into 5 broad categories. The initial cost of not being able to function as a business is just the beginning. Not all specific effects listed below will be experienced by all organizations. The extent of the damage, however, will be inversely proportional to preparedness.
Part 3: Cybersecurity Risk Mitigation Investment: How much is enough?
In California, the Security Breach and Information Act was implemented in 2003. This is the earliest cybersecurity-specific law of its type to be implemented. Many states and many countries have followed suit, implementing their own; Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Europe’s General Data Protection Regulation (GDPR) are examples of those.
These laws are not designed to dictate the use of specific technologies, but rather to set out “data protection requirements”.
When evaluating what the “right amount” of investment in cybersecurity may be, understanding how well those requirements are met is one way to gauge what may be needed.
There are three points to examine, with the aim of achieving a “reasonable” or “adequate” security balance:
- The basic need to meet the internal security goals, corporate data protection and business continuity
- The need to meet external legal obligations imposed by privacy laws, such as PIPEDA or GDPR.
- The need to balance costs of security and insurance requirements, against the value of the data and the effort required to access that same data.
When considering mitigating the risk of cyberattack, organizations have the following options:
1. Accept the risk -> not a desirable position
2. Avoid the risk -> not a realistic position
3. Transfer the risk -> get cybersecurity insurance coverage and hope that the insurer will absorb the cost if the risk is realized
4. Reduce the risk -> get outside cybersecurity help from a specialized outsource company to harden the IT infrastructure
5. Hedge against the risk -> reduce and transfer the risk by implementing both (3) and (4) – the “belt and suspenders” approach
The graphs below show a clear correlation between the global increased cost of cyberattacks and cyber insurance premiums. For many organizations, transferring the risk with cybersecurity insurance coverage may soon be conditional on showing that every effort has been made to harden against cyberattacks.
Figure: Amount of monetary damage caused by reported cybercrime to the FBI Internet Crime Complaint Center (IC3) from 2001 to 2020 (in million U.S. dollars). Note: 2010 figure not available from IC3.
Figure: Premium Change for Cyber Insurance Coverage, Q4 2016 – Q4 2021.
An investment in reducing cyber risk has both short and long-term benefits:
- In the short term:
  - The cost of prevention is invariably cheaper than the cost of recovering from a cyberattack.
  - Being prepared is being ready. Industry-standard cybersecurity measures are now becoming a prerequisite to being eligible for cyber insurance coverage.
- In the long term:
  - Reducing the chance of an attack being successful.
  - Proactively protecting data improves the safety of information related to individuals such as personnel and clients, Personally Identifiable Information (PII), Protected Health Information (PHI) data and any other sensitive information.
  - Customers have greater confidence in a supplier who invests in data security.
  - Some cybersecurity providers offer warranties in the event of a network breach, for customers covered under their managed monitoring services.
The aim is to ensure the data in custody would be reasonably safe from attacks while remaining functional and usable. There must be a balance. Over-securing could either make the data unusable or simply cost more than the value being protected.
In 1736, Benjamin Franklin helped create the “Union Fire Company” in Philadelphia. This became a model for subsequent modern municipal fire departments. On the topic of urban fire damage potential, he was famously quoted as advising that “An ounce of prevention is worth a pound of cure.”
Using the fire analogy, arson attack methods have not changed much for centuries. By comparison, cyberattacks constantly morph and evolve. They are moving targets. Defending against them is a continuous challenge, forcing every Internet-facing entity to continuously anticipate and adapt. Successful or not, instances of cyberattacks are increasingly common. In the past, companies that fell victim to such attacks experienced some measure of “shame” for having to admit that they had been hacked. The new reality is that for most organizations, the current outlook on cyberattacks is closer to “will we be prepared when it happens?”.
Cyberattacks may never be totally eradicated. The key question is: how should a company or organization plan their cybersecurity protection? Security in layers, including but not limited to the following elements, is a good start:
- Top-level sponsorship for cybersecurity initiatives is number one
- People – setting up security training, phishing simulations, tabletop exercises to walk through security exposure scenarios
- Processes – implementing a disaster recovery plan, complete with yearly disaster recovery practices, reviews and updates
- Technologies – firewalls, Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), email protection, network segmentation, zero-trust security structures, Multi-Factor Authentication (MFA) and automated monitoring
- Recurring security audits, penetration testing exercises, and network and infrastructure reviews, using outside, independent specialized vendors
In the not-so-distant future, a consistent focus on prevention – reasonable cybersecurity protection – as opposed to remediation, will likely become the default practice. If not fewer attacks, this should lead to fewer successful attacks.
One could be tempted to read the article above as an elaborate promotion for cybersecurity, legal and insurance services. The reality is that it aims to educate. In doing so, it illustrates that Mr Franklin’s 1736 observation still stands today: prevention is less expensive than cure.
References & Abbreviations:
- BCP – Business continuity plan – a plan describing a system of prevention and recovery procedures, in case of operational threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
- BEC – Business Email Compromise – a scam targeting companies which have foreign suppliers and use wire transfers. BEC relies heavily on social engineering.
- CMDB – Configuration Management Database – an ITIL term for a database used by an organization to store information about hardware and software assets.
- Cryptojacking – the act of hijacking a computer to mine cryptocurrencies against the user’s will, typically through websites and while the user is unaware. The cryptocurrencies mined most often are privacy coins with hidden transaction histories, such as Monero and Zcash.
- DRP – Disaster Recovery Plan – a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan (BCP).
- eDiscovery – the discovery, in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format.
- EDR – Endpoint Detection and Response – a cybersecurity technology that continually monitors an “endpoint” (e.g. mobile phone, laptop, Internet-of-Things device) to mitigate malicious cyber threats.
- GDPR – General Data Protection Regulation – the European Union (EU) law on data protection and privacy.
- ITIL – Information Technology Infrastructure Library – a set of detailed practices for IT activities such as IT service management (ITSM) and IT asset management (ITAM) that focus on aligning IT services with the needs of the business.
- MFA – Multi-Factor Authentication
- PHI – Protected Health Information – interpreted rather broadly and includes any part of a patient’s medical record or payment history.
- PII – Personally Identifiable Information – any information related to an identifiable person.
- PIPEDA – Personal Information Protection and Electronic Documents Act – the Canadian law relating to data privacy.
- RaaS – Ransomware as a Service – a business model used by tech-savvy criminals selling or renting working ransomware technology to other cybercriminals.
- SIEM – Security Information and Event Management systems – a specialized software system providing real-time analysis of security alerts generated by several combined sources, including applications and network services.
- Social Engineering – the psychological manipulation of people into performing actions or divulging confidential information.
- UEBA – User and Entity Behavior Analytics – software which uses AI to learn normal user conduct patterns. It can subsequently trigger alarms in real time if behavior deviates from “normal”.
- VNC – Virtual Network Computing – a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.