There are many buzzwords floating about in the world of Cybersecurity today, and one of the biggest ones that has stayed around is "Risk". This term applies to all parts of our lives, and people have different ways of actually defining it. For example, in the workplace, it could mean going above and beyond the call of duty to show your manager what you can do. Or personally, it could mean doing something that is anxiety provoking, but you are still going to do it to face your fears. Even in Cyber, businesses, and heck even the Federal Government, have different ways of defining it. But I have written a lot on this topic (in fact, even an entire book), and the way I think of it is this: "The amount of downtime that a business can withstand after becoming a victim of a security breach".

The true measure of this, though, is in the dollar amount. For instance, an SMB could not afford much downtime, but a much larger one, like a Fortune 100, probably could.
But however you define Risk, it is certainly catching the attention of Cyber professionals across all levels. So much so that even the SEC has now intervened and mandated that publicly traded companies must disclose if they are a victim of a security breach within a matter of days. The exact text of this can be seen at the link below:

http://cyberresources.solutions/blogs/SEC.pdf
Under these new rules, a publicly traded company must report within four days not only if they have been impacted by a security breach, but also if there have been any data leakages that may have occurred as a result. The main intention here is not only to protect shareholders and employees, but to keep a sense of calm amongst the financial markets in case something did actually happen. To give you a sense of just how seriously the Federal Government takes this ruling by the SEC, the following incidents have been brought into the crosshairs for the Feds:
1) Clorox: They were impacted by a security breach in August of 2023. The damage was far reaching, as it greatly affected the company's supply chain. The cost of the attack has been estimated to be as high as $65 million, much of which can be attributed to legal and forensic exam expenses. The worst part of this is that Clorox knew it had grave vulnerabilities in their IT/Network Infrastructure for many years before they were impacted. More details on this can be seen at the link below:
2) Prudential: They were hit with a security breach in February of this year. Fortunately, not much damage was done in the end, and the good news here is that the company actually reported this in time, pursuant to the SEC rules of disclosure. Apparently, the Cyberattacking group was able to penetrate into the IAM system of Prudential, and from there was able to exfiltrate over 36,000 PII datasets. What was unique about this is that Prudential actually reported this incident before it discovered the loss of the datasets. More information about this can be seen at the link below:

https://therecord.media/prudential-discloses-new-information-from-february-incident
3) United Health: They too suffered a massive security breach in February of this year. The source of the attack was attributed to a nation state actor (such as Russia, China, North Korea, etc.). The impact of this breach was far reaching, as it impacted over 30 million people who rely upon United Health insurance to pay for their medical expenses. Healthcare professionals were impacted as well. Right now, the company faces at least 24 separate lawsuits, and costs that could very well exceed $1.6 billion. Apparently, although the company did not publicly disclose this, they paid $22 million to the hacking group in order to get some control back over their IT/Network Infrastructure. More details about this can be found at the link below:
My Thoughts On This:

Apart from abiding by the tenets and provisions that have been established in the SEC ruling, as just reviewed, companies need to take a much more proactive stance to help mitigate the risk of being impacted by a security breach:
- Keep a constant vigilance: In this regard, make use of a SIEM and other Generative AI tools that will help monitor all of your log files in real time. Most importantly, they will be able to filter through all of the false positives, so that only the real and legitimate alerts are presented to your IT Security team.
- Always be transparent: Apart from reporting to the SEC, as a CISO you must take responsibility for keeping all of the key stakeholders informed of what is happening. This will save you great pain down the road if you are also faced with an audit under GDPR, CCPA, HIPAA, etc.
- Share your intelligence: The Cyber community is finally starting to realize that it literally "takes a village" in order to keep the Cyberattacking groups at bay. But in order for this to happen, you have to share whatever intelligence you gather with both the private and public sectors (such as DHS, CISA, the FBI, etc.).