Millions Paid in Ransomware Attack or Is it time to review where you stand on privacy and security concerns?

The article below was distributed on June 16th to a private audience of decision makers and business leaders. If you wish to be included in future private distributions, please contact the author via the method listed in the profile.

New York Times, May 8, 2021 –

A U.S. pipeline was shut down, and the things that could go wrong did go wrong. Colonial Pipeline (a privately held corporation) paid about $5 million in bitcoin to the attackers in the ransomware attack, according to press reports. In a vaguely worded statement, Colonial Pipeline indicated that its corporate computer networks were the target of the attack. “The company said it had shut down the pipeline itself, a precautionary act, apparently for fear that the hackers might have obtained information that would enable them to attack susceptible parts of the pipeline”.

Bloomberg, May 31, 2021 –

“A cyberattack on JBS SA, the largest meat producer globally, forced the shutdown of all its U.S. beef plants, wiping out output from the facilities that supply almost a quarter of American supplies.” Backup servers were not affected, and the company worked to restore its systems. President Biden directed his administration to do whatever it could to mitigate the impact. JBS subsequently confirmed that it paid the equivalent of $11 million in bitcoin to the attackers.

Observations

The shutdown of two global enterprises within a month shows that infrastructure risk now carries direct financial consequences: either acquiesce to the ransom demand, or incur large professional fees to identify and correct the shortcomings in the enterprise infrastructure that the attack exposed.

President Biden’s effort to mitigate the impacts amounts to empty words, since U.S. federal, state and local government infrastructure has been beset by significant breaches over the past several years, with targets including the IRS, the Consumer Product Safety Commission, the Department of Defense, various state unemployment systems and many of the government programs created to aid businesses during the Covid-19 pandemic. Looking at the current track record, things have not gotten better but much worse, with overall breaches setting new records and exceeding the historic highs set in 2017. With the billions of dollars spent on infrastructure security, shouldn’t the curve be heading downwards?

These reported breaches were carried out against large enterprises by “A Team” attackers. That success will encourage the thousands of “B Team” wannabes to assault the SMB space, which represents approximately 85% of American business. The greatest threat here is that these breaches will go unreported and uncorrected, for a variety of reasons.

Smaller enterprises do not invest in privacy and security to the degree necessary to prevent disruption and theft. Too many individuals claim expertise in the privacy and security space. Reviewing their personal profiles, it becomes apparent that they targeted this space because of demand and growth opportunity, only to wreak havoc and confusion, alongside graduates from educational institutions who hold credentials but have no relevant experience. Was ISACA (Information Systems Audit and Control Association) wrong when its State of Cybersecurity research found that fewer than one in four candidates for cybersecurity roles are qualified? Think about it: if that ratio carries over to the people already holding those roles, three out of four are not qualified for the position. Knowing this, SMB investment in something viewed as overhead rather than revenue enhancing does not take place, for a variety of reasons:

·        Improperly structured or missing security and privacy standards and protocols

·        Inadequately trained and inexperienced personnel

·        It is easier to buy a product than to invest in proper training

·        Lack of understanding and trust at the Board and Executive Leadership team levels

·        Processes not integrated properly within the organization, decreasing business resiliency

·        As a result, ignoring the threat on the assumption that it will happen to someone else, and not “here”, is treated as a viable risk-avoidance tactic

The following items, based on the ISO information security and risk management standards (the ISO/IEC 27000 series and ISO 31000), define the major objectives for developing a resilient and effective security and privacy model:

·        Risk Framework and Enterprise Awareness

·        Executive buy-in and endorsement

·        Corporate Policy and specific procedures

·        Overall Security Framework

·        Risk Assessments and Management Responses

·        Maturity Model, measured over time

·        Reviews and updates

Every business that needs to define governance and policy standards enterprise-wide should have, maintain and review the following documents:

·        Risk Management Framework

·        Risk Management Policy

·        Control Self Assessments

·        Business Risk Assessment Template

·        Third-Party Security and Privacy Self-Assessment

·        Business Continuity Plan

·        Privacy Policy

·        Privacy Incident Report

·        Information Security Policy

·        Security Awareness and Acceptable Risk

·        Records Management Policy

·        Records Classification and Retention Schedule

·        Data Classification Standard

·        Transfer, Offsite Storage and Disposal Standard

·        Equipment Return, Reuse and Disposal Standard

·        Payment Card Industry (PCI) and PII Standard

·        Security Incident Management Standard and Procedure

·        Security Incident Report

·        System Development Life Cycle
Opinion

Fractional retention of professional services in the SMB space is not a foreign concept. Many organizations already use Chief Financial Officers, Human Resource Directors, Project Leaders and Graphic Web Designers on an as-needed basis.

Fractional Privacy and Security professionals are a little more difficult to introduce into an organization. The resiliency of an organization can be undermined by failures in many places: the accounting department and its ERP system; infrastructure support and management; senior management roles; sales and sales operations (business RFI/RFP risk and response); and gaps in industry-specific experience, breadth of experience and years in the industry. Privacy and security are an enterprise-wide responsibility.

So, when it comes to implementing a more robust security framework, don’t hire the professional who has worked for four different enterprises in four years (with 2 years and 7 months at one employer). Choose wisely, weighing instant, copious facts pulled from Google against seasoned wisdom with a proven track record derived from experience in a variety of environments.

Is it easier to run without discipline and direction and call the effort “lean and mean”? Knowledge without experience is reckless and repeats the same mistakes. Your business could be at risk.

More articles by Roman Michael Pawnyk