Fathom Cyber’s Jim Goepel was interviewed in an article about the importance of a strong cybersecurity culture and appropriate policies for companies looking to implement a Bring Your Own Device (“BYOD”) plan. For many companies, BYOD is a boon, helping to cut costs and improving employee morale by allowing employees to use devices they already have and with which they are comfortable. But for many companies, BYOD quickly becomes BYODB…Bring Your Own Data Breach. Executives must carefully examine the risks and rewards before authorizing a BYOD policy, and they must ensure that appropriate controls are in place and that the effectiveness of those controls is measured, monitored, and assessed. Fathom Cyber’s unique approach to cybersecurity helps ensure not only that the risks and rewards are carefully identified and balanced, but also that the decisions made are properly documented for regulatory, compliance, and litigation defense purposes.
When most people think of cybersecurity, they think about using tools to stop bad actors. But cybersecurity is really about finding business-intelligent ways to mitigate risks. One popular mitigation technique is cyber insurance. But cyber insurance is undergoing a lot of changes as insurance companies rush to adapt to customer demands, to changes in the way companies conduct business, and to the corresponding changes in risk. Does your insurance policy cover the way your organization conducts business? Is the value of the coverage appropriate? Is your organization able to prove to the insurance company that it is meeting its obligations under the contract?
As a recent article from Hewlett-Packard alludes to, a well-structured cybersecurity plan takes these and other issues into account. Fathom Cyber can help your organization assess its cybersecurity plan, identify shortcomings, and create a roadmap for addressing those issues that aligns with your organization’s business priorities, including mitigation plans like cyber insurance.
Many companies, including vendors doing cyber risk analysis, tend to focus only on the cost of fines, breach notification, and credit monitoring efforts when defining the cost of a breach. But, according to research by the Ponemon Institute funded by IBM, this only begins to scratch the surface. The average data breach costs the breached company $148 USD per record when other, secondary factors like lost reputation, lost productivity, brand tarnishment, and lost revenue are accounted for. This means that for the “typical” data breach, a company can expect to lose nearly $4 million USD. The costs vary significantly by industry: healthcare organizations see per-record costs nearly three times the average, and financial services organizations are also well above it. Ultimately, a poor cybersecurity culture is a fundamental reason why organizations continue to be breached. The CISO of a major bank, interviewed by Ponemon for NBC News, said: “Even though this was not our first data breach, I was surprised to see just how easy it was for the attackers to seize the identity of privileged users. The theft of valid credentials allowed them to bypass perimeter defenses and hunt for vulnerabilities.”
Effective cybersecurity begins with the Board and C-suite. If the organization’s officers and directors are not creating the right culture, employees will not pay appropriate attention to cybersecurity.
The state of Ohio recently enacted legislation which creates an affirmative defense for organizations involved in a data breach. “All” the organization has to do is prove that it has in place a written cybersecurity program that reasonably complies with industry standards. This is a great example of using legislation to create a carrot, rather than just a stick, when it comes to cybersecurity. Of course, there is still a lot of wiggle room in the legislation. For example:
- What qualifies as a written cybersecurity program? This may sound like a silly question, but just how detailed must this cybersecurity program be?
- How often must the program be updated?
- What happens if the organization deviates from the plan?
- What “industry standards” are acceptable?
- Is it acceptable to be in compliance with only a single industry standard (e.g., PCI DSS)?
- What is “reasonable” compliance?
Fathom Cyber has created a unique approach to cybersecurity and data privacy that is based on leading standards, like the NIST Cybersecurity Framework and the Center for Internet Security’s Top 20 Critical Security Controls, which means your organization can feel confident it will meet Ohio’s requirements (and those of other states and countries). Using our approach, your organization will create a robust, comprehensive, well-documented cybersecurity program that continuously improves and responds to changes in the organization’s business priorities, risks, threat landscape, and legal and regulatory requirements. The cybersecurity plan also documents deviations from the industry standards, to help demonstrate reasonable compliance.
Contact Fathom Cyber to learn more about how our innovative approach to cybersecurity can help your organization enhance its cybersecurity and data privacy protections while limiting its liability. Fathom Cyber: make cybersecurity and data privacy make sense.
We talk a lot about the growing need for officers and directors to be more hands-on with cybersecurity. We recently came across an interesting case from a few years ago that illustrates this point. As the article below discusses, in the Wyndham Worldwide case, a shareholder filed suit to compel Wyndham to sue its officers and directors for breach of their fiduciary duty. The shareholder lost very early on because Wyndham was able to demonstrate that the officers and directors had been on top of cybersecurity issues, including being proactive in addressing shortcomings recommended by different vendors, and discussing cybersecurity issues at least fourteen times in four years, with the audit committee discussing these topics an additional sixteen times in that same timeframe.
Fathom Cyber gives your organization’s officers, directors, and other executives powerful information to help withstand such a suit.
As the article below indicates, it is critically important that those responsible for cybersecurity in your organization be under a separate reporting structure from those who implement and maintain the equipment. In the article, the Federal Communications Commission, after a year-long review, reversed its position that an outage that occurred during 2017 was the result of a cyber attack. Instead, the Office of the Inspector General’s report found that the systems were simply overwhelmed when a television host encouraged viewers to submit comments on the FCC’s page. The issue reflected poorly on the prior Chief Information Officer (who was still employed by the FCC at that time), who ran with the cyber attack story. Others in the CIO’s organization disagreed with that conclusion, but didn’t speak up because of fears of retribution.
A well-structured cybersecurity program takes into account these kinds of issues and provides reporting (both automated and people-based) mechanisms to surface these communications issues early, before they become a problem. Fathom Cyber can help your organization create a comprehensive cybersecurity program.
The legal and regulatory worlds surrounding cybersecurity and data privacy have changed a lot in the last two years. When was the last time your organization’s director and officer insurance policy was reviewed? Does your policy provide adequate protection in case of a data breach or cybersecurity issue? Have you stopped to consider not only the domestic (e.g., U.S.) risks, and the potential damages, but also the international risks?
The article below describes the personal liabilities that directors and officers could face when a data breach or cybersecurity incident occurs in India. As the article points out, although the fines may not seem like much (between 100,000 and 500,000 rupees), they are assessed on the individual officers and directors, and multiple penalties can be assessed depending on the circumstances. This can quickly add up when multiple issues and multiple individuals are involved. It is incumbent upon officers and directors to ensure that their organizations are meeting their cybersecurity and data privacy requirements.
To meet their statutory and ethical obligations, officers and directors need, at a minimum:
- actionable information about the organization’s efforts to improve the overall cybersecurity and data privacy posture;
- independent validation that the day-to-day policies and procedures are being followed; and
- business-based reporting that demonstrates that the efforts, policies, and procedures are in alignment with the organization’s priorities.
Fathom Cyber helps put this information, and more, at their fingertips. We make cybersecurity and data privacy make sense.
A day in the life of a cybersecurity professional…
We were a bit surprised recently when someone asked why small businesses need to care about cybersecurity. Our answer:
Because the cost of a breach will cripple a company – There was a recent study that showed that 60% of small to mid-size companies are out of business within six months of a cybersecurity incident or data breach. This is due, in part, to lost revenue, reduced brand value, and the cost of notifications and remediation efforts. If the companies aren’t paying proper attention to cybersecurity, their insurance coverage won’t help them, either.
Both data privacy and cybersecurity are bet-the-company issues. If you aren’t familiar with the differences between data privacy and cybersecurity, we previously posted a short discussion of the differences between cybersecurity and data privacy. Although we think it is important to raise awareness about both topics, this particular post will focus on cybersecurity.
Why should a Small Business Care?
As we are out speaking at different sessions, we often hear companies say “we aren’t a target because…” and the next phrase is almost always either “we have nothing of value”, or “we’re too small”. But that isn’t true. Criminal hackers target small businesses for several reasons, including:
- They are easy targets – Most small businesses simply aren’t devoting appropriate resources to even basic cyber hygiene (e.g., ensuring they are meeting even the first five of the CIS Critical Security Controls). This means that most small businesses are doing the equivalent of leaving a big pile of freshly-delivered Amazon boxes sitting outside their door on a Friday night with the building’s lights off. By following a few basic steps (the equivalent of not having packages delivered after hours, leaving lights on, and putting up cameras), companies can significantly cut their risk. Failure to do so leaves them as easy targets.
- They aren’t the ultimate prize – Of course, the fact that they are easy targets doesn’t address the “we have nothing of value” issue. For example, a small business-to-business company probably doesn’t have a lot of credit card, bank account, or personal information about its customers. So these companies assume they don’t have to worry about cybersecurity as much as the bigger companies. However, cyber criminals are targeting companies not only for what they can steal from the company, but also because of the relationships that company has with others. For example, the 2013 Target breach occurred through an HVAC vendor. The criminals were able to use credentials gained from the HVAC vendor’s network to ultimately gain access to the Target network. Thus, although the small business may not have a lot of inherently “valuable” information on its own, it can lead to much more valuable prizes for the criminals.
- Their insurance company cares – Insurance companies are becoming more adept at asking cybersecurity-related questions, and at finding ways to avoid paying claims. This means that companies that aren’t paying attention to cybersecurity are less likely to get insurance, and that those who do get insurance are more likely to pay higher rates and less likely to have the right coverage when a breach occurs.
- Their customers care – If the small company is a business-to-business company, its smaller customers may not yet be asking about cybersecurity, but bigger companies are asking increasingly sophisticated cybersecurity questions. They understand that their vendors are often the weak link in their security, and vendor risk management is a hot-button issue. If a small company wants to start doing business with big companies, or to continue to do business with big companies, it will need to start paying more attention to cybersecurity. Its competitors will. And on the business-to-consumer side, consumers quickly abandon smaller companies that have data breaches.
- Criminals need resources – Although many criminals are searching for valuable data such as credit card information, others are looking for resources. For example, a growing trend is for crypto mining malware to be installed on hacked computers. Crypto mining is a core part of proof-of-work blockchains such as Bitcoin and Ethereum. Crypto “miners” perform the computational work that secures the blockchain, and in exchange they are rewarded with newly issued coins and transaction fees when they solve a block. Crypto mining is a big business, generating millions of dollars in revenue each year. But crypto mining needs computers to work, and running and maintaining those computers can be expensive. So innovative criminals have taken to hacking into systems and installing mining software without the company’s consent, or even its knowledge. The company pays the increased electricity, Internet service, cooling, and other costs, and the criminal keeps all the money. Krebs on Security has a somewhat older, but still valid, article about other ways criminals use hacked PCs, including use as a server for command and control of malware and for distributing child pornography. Why would a small business want to make it easy for criminals to set up shop in its office?
As you can see, small businesses must care about cybersecurity if they are to survive. There is never a better time to start than now.
The article below confirms something we at Fathom Cyber see all too often: that executives are given a false sense of security by their IT staff. The data they receive is cherry-picked so only the mitigable threats are shown, and the things the staff isn’t able to handle are swept under the rug. Until a breach occurs.
Executives need better, unbiased information coming to them, and in a form that they can understand. Fathom Cyber can help.
The State of Connecticut recently released a Cybersecurity Action Plan. This plan makes it clear that if companies don’t start taking cybersecurity and data privacy more seriously, the state, and even the federal government, will be forced to step in and add even more legislation and regulations. Can your organization quickly identify:
- the kinds of data it holds, whose data it is, and where it is located;
- the customers who are supported by a particular computing resource;
- the internal business processes and functions that are supported by a resource;
- the controls that are in place to limit access to authorized users; and
- the dependencies between the different computing systems?
If not, how can your organization expect to show regulators or shareholders that it is taking cybersecurity and data privacy seriously? The first step in taking cybersecurity seriously is to make cybersecurity make sense. Fathom Cyber can help.