Thursday, September 30, 2021

Medical Device Cybersecurity Is Real - How To Protect Your Employees

Hey Everybody,

We all know that the Cyber Threat Landscape is changing out there in ways that we have never imagined before.  A lot of this has been fueled by the recent wave of Ransomware attacks, most notably the ones from SolarWinds and the Colonial Gas Pipeline.  But believe it or not, the healthcare industry has always been a ripe target for Cyberattackers.

Why is this so?  Well, apart from housing Personally Identifiable Information (PII) datasets in their respective databases, they also store other pieces of confidential data, namely your own Health Records.  If these are compromised in any way, they can be used to launch Identity Theft attacks against you.  But there is yet another aspect that poses a grave risk:  Medical devices.

Just because you have a device that is implanted into you, you may think that you are safe.  However, this is far from the truth.  Many of these medical devices are connected to others via what is known as the “Internet of Things”, or “IoT” for short.  With this huge level of interconnectivity, all the Cyberattacker has to do now is simply find a way in and manipulate the medical device you have, in order to cause damage.

For example, your pacemaker could be thrown off of its rhythm, putting your heart in grave danger.  Or the dialysis machine could be tampered with, literally shutting your kidneys down.  Does this sound scary enough?  How do you mitigate the risk of this happening to you?

Listen in to our podcast for answers.  We have the honor and privilege of interviewing Ed Harshberger, a consultant for TechSafe Systems.  He has vast experience in combating Cyber threats against Medical Devices and wants to help you out.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB109CCFD2FMAH


Sunday, September 26, 2021

How An SMB Can Afford Enterprise Grade Managed Services

Hey Everybody,

Ever since COVID19 hit about a year ago and reached its climax, many buzzwords have been invented that are still being thrown about today.  Some of them include “Social Distancing”, the “Remote Workforce”, “Mask Up”, “Essential Company”, “Non-Essential Business”, etc.

Now with the delta variant coming about, the fears of another modified lockdown are becoming real.  So it is the latter two that you hear over and over again.

Essential businesses are those that have to remain open in order to serve the needs of the public in a reasonable way.  These include grocery stores, medical practices, and other industries such as accounting, financial, and even legal ones.

But for these essential types of businesses, it can be difficult to procure the needed Cybersecurity services because of the higher costs that are involved.

Many Cyber vendors are cognizant of this fact and are trying to make these much-needed services available to these kinds of businesses.  One of these is known as Christo IT Services, and they focus exclusively on the industries just described.

One of the founding partners of this company is Christopher Schalleur.  Listen in to see how they help these much-needed businesses.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB10C321FIVJ9M

Saturday, September 25, 2021

To The SMB Owner: Why You Need To Worry About Data Privacy

There was a time, who knows how many years ago, when we could submit our confidential and private information without any fear of it being hacked.  For example, we could give our credit card numbers over the phone in order to make purchases, or even share our Social Security Numbers with our healthcare providers without having to sign 20+ pages of compliance paperwork.

Heck, back then, if we asked our PCP to share the results of a medical test with a family member, they would do so gladly, and not have to worry about HIPAA.

But of course, all of that has changed greatly, given the current state of the Cyber Threat Landscape, and especially that of the COVID19 pandemic.  For instance, if we want to open up a new brokerage account, there is a ton of compliance-related paperwork that one must sign before a financial advisor-client relationship can even be cultivated.  The same is true of the healthcare industry.

For instance, if you have an HMO plan and need a referral from your PCP to see a specialist, that doctor will not even see you until you have completed all of the mountains of paperwork.

Not only do we have these headaches to deal with, but we also now have to be on guard all the time to make sure that not only our confidential, but even our financial information and data have not been tampered with.

Heck, you could probably even give yourself a full-time job just trying to keep track of all of this.  Now, this is just for the individual.  Just imagine what businesses must go through in this regard.

Not only must they take every step to make sure that the Personally Identifiable Information (PII) datasets of their employees are safeguarded, but they must make sure that they come into compliance with the statutes and provisions of just about every Data Privacy Law that is out there, especially those of HIPAA, the GDPR, etc.

If they don’t comply, then the company in question could very well face some serious audits and financial penalties (for example, under the GDPR, it can be as high as 4% of the gross revenue that has been generated).  So, this is what things look like now with Data Privacy.  What does the future hold for it?  Well, according to Gartner, here is what it could look like:

*A balance will be struck:

When the COVID19 pandemic hit us hard last year, the rush to WFH transpired.  Employers were in a fast scramble to get everybody situated and in place, and once the dust settled on that, the next major concern was the actual productivity that would occur, and rightfully so.  Because so many companies across Corporate America were obsessed with snooping in on what their employees were doing in the name of security, many remote workers felt that their right to privacy was being invaded.  This led to a huge backlash in the level of trust that had been fostered before COVID19 hit.  But now that the Remote Workforce looks like it is going to be a permanent fixture for the long haul, companies are starting to realize that they are going to have to strike a balance between trust and not snooping in all of the time on their employees’ devices.  But truth be told, as long as the individual is still an employee of the said company, there really is no violation of privacy if their employer decides to intrude to see what they are doing.  After all, they are using company owned equipment and company data.  In this regard, any court of law will side with the employer.  But in the end, there still needs to be that balance in order to make sure that the level of productivity is enhanced so that the company can still be viable in these crazy times.

*CX and UX will join forces:

In the world of website creation and design, these are acronyms that stand for User Experience (UX) and Customer Experience (CX).  There is a lot more technicality that goes into this, but long story short, this is where you want to have your prospect or customer feel comfortable when they visit your website and have an overall great experience in doing so.  The thinking here is that if they feel this way, they will then have a much stronger tendency to purchase products and services from your online store.  But now, companies are starting to realize that if they can give the customer or prospect a feeling of security when they visit their website (especially when they submit their information and data), that will be even more of a motivating factor to purchase something.  Just think about it:  If you went to the store of an online merchant and had a great feeling of being secure, wouldn’t that tempt you to buy something?  I certainly would.  So as a result of this, businesses are now trying to embed that feeling of data privacy into all of the pages of their respective websites.  But there is a flip side to this:  Have you ever noticed that when you visit a website, there is always this thing about using cookies, and when you fill out the contact form, you agree to abide by the terms of privacy?  Yes, these are sort of annoying, but they will only multiply by at least 10X when the worlds of CX and UX come together.  Although the intent is to make you feel secure, you could very easily get turned off by all of these notices and even go somewhere else as a result.

*The usage of DRAs:

This is an acronym that merely stands for “Data Risk Assessment”.  Really, there is nothing new about this: it is where you use a template that is provided by NIST or some other government-based compliance entity to conduct your own Risk Assessment.  Essentially, this is where you take an inventory of all of your digital assets and rank them according to their degree of vulnerability to being hacked, especially when it comes to the PII datasets, as previously described.  This no doubt can be a laborious and very time-consuming process to go through.  But with recent advances in both Artificial Intelligence (AI) and Machine Learning (ML), it is highly anticipated that this kind of risk assessment will become automated.  The advantages of this are that not only can it be done in a matter of minutes, but it can be done on a real-time basis as well, whenever you want to do it.  By showcasing this, companies can give both customers and prospects an extra sense of ease that their PII datasets are being well looked after.

My Thoughts On This

Whether we like it or not, data will be constantly around us, whether it is in our personal or professional lives.  The key now is to successfully manage this huge influx and saturation, but also maintain a proactive mindset in protecting our PII.

As I have stated before, we are all at risk of being hacked, but the key is how to mitigate the chances of it actually happening to you.  Also keep in mind that the GDPR and the CCPA have given consumers a lot of extra power to wield over businesses when it comes to asking how their PII datasets are being used, in what ways, and even having them deleted.

Under these new laws, the company must respond back to you within a prescribed time frame.  But the downside here is that your ability to file a lawsuit that could gain traction in a court of law is greatly reduced.  From here on out, the world of Data Privacy is going to be an ever-evolving one, so stay tuned as I put more stuff on this, especially as new laws are passed with respect to it.

Thursday, September 23, 2021

Why Creating Good Cyber Habits Is So Hard & How To Overcome It

Many of our habits are ingrained and instilled in us from when we are very young, but keep in mind that habit formation can still transpire even well into adulthood.

Anybody or anything can shape our behavior towards certain things in life, but the common denominator in all of this is that when New Year’s rolls around, and we promise to break old habits and start new ones, we always go back to the way we were, no matter how much effort we put in.

Now, I am by no means a psychologist in any way, and I too have been stuck in my ways for a long time.

I keep thinking to myself that I am going to change some old habits of mine and start new ones.  But more than 90% of the time, I go back to my old ways, something which I am not too proud to say.  But one of the key things that we have to learn in life is how to keep our personal habits separate from our professional habits.  If you think about this, it is an even harder task to accomplish.

After all, we always want to leave the best impression that we can, not only with our supervisors and coworkers, but with our customers as well.  And this is even more true in the world of Cybersecurity.  After all, we do not want to blend our “bad habits” into what we do for a living every day, as there is too much at stake here.

So, what are some key, good habits that you, the Cybersecurity professional, need to maintain at all times while you are on the job?  Here are some key traits to be consciously on the lookout for, and to try to adopt:

*Keep abreast of the latest frameworks:

Now I realize that this is a tough one.  For instance, there are tons of them out there, a lot of them from NIST as well as others from the more established Cyber vendors, but you don’t need to stay on top of each and every one of them.  It’s almost impossible unless you have a photographic memory.  So in this case, you should have a serious talk with your CISO and IT Security team and try to figure out which framework your company wants to adopt and make use of going forward.  In this regard, one of the most popular ones to use is that of MITRE ATT&CK.  The link for this is below:

https://attack.mitre.org/

This framework is about as real-world as it can get, as the bulk of this knowledge comes from observations submitted by other Cyber professionals.  So if you choose to use this framework, make sure that you are reviewing it at least once a week or so to keep on top of any updates that are made to it.

*Keep an eye on what is real:

Let’s face it, burnout in the Cyber industry is quite high right now, and one of the main drivers for this is what is known in the jargon as “Alert Fatigue”.  Simply put, this is where the IT Security team is so inundated with all of the information and data that they receive that they let legitimate warnings and alerts literally fall through the cracks because they are so exhausted.  What can be done about this?  It is simple: make use of both AI and SIEM tools.  With the former, it can automatically filter down to only the real threats, and with the latter, they are all presented to you in one harmonious dashboard so you do not have to comb through hundreds of screens.  If you don’t have this in place, talk to your CISO about it ASAP, and get it implemented quickly.  This is now a must have given the heightened level of Ransomware attacks that we are seeing these days.

*Maintain a proactive stance:

This is one of those good habits that unfortunately takes a long time to build, and usually has to come straight from the top, especially from your CISO.  Not only that, but this takes an enormous conscious effort as well.  But it is important to keep in mind here that you do not have to do this all overnight.  Creating a good habit takes a lot of time to accomplish.  Instead, break it down into bits.  For example, as it relates to Cyber, perhaps engage first in preemptive actions, like conducting a Threat Hunting exercise each week for a certain part of your IT/Network Infrastructure, to make sure that there are no malicious actors lurking around in there and moving in a lateral fashion.

*Keep up with the triaging:

This goes back to the second point that I just talked about.  Now that you have the tools (AI and SIEM) to help weed out the false positives, the next mission for the IT Security team is to triage them in the proper, escalating fashion so that they can be acted upon.  True, you could also automate this process as well, but IMHO, this takes a human eye to do.  Keep in mind that you have to plug certain rules and permutations into the AI system of what to look out for.  It is not yet a perfect science.  So in this instance, these tools may not be able to do the proper sort of escalation (meaning, something that is urgent may be marked merely as “important”), thus still requiring human intervention.

My Thoughts On This:

Well, there you have it, some key behavioral traits that not only you, but the rest of your IT Security team and even the CISO have to instill in themselves.  This is an area of human behavior that cannot be pushed off, especially given the Cyber Threat Landscape that we are faced with today.  But as I have mentioned before, starting up a good habit not only takes a lot of time, but a lot of hard work as well.

But don’t take things in one huge gulp, as you will face an even more severe layer of burnout.  Instead, try to adopt these good characteristics a bit at a time, until they become fully ingrained in you and your team.

Sunday, September 19, 2021

Tax Time Means Prime Time For The Cyberattacker: 4 Quick Ways For The SMB To Stay Safe

Well hey everybody out there, Happy Weekend!!  Guess what!?!?  If you filed for a tax extension, you are going to have to pay next month.  This also happens to be one of the prime seasons for the Cyberattacker to come out of hiding.

The reason for this is clear and simple:  In one fell swoop, they can collect a treasure trove of Personally Identifiable Information (PII) datasets from people all over the United States, and in fact the entire world, if they have to file taxes here in the United States.

But now, their tactic has changed.  It is not so much going after individuals, but rather the IRS itself and pretty much all of the tax accountants that they can get their hands on.

Why are they doing it this way?  Well, the answer is simple:  Rather than just go after one individual, why not go after an entity that has more PII datasets that can be garnered in one shot, as just described?  Once again, one will never be 100% immune from being a victim, but the key is in mitigating that risk.

Although you have the ultimate responsibility to make sure your confidential information and data is safe, the other parties have an equal stake as well, and must be cognizant of the fact that they need to do their part too.

So what can be done?  Here are some strategies:

*Your accountant should be implementing training programs:

Yes, this is a subject that has been labored on before who knows how many times, but your accountant should be holding regular security awareness training seminars for their employees, if the company is large enough.  If it is not, then your accountant themselves should seek out the needed training so that he or she can be aware of what to look out for.  Once again, it all comes down to Phishing Emails.  As I have written about in the past, this means recognizing such things as BEC Attacks, Spear Phishing Attacks, Fake Invoice Attacks, Social Engineering Attacks, Smishing Attacks, you name it.  The best line of defense in this regard is to simply ignore the call, or delete the Email or the text message.  Of course, if you are expecting to receive something, and you still have doubts, contact your accountant or the IRS first to see if it is legitimate.  Of course, calling the IRS and waiting for hours on end can be an infuriating task, so maybe in this regard, you could even seek the help of a reputable Cybersecurity company.  But just make sure that you do your homework on them first.  Everybody wants to help each other, so there should be a minimal charge, if any, to help you out.  Actually in this regard, you could even engage a Penetration Testing company to simulate real world Phishing attacks of the types that I have just reviewed, just to see how cognizant your employees are.  Of course, those that fall for the bait will need more training.  In theory, these Emails should look like Phishing Emails with the IRS logo.  But keep one thing in mind:  That Cybersecurity company who is doing these mock drills for you must be licensed by the IRS in order to use it.  If there is no explicit and written permission, not only they, but you too could be held liable for using an official government logo without permission.  So in this regard, make sure that the Cybersecurity company does indeed have this permission.

*Make sure that your documents are delivered securely:

Yes, there are still some people who like to do things the old-fashioned way, and still use snail mail for the sending and receiving of tax return documents.  But most of us have now gone the digital route, so that we can get our refund even quicker.  But there has to be security on both fronts:  Your accountant should send your stuff through an encrypted Email software package.  Yes, this can be a pain, because you will have to create an account and use a One Time Password (OTP) to access these documents.  Then you, the taxpayer, have to make sure that whatever you send to your accountant is also safe as well.  Hopefully, there will be some layer of encryption in the Email service that you use.  But if you are using a service like Yahoo Mail or Gmail, don’t count on it.  If you send stuff with these two, always call your accountant’s office to make sure that they have received all of the attachments.  And also confirm with them that everything looks reasonably OK; in other words, they should also be checking the integrity of the contents.  In the Cyberworld, there is always that chance your message could be intercepted, and fake or altered documents inserted instead, while your message is in transit to the receiving party.

*Beware of intimidation tactics:

In order to lure taxpayers and accountants and even businesses in general to give up their PII datasets, the Cyberattacker will go to great lengths to claim that they are an authorized representative from the IRS.  Such scams to be on the lookout for include the following:

*A call demanding immediate payment, such as by credit card, debit card, checking account, etc.;

*A demand that any back taxes be paid immediately, without the benefit of first appealing to a court of law;

*Threats to physically invade the place of business, arrest employees, take control of the business license, etc.

The bottom line here is that the IRS, no matter how intimidating they may get (especially with those letters), have to stay within certain bounds of the law that they cannot overstep.  For example, they will never call you demanding payment, nor will they threaten to come to your business.  All communication is usually done by snail mail, and there is a process that the IRS must follow before it all comes down to this.  Heck, there is even a Taxpayer Bill of Rights that they have to abide by, and one of them is your right to go to tax court to fight the IRS if you think that they are in the wrong.  But this brings up yet another key issue:  How do you even know if a snail mail letter you get from the IRS is for real or not?  Yes, this is happening also, and even I was almost duped once.  If you have any doubts, always call the IRS to see if they have actually sent you a letter or not.

*Access to W2 documents:

This is probably the heart and soul of any tax return that is to be prepared.  After all, the gross wages that you have earned and all of the taxes that have been withheld have to be reported to the IRS by the end of January.  Likewise, employers are also required by law to send out W2 forms in the mail to employees no later than January 31st.  But in an effort to make things more streamlined and efficient, many companies now offer these documents for access on the Internet.  While most of the confidential information is usually X’d out (such as the Social Security Number), this sometimes does not happen.  So, if you do go this route, make sure that the portal you are using to access these documents requires at least two forms of authentication (the more, the better), with one of them being at least a One Time Password.  Also, if you are an accountant, make sure that you restrict access to these documents in your company to only those staff members who absolutely need to have it in order to complete the tax return.  You need to be especially mindful of this if your employees use their Smartphones to access these documents while they work remotely.

My Take On This:

Well, there you have it, some tips for both you and your accountant to keep your tax returns safe so that you can get your refund and enjoy it for whatever you want to use it for.  I personally have known of people and businesses that have fallen for tax scams, and it can take years to recover from it.  It is both a drain financially and mentally.  Avoid all of these nightmares by being proactive now!!!

Saturday, September 18, 2021

The 8 Indirect Costs Of A Ransomware Attack

Once again, the one story that made pretty much all of the splashes was that of Ransomware.  I wrote a blog about this over the weekend, on how insurance companies are not paying any more claims for ransom payments.

But one thing did strike me as I was posting these stories:  The financial toll that a Ransomware attack has on a business.  In the end, all we keep hearing about is the total dollar volume of the impact.  While this is of course very important, one also has to pay attention to the components that make up this number, and which impact the company’s bottom line.

So, in today’s blog, we are going to review some of these key components, but keep in mind that this is by no means an all-inclusive list:

*The cost of your policy:

Just like your car and medical insurance policies, you are either paying a monthly or an annual premium on your Cyber Insurance policy.  It may or may not cover everything, so it is a good idea to take a careful review once again of what is actually covered.  My recommendation would be to get a good lawyer that specializes in this area to help you out.  For example, if there is something that should be covered and is not, they can negotiate on your behalf with the insurance company.  And remember, try to get coverage ASAP.  You won’t be covered after you have been impacted.  So whatever you are paying in premiums for this, you need to include it as an expense, because it is money out of the bottom line.

*Incident Response:

This is yet another cost if you have a dedicated team.  For instance, if your company is large enough, it is quite possible that you have a dedicated team for this specific function.  Then the cost here would be the salary and benefits that you pay these employees.  Or, if you outsourced this to a third party, such as a vCISO and their team, then the cost would be the contract on which you have them engaged.  Whoever you make use of, they need to be proactive and make sure that there are no threat actors lurking on the inside of your business.  Of course, they will need the appropriate scanning tools to do this, and this is also another cost that needs to be taken into consideration.

*The legal costs:

No matter what business you are in, you always need to have an attorney on hand.  They could be an in-house counsel, or even somebody that you have outsourced on an as-needed basis.  Whatever it is, this is probably one of the biggest expenses that is associated with a Ransomware attack.  For example, if you are hit with one, there is a high probability that you could face some serious lawsuits from the key stakeholders in your company.  Also, you will need legal advice on how to properly report the incident to federal and state authorities so that you mitigate the risk of facing some serious financial penalties.  Also, they can be a great source of advice on whether you should actually pay the ransom or not.  Remember, there could be legal repercussions in case you do decide to pay up, as I mentioned in the blog from last weekend.

*Dealing with the PR aspects:

Apart from dealing with the downtime you will face with a Ransomware attack, another huge nightmare for most victims is dealing with the public aftermath.  If you are an SMB owner, then most likely you do not have a dedicated Public Relations (PR) expert.  In this case, you will need to hire a reputable PR firm that can handle all of the external communications for you, especially when it comes to dealing with the media and customers.  And this can also be a huge expense that you need to take into consideration as well.  It may be tempting to go at this on your own, but even the slightest wrong thing said can be taken immediately out of context and used against you, thus causing even more financial damage.  So, it is wise to hire a PR agency in this regard.

*Negotiating the ransom:

Yes, believe it or not, there is a group of professionals out there that specialize strictly in negotiating down the ransom, in case you decide to pay up.  These kinds of consultants are not cheap either, and very often bill by the hour.  The one key advantage that they do bring to the table is that they will ensure that your payment is converted accurately over to the appropriate virtual currency (most likely Bitcoin), and that it is properly received by the Cyberattacker group in question.

My Thoughts On This:

So, here are some of the key costs that you should probably take into consideration when calculating what the true cost of a Ransomware attack will be, even if you have not become a victim.  There are other key costs as well, which include the following:

*Indirect costs:

These mostly deal with the costs associated with the loss of brand image and existing customers and getting new customers on board.

*Costs of recovery:

This refers primarily to the time it takes to recover and bring your mission critical processes and operations back online.  Your IT staff may not be enough to handle the stress of doing this all on their own, so you may yet have to hire some external contractors to help out.

*The long term:

These are the costs that are associated with bringing your business back up to the state of normalcy like it was before it was impacted by the Ransomware attack.  Important to this is the Business Continuity Plan, which will help to ensure that this will indeed happen.

Keep in mind that as the rest of the year unfolds, unfortunately, Ransomware attacks will still occur, and will happen in ways never thought of before.  Just make sure that you and your IT Security team have your guards up at all times.

Finally, more information about the costs of a Ransomware attack can be seen at this link:

https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf

Wednesday, September 15, 2021

How To Take A Kindler, Gentler Approach When Vetting Out Cyber Vendors

In the business world that we live in today, we have become much more dependent upon external, third parties to help us get our products and services out on time to our customers.  Gone are the days when everything would be done in house, and really, it is the digital transformation that is happening upon us which has thrust us into this new way of doing business.

Also, gone are the days when you could simply hire another business.  Given how the Cybersecurity threat landscape has evolved today, one has to be extremely careful when trusting somebody else with your processes and operations.  In fact, this is a huge topic in the Cyber world, and I have even written a few articles about it.

Obviously, you want to scrutinize very carefully with whom you could potentially be working, but at the same time you don’t want to grill them to the point where they get turned off and simply don’t want to do business with you because of the aggressive stance that you are taking.  There is a kinder, and gentler way to build up those all-important business relationships, and here are a few pointers:

*Hit upon the key components:

When you are vetting out a potential third party with whom you are interested in working, there is the strong temptation to give them the proverbial third degree.  But stay away from that.  There will be a time and place when you will be doing a deeper dive into the way they conduct business, especially from the standpoint of Cybersecurity.  But first, as the title of this subsection implies, focus upon the important things.  This means getting to know the people at this third party with whom you will potentially be dealing, and understanding how they do business with others.  But most importantly, engage in conversations with those people who will be handling and processing your confidential data, especially when it comes to the Personally Identifiable Information (PII) datasets.  You need to feel comfortable working with them, and they need to feel likewise with you.  Once you have some sort of connections established, then you can do that deeper dive into how they conduct their Cyber practices, and more importantly, what steps they will take to help safeguard the information and data that you will be entrusting them with.

*You are not alone in this process:

Very often, business owners, especially SMB ones, tend to feel uncomfortable at first when interviewing the external third parties that they want to work with.  This is perfectly understandable, and keep in mind, you can get help with this.  For example, as you engage in these conversations, you can have your attorney present, or even have other members of your IT Security team present with you as well.  Or you can even create a special advisory board and have them present as well.  In fact, this is probably the better approach to take, as two (or more) heads are better than one when gauging how a potential relationship could work.

*Get a holistic picture of what their infrastructure looks like:

To be honest, the world of Cybersecurity has become extremely complex, and in fact a very difficult one to deal with.  This is not only triggered by the threat variants that are bombarding businesses on a daily basis, but also because one now has to deal with all of the nuances of data privacy laws such as the GDPR and the CCPA.  If you are not compliant, you could face some very serious audits and penalties in the process.  But to make matters even worse, if you hire an external third party and they are hit by a security breach that impacts your PII datasets, you will be held responsible, not them.  So in this regard, once your connections have been solidified enough, you will need to do that deeper dive into what their IT and Network Infrastructures look like.  But once again, you need to take a soft and gentle approach to this as well.  After all, you will now be probing into them, and there could be reservations here as well.  So what are some of the steps that you can take?  Well, one approach is to use a survey, or questionnaire.  Obviously, coming up with something like this from scratch is an extremely difficult task, but there are options out there.  For example, you have what is known as the Cloud Controls Matrix (CCM).  This is a template that you can use to judge just how secure the Cloud based environment of your potential third party vendor is, especially if they are going to store your data in there.  The link to this is:

https://cloudsecurityalliance.org/research/cloud-controls-matrix/

The other is the Standard Information Gathering template, aka SIG.  This template is broken down into different questionnaire sections which include the following:

*Data storage and encryption;

*IAM;

*Cyber controls;

*Procedures for Incident Response/Disaster Recovery/Business Continuity.

The link for this is:

https://sharedassessments.org/sig/

My Thoughts On This:

So here are some quick tips that you can use to make the vetting process a much friendlier one.  You should avoid taking a hardline stance at all times, because if something goes wrong, you and your third-party vendor will have to work hand in hand together.  By taking the softer and gentler approach, they will in the end be much more amenable to working with you.

Just like anything else in business, it’s all about building those relationships, and that is true even when it comes to vetting new partners that you need to work with.

Sunday, September 12, 2021

8 Cyber Defense Tools That Are Affordable To The SMB

For everybody that is an entrepreneur and has their own business, the bottom line of course is to make a profit.  So, the natural tendency is to prospect those customers that meet that goal.  But what about that group of prospects that may not bring you loads of cash immediately, but could serve as long term clients that bring you a steady stream of revenue on a monthly or annual basis?

This is one of the other questions that has gripped the Cybersecurity industry, and such is the case with the SMB market.  There are many vendors, especially the MSPs, that will not touch them, because there is not enough margin to be had with them the first time around.  And in turn, the SMBs feel that their services are too expensive.

Seeing that there is a gap to be bridged here, there is now a spurt of Cyber companies (just like myself) that see a great opportunity and want to be partners with the SMBs.  That is why a couple of months ago, I started a new firm called Technosoft Cyber, LLC.

The goal here is to serve affordable, enterprise grade Cyber solutions to even the smallest of the small businesses out there.

This is still a work in progress, and like all good things, it will take time for this to come to fruition.  But in today’s blog, I am going to take some first steps and post about some of the affordable tools that SMBs can get on their own, so let’s get started:

*Scrapesy:

This is deemed to be one of the better tools out there that will allow you to determine if any of your confidential datasets have been leaked, whether intentionally or not.  In particular, it probes both the Public Internet and even the Dark Web for any signs of Personal Identifiable Information (PII) datasets that could have made their way down there and are now available for sale.

*Blue Pigeon:

This is actually a Penetration Testing Tool that is used primarily by Red Teams.  As an SMB owner, it is not recommended that you actually take on this kind of exercise on your own; rather, you need to engage a company that specializes in this kind of endeavor.  But if you do this, you can always ask the company that you hire if they are using this particular kind of tool.  It has a number of key advantages, such as:

*You can physically scan a target at a very close range; you do not have to be remote;

*It makes use of the Bluetooth File Sharing Protocol in order to allow a flow of network communications that is covert in nature.

*Mushikago:

Attacks on Critical Infrastructure are going to be the norm in the near future.  If you are an SMB owner that provides services to Critical Infrastructure, then you will want to know more about this specific tool.  It makes use of both AI and ML tools that will let you extrapolate what a post attack scenario could look like, say for example, if an oil and natural gas pipeline were to be hit.

*Package DNA:

Source code that is poorly written for a Web application is often used as a backdoor through which the Cyberattacker launches attacks such as SQL Injection, Cross Site Scripting (XSS), etc.  Very often, open-source APIs are also used, compounding this problem even more.  But with this particular tool, you can test for such vulnerabilities as the source code is being developed, on a modular basis.  It can even be used to check for weaknesses found in other third-party libraries that your software development team might be using as well.

*Purple Sharp:

Windows has always been a huge target for the Cyberattacker, and with Azure in full swing now, it has become an even more prized possession, especially when it comes to heisting the Azure Active Directory.  But with this specific tool, you can now defend all of the information and data that you have in Active Directory by making use of what are known as “Playbooks”.  With this, you can get into the mind of the Cyberattacker, and launch simulated attacks in a controlled environment to determine any weaknesses and vulnerabilities.

*Git Wild Hunt:

In an effort to further streamline the coding process, software developers are turning to Cloud based resources to store, sandbox, and test their source code before it is released into the production environment.  One such example of this is the repository known as “GitHub”.  Because of all of the source code that is available on it, this too has become popular prey for the Cyberattacker.  With this particular tool, you can quickly scan your GitHub repository to see if it has been hacked into, or if there are any leakages from it.

*Simple Risk:

Are you an SMB owner that is subject to the tenets and provisions of data privacy laws such as the GDPR and the CCPA?  No doubt this can be a very daunting task, but when you use this tool, it will help you greatly simplify (thus its name) all the things that you need to do in order to come into compliance, such as managing control frameworks and NIST based policies, passing audits, and performing other risk prioritization and mitigation tasks.

*Cloud Sniper:

Pretty much all businesses today are moving their On Premises infrastructures to a Cloud based platform, such as AWS or Microsoft Azure.  Although both of them provide great tools to further enhance your security posture, the ultimate responsibility for security is still yours.  The good news is that with this tool, you can not only scan all of the digital assets that you have in the Cloud, but you can trigger automatic responses as well in order to mitigate the risks of any future hacks from happening.

My Thoughts On This:

So, here are some of the top tools that an SMB owner can use at a very affordable price, and in fact, some of them are even free.  But the caveat here is that these are new ones that have just come out into the marketplace, so you may want to test drive them first with a free trial before you decide to use one.

In the end, remember that Cybersecurity does not have to be expensive.  Don’t let the vendors trick you into getting something that is way too overpriced and bloated.  Always conduct a search on Google to get more information about any new Cyber related products that you want to use, especially in the way of reviews.

Saturday, September 11, 2021

6 Ways In Which Your Attorney Can Be Your Cyber Best Friend

Unfortunately, the world of Cybersecurity never takes a breather, and that makes it harder for everybody in the industry to keep up with all that is happening.  This is made especially worse by the sheer number of Ransomware attacks that are occurring literally on a daily basis.

Even as I go through the news headlines every day, the number of attacks that continue to rise is really jaw dropping.  In all honesty, I have never seen anything like this before.  But anyway, if you do ever find yourself to be a victim of such a circumstance, you need all of the people that you can muster to be on your side to get things moving once again.

Often, the members of the Incident Response (IR) Team come to mind, but there is also one key ally that you cannot forget but is often overlooked:  Your attorney.  While they may not be a Cyber specialist, they can for sure help guide you and your company completely through the legal mess that you may encounter.  So, how do you make your attorney a part of the team in this regard?  Here are some key tips:

*Involve your attorney from the outset:

While there is no need to bring in your attorney on a daily basis for everything you do, at least meet with him or her on a bimonthly, or at a minimum a quarterly, basis to keep them informed of what is going on with your Cybersecurity efforts.  That way, not only will they be informed, but they will be able to act quickly to help you out should the need ever arise (which will hopefully never be the case).  Also, by keeping them informed, your attorney will feel that they are a part of your team as well.

*They can help you get extra resources:

If your company is ever hit by a security breach, obviously your first concern is to bring back your mission critical processes as quickly as possible.  Pretty much everything else seems to fall by the wayside.  Although this is a normal, human reaction, you need to be thinking about the aftereffects as well.  This is where once again your attorney can help out.  For example, many law firms also have a dedicated attorney that actually specializes in Cybersecurity.  With that in mind, he or she can help you get a forensics team up and running, in order to discover what really happened.  Also, they will be planning how best to combat the negative publicity that could arise, and mapping out a strategy to inform law enforcement at the local, state, and federal levels.  He or she will also help you deal with regulators, auditors, and even your insurance company if you file a claim.

*The drafting of legal contracts:

When dealing with the fear and angst of what has happened to you, you will also need to sign contracts with other third-party vendors to help you recover.  Since you may not have a clear head at the time, you could be signing something that you never even read in its entirety.  But no need to despair.  This is where once again your attorney will be your best friend.  As you are putting out the fires, your attorney will read through all of these kinds of contracts, and even sign off on them, if you have given them the permission to do so.  Depending upon the relationship that you have with him or her, they can even help vet the third-party contractors that you may need, in order to serve your best interests.

*The world of lawsuits:

Unfortunately, after you have been hit with a Ransomware attack, the finger pointing starts almost immediately.  It’s one thing when this happens internally, but externally, it could be a disaster for you.  This is where the lawsuits come in.  Even though you may have made the best efforts to keep all of the stakeholders (especially your customers) updated on what is going on, there is still a strong probability that you could face a lawsuit, or even multiple ones, from either a criminal or civil standpoint (or even both).  This is where once again your attorney can literally become your savior.  The moment the first lawsuits start to come, he or she will be on your defense, in an effort to avoid costly litigation by coming to some settlement agreement.  You may not in the end face a lawsuit, but when it comes to this, it is always best to have an attorney, as this is one area where you do not want to go it alone.

*Provide advice as to what can be shared:

In the digital world that we live in today, anything can go viral in just a matter of seconds, if it is an explosive enough topic.  This is not where you want to be.  In other words, although you want to be open and honest in all of your communications, especially when it comes to external stakeholders, you want to be very careful in what you say and what you let your employees say.  You need to walk that fine line of not giving out too little or too much information.  For example, you have to be very careful in what is given out, especially when you are conducting your forensics examination.  Obviously, you do not want to let the Cyberattacker who preyed upon you do it again.  Once again, this is where your attorney can be of great help.  They can provide all of the advice that you would ever need in terms of what should be shared with the public.  And if you don’t feel comfortable publicly talking about this, then you can even ask your attorney to do this as well, or even hire a reputable Public Relations (PR) firm.

*Avoiding the jaws of the data privacy laws:

Before COVID19 hit, the talk of data privacy laws such as the GDPR and the CCPA was taking center stage.  But once the pandemic hit, all of this ceased, because the world was dealing with a far worse situation.  But now, as the bulk of the population (at least here in the United States) has been vaccinated and things are returning to some sense of normalcy, the fears of audits and fines are starting to come back.  Depending upon the background that your attorney possesses, he or she can also help you develop a strategy for dealing with regulators if you are ever audited.  They may even be able to recommend a specialized Cyber compliance team to further assist you in this regard.

My Thoughts On This:

Well, here are some key reasons why you really need to have a good attorney on your Cyber team.  True, it may not be a cheap option, but the expenses here could very well pale in comparison to what the true costs of a security breach could bring you.  Keep in mind also that if you cannot afford a regular attorney, you can even hire one on a virtualized basis, on a fixed-term, fixed-price contract.

This is very similar to the vCISO.  But whichever option you choose, try to get an attorney that has a decent Cyber background.  While he or she may not have to have conducted a Pen Testing exercise, they should at least know what it is about in order to give you sound legal advice for both the short and long terms.

Wednesday, September 8, 2021

5 Social Engineering Attacks The SMB Owner Must Be Aware Of

Just recently, I had a great podcast with one of my business partners.  The topic of discussion was the SolarWinds fiasco, and our main points of conversation were about how it happened, what we have learned from it so far, and the best way in which Corporate America can move forward.  I learned a lot more about this Cyberattack from this conversation than I knew before.

For example, I did not fully realize the magnitude or breadth of the attack.  It was not just businesses that were impacted, but also many government agencies (at both the federal and state levels), educational systems, nonprofit organizations, and in fact, even all of the military branches of the United States as well.  But keep in mind that there is still a lot more coming out on this, and the podcast has only touched the surface of it.

Based on this, the common theme with Cyberattackers has primarily been to use newer, and of course much more sophisticated and covert, threat variants based on the profiles of the existing ones.  Probably the best example of this is the Phishing attack.  Ransomware, BEC attacks, etc. are not new threat variants in themselves, but rather, they are crafted from the first strand of Phishing that ever occurred.

This happened way back in the late 1990s, when AOL became the first publicly known company to have been impacted by a massive Phishing attack.  Since then of course, the Cyberattacker has had over two decades to finely tune their craft in this regard.  But believe it or not, there is still yet another threat variant out there that is now being used much more heavily, which dates back to, or even predates, the era of Phishing.

This is what is known as “Social Engineering”.  Put in simpler terms, these are the techniques that a Cyberattacker uses in order to strike a certain human emotion so that you will give in to what they are seeking.  Typically, those emotions are fear and a sense of urgency.  Today, Robocalls, Smishing attacks (these are Phishing attacks done via texting to your Smartphone) and even phony snail mail letters are the main vectors that are used.

After all, why spend time trying to create a digital form of attack when all one has to do is merely pick a phone number and build up some level of rapport with the person on the other end of the conversation?  Then once this has been established, all the Cyberattacker has to do is strike the right emotional chord with the unsuspecting victim in order to garner the information that they are seeking.

So, you might be asking at this point, what are some of the variants of Social Engineering, just like how they are for Phishing? The following are just a sample to get started with:

*Trust:

In our everyday lives, trust is something that all human beings in the end cherish having.  For example, it’s a great feeling when you know your boss or your colleagues can trust you to get the job done.  Heck, this is even particularly true when it comes to dating.  It can take some time for that level of trust to transpire between a man and a woman, but when it does, boy does it feel great!! LOL.  This is how the Cyberattacker in this instance works.  At least when it comes to the business setting, they will often call, or even send letters to, a lower ranking member of the company, such as the administrative assistant.  They know that people with this job title are very often overworked, and very often feel undervalued.  Thus, in an effort to bridge this gap, the Cyberattacker will literally “smooth talk” this individual by trying to build up a level of trust with them.  As just mentioned, having this feeling of trust also makes us that much more vulnerable, and so when the moment is right, the Cyberattacker will use this ploy in order to extract as much confidential information as possible.

*Being Helpful:

Apart from trust, we humans also love it when we know we are being of help to another individual who is in need.  As a result of this, the number of Robocalls has increased greatly, in which the caller pretends to be someone in need, or someone who needs some particular information that you have that will make whatever is affecting them (hypothetically speaking) go away.  But this has been such an overused tactic that the Cyberattacker will most likely not use it, unless a very rare event occurs which affects literally the entire human race.  The best example of this is the recent COVID19 pandemic, in which millions of Emails and fake websites were set up asking for money and donations.  In fact, even when you are on Social Media, be extra careful of people asking for money, especially on those “Go Fund Me” pages.  As with everything else in life, only give money to those individuals and entities that you know and are familiar with.  It is very important to note that sympathy-based attacks are one of the prime threat variants in this regard.

*Fear:

This is the complete opposite of the above two.  When it comes to striking fear into us, one of the biggest pain points is getting those Emails saying that our financial accounts have been compromised, and that we must take action now in order to correct what has happened.  I get these all of the time, most especially ones purporting to be from PayPal.  An interesting trend to note is that these kinds of Emails usually don’t come out until the wee hours of the night.  This is when our guard is typically down, and we are often too bleary eyed to take stock of what is really going on, and thus, we become a victim when we log into that phony website.  Another huge fear tactic is that of getting calls and letters from the IRS, which are snail mail based.  These letters look so real and genuine that it is almost impossible to tell what is fake and what is not.  But keep this cardinal rule in mind:  The IRS, or for that matter, any legitimate financial organization, will never ask for your confidential information.  If you receive any calls or snail mail letters like this, always contact the organization in question to see if they even sent it in the first place.  Also, if something like this ever happens to you, just take a few minutes to calm down, in order to let the initial feeling of anxiety and fear go away, so that your logical mind will resume control.  In other words, don’t shoot your gun first and then ask why you did later on.

*Optimism:

Heck, given the times that we are in now, who does not want to be hopeful for the future, right?  This is yet another ploy that the Cyberattacker uses ever so cleverly.  By default, humans are built and wired to be trusting of others, from the moment we are born.  We humans never feel that we could be taken advantage of, because of the way we have been raised.  But this is also one of our greatest vulnerabilities as well.  In fact, making somebody feel optimistic, not only about themselves but also about their future, is one of the best ways for the Cyberattacker to get at their personal information and data.  In fact, this is a ploy that is heavily used in the recruiting and network marketing industries.  There is often the promise of a great job or of making millions by simply signing up for a program and paying a considerable sum of money for it.  In the end, all you are left with is a drained bank account.  The cardinal rule to be remembered here:  If it sounds too good to be true, then it probably is.

*Honesty:

As the old saying goes, trust is built upon honesty.  So in an effort to be accepted by others and society as a whole, we always want to be honest.  In fact, whenever we lie, there is always that horrible feeling of guilt in the end (well, at least for the most part).  While being honest is a very noble thing, it too is one of our greatest vulnerabilities, and this is something that the Cyberattacker will take pure advantage of as well.  Now of course, if a total stranger approaches, our guard will be up, and naturally the feeling of being honest may dissipate in order to protect ourselves.  But the Cyberattacker knows how to manipulate the conversation so that, innocently, you will give out the right pieces of information.  They very often start this by making some very casual, false statements about you, in the hope that you will unknowingly correct them.  If this kind of conversation comes up, you can always ask the person asking you these questions why they need to know it in the first place.

My Thoughts On This:

Well, there you have it, some of the top ways in which a Cyberattacker can get into your mind and emotions in order to get what they want.  While there is no software package available out there that can protect you in this regard, your best line of defense is always to trust your gut.  But by the same token, don’t live your life like a hermit.  Go out there and enjoy it, but always be careful in what you say and do.  Easier said than done, I know this for a fact!!!

Monday, September 6, 2021

The Cyber Importance Of Maintaining Social Media Policies In The Workplace

Corporate America is embracing the new hybrid work model.  Obviously, some like it and some don’t, but whatever we are faced with, we are going to have to deal with it as the American Workforce.

But one thing is for sure:  We have to get used to abiding by a new set of rules, namely those of our employer.  One such area where this will be felt is in the Social Media platforms that your company uses for its marketing purposes, and even in how you can use company equipment to access your own Social Media accounts.

While we were WFH (and still are, for the most part), we had certain liberties that we took for granted in this regard.  For example, we could access Facebook and Twitter whenever we wanted, without the fear of our boss looking over our shoulders.  In fact, Social Media has become much like our smartphone:  We love it when we have it, and when we don’t, we feel totally paralyzed.

But for an employer, the fears and angst of how to deal with Social Media for the employees are increasing greatly.  Since the world has gone digital, anybody can post anything, anywhere, at any time, when it is least expected.  So what can a company do to protect themselves in this regard?  Here are some tips that you can follow:

*Set clear and distinct guidelines about posting:

As a company, you probably make extensive use of Social Media for your digital marketing efforts, and rightfully so.  After all, for the most part it is free (unless you are running a PPC campaign) and it is a perfect way to reach out to your customers and prospects about your brand, products, services, and even what is down the pipeline for your company.  But being the owner of your business, you obviously do not have the time to post all of that yourself, so you rely on your marketing team to do that.  This is where the trust now becomes implicit and clear.  You have to remind your employees that company Social Media sites can only be used for those purposes, and nothing more.  For example, it’s great to talk about an upcoming trade show that your company will be hosting, but it is totally wrong and unacceptable to post anything else which could be deemed a smear campaign against your competitors.  Yes, there is the thing called Freedom of Speech here, but remember, your employees in this regard have to abide by the rules that you set forth.  After all, they are playing on your playground.

*Visiting personal accounts:

In this regard, there needs to be a little bit of flexibility.  For example, your employees probably get burned out looking at their computer screens and Word/Excel files all morning.  They need to take a break and see something that will make them feel more relaxed, perhaps like seeing family pictures, getting caught up with a close friend, etc.  But you need to make it clear when and how they can access their personal Social Media accounts.  For instance, it should be restricted to only break times, the lunch hour, and after work.  Also, they should not be allowed to use company issued devices for this; they should only use their own devices, and away from the workplace setting.

*Put all of your policies in writing:

Any and all of your Social Media rules and penalties for not abiding by them need to be written and spelled out very carefully in the employee handbooks.  That is one area, but if you have something like an employee portal or an Intranet of sorts, make sure it is posted there as well in an electronic format.  But keep in mind, you have to be very careful with the language that you use.  You don’t want your employees to feel that Big Brother is watching, or that any privacy rights they may have are being intruded upon.  So, it is wise to have your attorney and/or even a professional human resources consultant look this over before you post it.

*Keep tabs on what is being posted:

Now of course, as an employer, you have no control over what your employees post on their personal accounts during their break times and after work hours.  But you can keep tabs on what is being posted on the company sites.  In this regard, you could probably make use of both AI and ML tools to track certain keywords, or even the language/syntax of the content that is being posted.  This is not restricted to just work hours; you also have the right to monitor these sites 24 X 7 X 365.  But the caveat here is that you need to warn your employees that they are being watched as they post on company related Social Media sites.  You may even want to hire somebody to keep watch on all of the content that is going up, if you make that much use of Twitter, Facebook, and LinkedIn.  There is also another reason for doing this:  You will also be able to keep track of any signs of a potential Insider Attack that could be brewing from within the confines of your business.

My Thoughts On This:

There are two other reasons why you need to keep tabs on all of this stuff, and they are as follows:

*It is a known fact that the Cyberattacker is becoming extremely sophisticated and covert in the way that they launch their threat vectors.  As I have written about many times before, they are now taking their own sweet time studying their prey.  This also means scouring all of the Social Media sites that are being used by your employees, for both job related and personal uses.  It is from here that the Cyberattacker will start to build a profile of their victims, find out their weak spots, and dive right in from there.  This is something that you need to remind your employees of on an almost constant basis, and make the point simple:  They need to be careful of what they post, because if your company is hit by a security breach, they could very well lose their jobs as a result.

*Unfortunately, ever since last January, the use of Social Media sites to fan the flames of racial extremism has become a reality.  Therefore, you really need to keep a very close eye on your company related Social Media sites to make sure that nothing posted there will spark any controversy, which is the last thing you would ever want to happen to your business.

Finally, IMHO, be selective of the Social Media sites you use for company purposes.  You don’t have to use all of them to get your word out.  For me, I just use LinkedIn, because it is a great platform for Cyber professionals.  Plus, it is very carefully monitored to make sure that only business-related content is posted, and nothing more than that.

Sunday, September 5, 2021

Think You Can Use Your Cyber Insurance As Down Payment For A Ransomware Payment? Think Again!!!

The one question that I keep getting asked, and keep asking my podcast guests, is what they think the number one Cyber threat is this year.  Hands down, and without a doubt, it has to be Ransomware.

This threat variant started to get some serious notice back in 2019, but really proliferated right after the COVID-19 pandemic hit the shores of the United States and started to reach its peak.  We saw this with the uptick in domain name hijacking, and the creation of fake and malicious websites, most notably those impersonating the World Health Organization (WHO).

And in 2021, it has really made its mark in the healthcare sector and Critical Infrastructure here in the US, given the recent events of the Colonial Pipeline.  But apart from this, Ransomware has gone to even further extents, which now even includes extortion.

In these tragic cases, the victim company is often threatened that if they do not make payment via some sort of Virtual Currency, the attackers will make public all of the Personal Identifiable Information (PII) datasets that they have captured.  But now this comes down to the question of whether the victim should pay the Cyberattacker or not in order to restore mission critical operations.

In the case of the oil pipeline attack, the CEO decided to pay about $4.4 million (worth about 75 Bitcoin) to the Cyberattacker group so that the flow of gas and oil could resume once again, without causing too much more pain at the pump and in the financial markets. 

I have actually addressed this question in previous blogs, and even in articles that I have written for clients in the past.  My fundamental answer was, and still continues to be:  Do not pay up.

Why?  Well, there are two primary reasons for this: 

*If you pay up, this is only going to fuel the Cyberattacker to come after you again, but this time causing more havoc, and even demanding more money.  After all, if they could get in once, they pretty much know where all of your vulnerabilities and weaknesses lie, so they can penetrate you once again quite easily.  Worse yet, they can even stay in for a very long period of time, without you even knowing anything about it.

*If you have maintained a proper and regular cycle of creating backups and have a rock-solid restoration process in place, all your IT Security team has to do is discard the infected equipment and get new ones.   Or better yet, if you had your stuff in the Cloud, like AWS or Microsoft Azure, it all comes down to getting rid of the impacted Virtual Machines (VMs) and Virtual Desktops (VDs) and creating new ones in just a matter of minutes.  From here, you can then restore all of the information and data into them, from the backups that you have created.
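The "rock-solid restoration" that makes the no-pay option possible is something you have to rehearse, not assume.  The following Python script is an added example written for this post (it is not code from the original article or from any of the vendors mentioned): it writes a SHA-256 manifest beside a backup, verifies the backup copy against that manifest, and then rehearses a restore into a fresh, empty directory, the same way you would restore into freshly built VMs.  The file names, contents and directory layout are constructed sample data, and the "tamper" option simulates a backup copy that was silently corrupted or encrypted after it was taken.

```python
"""Backup manifest and restore drill (added example, not from the blog).

A backup only counts as restorable if you can prove that what comes back is
byte-for-byte what you put in. This script hashes every file at backup time,
checks the backup copy against the manifest, and rehearses a restore into a
clean directory before declaring the drill a success.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # hash manifest stored alongside the backup copy


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, backup: Path) -> dict:
    """Copy every file under src into backup and record its hash in a manifest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            dst = backup / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dst)
            manifest[rel] = sha256_file(dst)   # hash the copy, not the original
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_tree(root: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose hash no longer matches."""
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems


def restore(backup: Path, dest: Path) -> list:
    """Copy the backup into dest (a clean target) and verify the result."""
    manifest = json.loads((backup / MANIFEST).read_text())
    for rel in manifest:
        dst = dest / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)
    return verify_tree(dest, manifest)


def run_drill(tamper: bool = False) -> dict:
    """End-to-end rehearsal on constructed sample data inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backup, dest = root / "live", root / "backup", root / "fresh-vm"
        src.mkdir()
        # constructed sample files standing in for a real server's data
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        (src / "data").mkdir()
        (src / "data" / "patients.csv").write_text("id,name\n1,Jane Doe\n")

        manifest = create_backup(src, backup)
        if tamper:
            # simulate a backup copy that was corrupted or encrypted after it was taken
            (backup / "data" / "patients.csv").write_text("id,name\n1,ENCRYPTED\n")

        backup_problems = verify_tree(backup, manifest)
        # never restore from a copy that fails verification
        restore_problems = restore(backup, dest) if not backup_problems else None
        return {
            "backup_problems": backup_problems,
            "restore_ok": restore_problems == [],
        }


if __name__ == "__main__":
    print("clean drill:   ", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

The point of the tamper branch is that verification has to happen against the backup copy, before the restore, so that a backup the attacker reached (or that simply rotted on disk) is caught during the drill rather than after you have already declined to pay.  In production the manifest would be signed or stored on media the production network cannot write to, so that whoever encrypts the servers cannot also rewrite the hashes.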

So, in the end, there is no need to pay the Cyberattacker, assuming other "normal" circumstances still exist (I leave this terminology to your own interpretation).  But now, companies not just here in the United States but worldwide may have no choice.

Just recently, the global insurance firm AXA announced that it would no longer reimburse impacted businesses that have actually paid a ransom and filed a legitimate claim.

One of the primary reasons cited for this landmark decision is that with such payouts, Ransomware attacks are simply going to proliferate at levels even far greater than what we are seeing now.  But this is a catch-22 sort of proposition.  Now, companies will pretty much have no choice but to further beef up their lines of defense and take Cybersecurity much more seriously.  But what about those companies that have already been proactive in doing this, and through no fault of their own, they still become a victim?

Shouldn’t they deserve some sort of financial help from their Cyber Insurance Policy?

But it is not just AXA that is trying to stop companies from making Ransomware payments.  Even our own government is taking steps in making sure that this does not happen.  For example, it could be considered a felony under US law if a company pays out anything to a Cyberattack group that has been put on a watch list by law enforcement agencies worldwide.  This is according to the Office of Foreign Assets Control (OFAC), which is overseen by the Department of the Treasury.

This ruling has already started to have some effect:  some 1,400 mayors across the United States have pledged that, as long as they continue to remain in office, they will make no Ransomware payments whatsoever.

But Ransomware attacks aside, the Cyber Insurance Industry here in the US is already starting to feel the financial strain of other forms of threat variants.  For instance, premiums have increased by a whopping 22%, coming close to the $3 billion mark.

More information about the AXA decision can be seen here:

https://apnews.com/article/europe-france-technology-business-caabb132033ef2aaee9f58902f3e8fba

More information about the Department of Treasury’s decision can be seen here:

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers/d/d-id/1339066

My Thoughts On This:

This is a very dicey situation, really with no clear-cut answer that can be figured out in a short amount of time.  The truth of the matter is that Cyber Insurance Policies are still a new "thing" out there, and even the insurance companies that carry them are still trying to figure them out.

Worse yet, with the advancements and explosions that take place on a daily basis, it is hard for anyone in this line of work to fully determine what can and cannot be covered.

But Corporate America also has a huge responsibility here as well.  The common line of thinking now seems to be:  “Well, I now have an insurance policy, so who cares if I am hit?  I can just file a claim to cover all costs”. 

Because of this, many in the C-Suite are now becoming lazy in making sure that the right controls are in place to protect their digital assets to the best degree that they can.  In other words, there are many people in the Cyber Insurance Industry who now feel that the C-Suite is shifting this burden to them, and this is also one of the reasons that has fueled the decision by AXA.

In other words, Corporate America is now viewing their Cyber Insurance Policies as a way to shift their burden of risk reduction to somebody else.  But this line of thinking has to stop here and now.  Nobody is immune from becoming a victim of a Cyberattack, and that is a given.  Heck, it has been cited that even AXA was just recently a victim themselves.  But Cyber Insurance was not created to reward sheer negligence and laziness by the C-Suite.

Rather, it was designed to financially assist those businesses that were impacted to restore mission critical operations as quickly as possible, and to also cover the indirect costs down the road as well.  But this is going under the assumption that the business had done everything right in the first place, and just happened to become a victim.

As I just mentioned, Cyber Insurance was not designed to be a tool to replace risk reduction mechanisms, which are the sole responsibility of the C-Suite and their respective IT Security teams to carry out.

So in this case, should a claim be paid out in the case a company does make a Ransomware payment?  Again, I say no.  But this should be determined on a case-by-case basis.  It should not be ruled out entirely.  After all, if an organization has done all they can to reduce the possibility of a breach, why should their employees and customers have to suffer because of this?

They should not.  But whether a company has taken all steps needed is a whole different issue, as this will require an exhaustive audit and careful study of the forensics analysis reports.

In the end, there will be many more issues like this that will crop up in the world of Cyber Insurance, and there will be no quick fix to them.  As a result, the C-Suite has to keep in mind that having Cyber Insurance is not the same as having Automobile Insurance, where one call to your insurance company will get you covered in the case of a fender bender.

Filing a Cyber Insurance claim can be much more complicated than that, and the chances are that you may not even get a payout on your claim, or at best, just a partial one.
