
10 must-have components in your disaster recovery plan

07.24.24

Read this if you are an IT director, information security officer, compliance officer, risk manager, or organizational leader interested in enhancing resilience and robust continuity strategies.

Organizations today must have the capacity and capability to respond and recover from unforeseen disruptions in a timely manner. A Disaster Recovery Plan (DRP) acts as a guide for businesses, outlining strategies to mitigate risks, limit downtime, and expedite the recovery process during a disaster. 

Here are 10 must-have components to include in your organization’s DRP:

  1. Purpose and objectives: Define the plan’s primary goal, which should be focused on strengthening the organization's resilience and continuity during disasters. The goal outlines objectives like minimizing downtime, safeguarding critical assets, and expediting recovery processes.
  2. DR team and responsibilities: Designate the individuals responsible for plan implementation, clearly defining their roles and responsibilities during disasters. Include their contact information and escalation procedures to promote timely, coordinated responses and decision-making.
  3. Disaster definitions and scenarios: Define various types of disasters that could impact the organization and establish criteria for declaring a disaster.
  4. Notification and communication: Detail the procedures for alerting key personnel and stakeholders in the event of a disaster, including contact lists, communication methods, and escalation protocols to promote timely response and coordination. 
  5. Business Impact Analysis (BIA): Identify critical business functions and assess the potential consequences of disruptions, prioritize recovery efforts based on the impact, and identify Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each function. A Recovery Time Objective (RTO) is the maximum acceptable time to restore a system or service after a disruption; it defines the time frame within which operations must resume to avoid significant consequences. A Recovery Point Objective (RPO) is the acceptable data loss tolerance in the event of a disruption; it specifies the maximum amount of data the organization is willing to lose, and therefore the point in time to which systems and data must be recovered to resume normal operations.
  6. Emergency procurement: Outline procedures for obtaining necessary resources and supplies during a disaster, including authorization protocols, supplier contacts, and procurement methods, so that essential goods and services can be acquired efficiently when they are needed.
  7. Reconstitution: Detail the steps and processes for restoring normal operations after a disaster, including the sequence for bringing systems, applications, and infrastructure back online, as well as any post-recovery testing and validation procedures to confirm functionality and resilience.
  8. Distribution: Specify how the plan is distributed to relevant personnel, stakeholders, and external parties, outlining methods of dissemination, version control, and accessibility during emergencies.
  9. Testing: Outline the schedule, procedures, and objectives for regular testing and exercises to validate the effectiveness of the plan in mitigating disaster impacts, identifying weaknesses, and preparing personnel for response and recovery actions.
  10. Maintenance: Detail the processes and responsibilities for regularly reviewing, updating, and revising the plan to reflect changes in technology, infrastructure, personnel, and business processes, maintaining its relevance and effectiveness in mitigating the impact of disasters.

For more information on disaster recovery planning or if you have questions about your specific situation, please don’t hesitate to contact our cybersecurity consulting team. We’re here to help.

Related Professionals

BerryDunn experts and consultants

Read this if you are responsible for cybersecurity or are a member of a board of directors for a company or a nonprofit organization.

I recently joined the board of directors of a local nonprofit organization that addresses homelessness and food insecurity in our community. While it is a larger, well-established organization, it still needed cybersecurity support. For me, it is a meaningful way to give back using my expertise while improving the risk posture and security practices of the organization. In my opinion, the most critical area any board of directors should be addressing, along with establishing and mitigating risk, is incident preparedness. The board should require and receive reports on incident management programs, and if they are in place, they should be tested on a frequent basis. 

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies and nonprofit organizations in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

For nonprofit boards, having an expert with cybersecurity skills as a board member may bring in needed guidance and expertise to an organization that may have limited resources, but is impacted by cybersecurity risks. It can be a valuable way to bring in advisory and oversight where it may be needed.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and about management’s plans for allocating resources to cyber risk preparedness and response. Such knowledge helps boards assess the priority and investment decisions that management puts forward for critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risks for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are the stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others make it a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data? Do we know what types of data the organization maintains? 

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that prompts a reaction and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise, and its oversight of cybersecurity risk being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Article
Board oversight of cybersecurity: Questions to ask

While ransomware may not necessarily be a new topic, especially for those working in the information technology or security fields, it still is an important one to keep top of mind, particularly as ransomware attacks continue to be both effective and damaging. As we move forward, it may be helpful to first take a look back to learn from those who have fallen victim to ransomware:

  • A 2022 Sophos study revealed 66% of participating organizations were attacked by ransomware.
  • The same study reported the average ransom payment was $812,360, a number 4.8 times higher than it was in 2020.
  • In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 3,729 complaints identified as ransomware with adjusted losses of more than $49.2 million. 
  • A 2022 Verizon report indicates that ransomware breaches have increased by almost 13% in one year, “an increase as large as the last five years combined.”

The ransomware threat is here to stay and we expect to see a continued increase in activity as attackers are finding ransomware attacks an effective and profitable venture. Despite the scary facts above, there are some tangible actions you can take to better protect your organization from ransomware.

IC3 and Verizon reports indicate that the top three methods of an initial ransomware attack are:

  1. Phishing emails
  2. Exploitation of desktop sharing software
  3. Exploitation of software vulnerabilities

Let’s review these three popular attack methods and identify the steps that you can take to help protect against each of them.

Phishing emails

Most people today have at least one, if not more, email addresses. Email is a common attack route because the attacker can exploit human nature’s quick instinctual reactions. By fabricating an urgent, concerning, or stressful situation, an attacker can trick users into performing actions that compromise the security of their accounts and/or devices. In most ransomware cases, the attacker tries to get users to download malicious files or disclose credentials.

Exploitation of desktop sharing software

This category of software can include proprietary tools, as well as the remote desktop connection application that comes standard with the Windows operating system. While these remote access tools are typically used by IT departments for operational, maintenance, and support activities, they also create a potential entry point for attackers. Credentials obtained from various sources, such as phishing (the email method above) or the unauthorized exchange of information (typically stolen from previous breaches), can be used with these remote access tools to gain control of a device. At that point, an attacker is free to gather information or deploy malicious payloads such as ransomware.


Exploitation of software vulnerabilities

Organizations rely on a wide array of software to support business operations and manage data. The increasing popularity of cloud-based services and distributed working environments means that more applications and services are exposed to the internet, where anyone can see them. While increased accessibility to software and services can be beneficial to business operations, it can also be detrimental to security operations, as potential weaknesses and vulnerabilities can be identified and exploited by attackers.

These are the basic steps you should be taking in order to help protect your organization against ransomware attacks. First and foremost, ransomware should be identified as a real risk to your organization. Attackers can use email, remote access tools, and vulnerable software as an entry point to deploy ransomware, and deploying the tools and practices discussed in this article can help protect your assets from attackers.

No matter where you are on your security journey, there are things you should be doing to help reduce risk related to cyber-attacks. To learn more, or for help understanding how to improve your organization’s security controls to help prevent and recover from ransomware, please contact our cybersecurity experts. We’re here to help. 

Article
Ransomware is not going anywhere soon: Best practices for prevention and protection

Read this if you are concerned about cybersecurity.

A glance at the current cybersecurity landscape

Cybersecurity has become a priority for organizations of all types. From small to large businesses, and government agencies to non-profits, leaders must consider an increasing number of cyber threats, risks, and vulnerabilities. The cost of handling a cyber incident can be alarming, and so nearly every cybersecurity-related decision must be measured against its effect on the organization’s cyber risk profile. 

Many leaders manage cyber threats by implementing the best controls and systems their budget will allow in order to mitigate cyber risks and improve their overall cybersecurity posture—this is wise. But regardless of how diligent an organization is, there is always the possibility that a zero-day vulnerability is exploited by a threat actor or that an employee falls victim to a social engineering attack.



Unaddressed gaps in an organization’s cybersecurity controls—which have become increasingly evident during the COVID-19 pandemic—are making it easier for threat actors to target and carry out cyberattacks. These attacks are increasing in frequency and complexity and organizations of all sizes in all industries are being targeted.

Instead of accepting the potential financial risks associated with cyberattacks, many organizations are beginning to consider a more pragmatic approach, similar to how they address other organizational risks and uncertainties: they transfer some of the financial risk to an insurance company (at a cost, of course). Reputational and operational risk still reside within the organization in the event of a cyberattack, but cybersecurity insurance can help with the financial impacts.

What is cybersecurity insurance and why is it important?

Cybersecurity insurance, also called cyber insurance or cyber liability insurance, is a type of insurance policy that provides organizations with a combination of coverage options to help protect against the financial losses caused by cyber incidents like data breaches, ransomware, and other cyberattacks. Cybersecurity insurance coverage works just like other insurance policies that cover financial losses in the event of physical risks and natural disasters.

Cybersecurity insurance policies can cover financial costs associated with legal fees and expenses, notifying customers about a data breach, restoring personal identities of affected customers, recovering compromised data, repairing damaged computer systems, as well as other potential costs. Financial assistance with notification to those impacted by a breach is getting increasingly more important because more and more states are requiring organizations to notify customers of a data breach involving personally identifiable information (PII) in a timely manner—a process that has proven to be very expensive. For example, the California Consumer Privacy Act (CCPA) requires organizations to notify all California residents who were affected by a data breach without unreasonable delay. Other states have enacted similar requirements. 

A cybersecurity insurance policy can be a valuable component of an organization’s cyber risk management program, as it is designed to improve the organization’s cyber risk profile—at least in terms of financial risk. However, a cybersecurity insurance policy should only be considered after an effective cybersecurity strategy, with sufficient cybersecurity controls in place, has been implemented. In other words, cybersecurity insurance should complement an organization’s existing cybersecurity processes and technologies to help reduce the financial burden of a potential cyberattack, but it should not be the only strategy that is implemented by an organization. 

Who should buy cybersecurity insurance?

All organizations that create, store, and manage electronic data online, such as PII, protected health information (PHI), and personally identifiable financial information (PIFI), can benefit from cybersecurity insurance; however, enterprise risk management drives cybersecurity decisions, and that includes whether to purchase cybersecurity insurance or not.

Due to the increasing number of cyberattacks over the last few years, the cybersecurity insurance market is evolving and becoming more complex, and many organizations are choosing to forgo this type of insurance because of increasing costs. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is encouraging organizations to focus on improving their cybersecurity controls first, in order to receive cybersecurity insurance coverage at more affordable rates.

Even before the COVID-19 pandemic, insurance companies had been tightening requirements for coverage and asking for more evidence that organizations are doing their due diligence to mitigate against cyberattacks. Whether it is detailing backup procedures or answering questions on specific security controls or systems in place, organizations looking for cybersecurity insurance can expect a more rigorous underwriting process going forward—the days of simple questionnaires are over. 

How to lower cybersecurity insurance costs

Fortunately, for organizations interested in purchasing cybersecurity insurance, there are ways to decrease premium costs. This includes implementing strong identity security controls and following industry best practices to protect against phishing and credential theft, ransomware, data breaches, and other cyber risks. More specifically, this includes implementing a robust cybersecurity strategy comprised of layered security controls. Examples of cybersecurity controls and best practices that insurance companies look for are included in the table below. By demonstrating that these controls are implemented and best practices are followed, an organization can significantly reduce their cybersecurity insurance premiums. 

Conclusion

Organizations can accept the risk of financial loss from a cyberattack, avoid risky endeavors, implement cybersecurity controls and systems, and adhere to industry best practices, but some risk of a cyberattack will remain. 

The most important step an organization can take to help prevent cybersecurity attacks or mitigate the impact of a cyber incident is to focus on improving cybersecurity controls, processes, and technologies. By doing so, the organization is not only reducing potential risks, but also positioning itself to purchase cybersecurity insurance coverage at more affordable rates. While each insurance company’s evaluation process varies, there are certain security controls that are almost always required for an organization to acquire cybersecurity insurance coverage. This often involves Identity and Access Management (IAM) controls and best practices in alignment with industry standards put forth by the Center for Internet Security (CIS), CISA, and others.

For organizations looking to address the financial costs associated with cyber risk, they should look to an insurance company to understand if the cost of insurance and coverage received would complement their existing cybersecurity risk management program. However, in the event of a cyberattack, it is critical the organization understands that other risks such as reputational and operational risk will always remain, regardless of the insurance coverage.

If your organization is interested in purchasing cybersecurity insurance, the following link provides more information and general tips on what your cybersecurity insurance policy should include: Cyber Insurance | Federal Trade Commission.

Below are some helpful takeaways from recent breach reports to consider: 

Sources:

  • Cyber Readiness Report 2022 | Hiscox
  • Cost of a data breach 2022 | IBM
  • 2022 Data Breach Investigations Report | Verizon

Article
Cybersecurity Insurance: To buy or not to buy? That is the question.

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

It provides an independent assessment of an organization’s cybersecurity risk management program. Specifically, it determines how effectively the organization’s internal controls monitor, prevent, and address cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

  1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
  2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
  3. Service auditor’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

  • Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving. In particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate you’re aligned with these guidelines. If you’re a public company or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today, but their evolved guidelines in the future.
  • Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
  • Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even for companies that don’t require such a report, it’s important to know their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
  • Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

  1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
  2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person to be responsible for ensuring the independent services auditor has all the documentation they need to complete their assessment and act as liaison across internal and external stakeholders.
  3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person so it’s easy for them to pull the appropriate materials to give to the independent services auditor.
  4. Conduct a readiness assessment. You can work with an independent services auditor to conduct such an assessment which will identify gaps you can address before performing the attestation.
  5. Select an independent services auditor to perform the attestation. SOC for cybersecurity services are provided by independent CPAs approved by the AICPA. Ideally, you’ll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Article
Yes, you need a SOC for cybersecurity report—here's why

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence indicating that Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to revisit your current security controls. Focusing on basic IT controls can make a big difference in the event of an attack, as hackers tend to go after the easy, low-hanging fruit.

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, vendors, and guests. Make sure that users maintain strong passwords and that no user connects remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a hardware or built-in token, an authenticator app, or a numerical code delivered to your phone or email. Codes sent by SMS or email are the weakest of these options, because the phone number or mailbox can itself be taken over, so prefer app- or token-based factors where you can. Poor access controls are the difference between locking your house and leaving it unlocked when you go out. 
  2. Patching
    One of the most common audit findings we see, and one of the biggest reasons behind successful attacks, is unpatched systems. Software vendors issue patches to close vulnerabilities in their products; an unpatched vulnerability is an unlocked door that an attacker can use to get into your systems, and attackers routinely compare a patch against the previous version to work out what it fixed and then scan for systems that have not applied it. Ensuring your organization has a robust patch management program, and that systems are up to date on needed patches, is critical to your security operations. Think of an unpatched system as a car with a broken window: sure, the door is locked, but any thief can reach through the broken window and unlock the car. 
  3. Logging 
    Account activity, network traffic, system changes: these can all be logged easily and, with the right tools, configured to alert you to suspicious activity. Done correctly, logging and alerting tells your security team when something suspicious is happening on your network so they can investigate. Two practical points: send logs to a central collector that the monitored systems cannot modify, since attackers delete local logs to cover their tracks, and retain them long enough to reconstruct an incident that is only discovered weeks later. Consider logging and alerting like your home's security camera. It may alert you to activity outside, but someone still needs to review the footage and react to it to mitigate the threat.  
  4. Test backups and more
    Making sure that your systems are successfully backed up, with copies kept separate from your production systems (offline or otherwise unreachable with production credentials, so that ransomware cannot encrypt or delete them), is a control we are all familiar with. Organizations need to do more than confirm that backups run nightly and are retained: they need to verify on a regular basis that those backups can be restored to a usable state. Beyond backups, we often hear from clients that they test only parts of their disaster recovery and failover plans, but have never tested a full-scale failover to their backup systems to determine whether it would actually succeed in a disaster. Organizations shouldn't be afraid of a full-scale failover test, because when the time comes you may not have the option of a partial failover and hoping for the best. Not testing your backups is like not test driving a car before you buy it. Sure, it looks nice on the lot, but does it actually run? 
  5. Incident Management Plan 
    We often review Incident Management Plans as part of our work, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes such as an increasingly remote workforce or systems that have been replaced. An outdated Incident Management Plan is like being sick and calling your doctor for help, only to find out your doctor has retired. 
  6. Training—phishing attacks
    Attackers' most common way to gain access to systems and deploy crippling ransomware is a phishing campaign by email. A phishing message, disguised as legitimate business correspondence, tricks a user into either giving the attacker credentials to log into systems or opening an attachment or link that installs malware, which is frequently the first stage of a ransomware attack. Training end users to verify an email's authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users with simulated phishing is also critical, so management understands the current risk and where additional training is needed. Security teams should also have supporting controls in place, such as email filtering and attachment sandboxing to keep phishing messages out, and endpoint detection to catch the malware if a user does fall for one. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn't win the game because no one knew what to do. 

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that controls will prevent an attack, they make it a lot more challenging for the attacker. One more analogy, and then I'm done, I promise. Basic IT controls are like speed bumps in a neighborhood. They keep most people from speeding (and if you hit them too fast they do a number on your car), but you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in impactful incidents affecting not-for-profit organizations, and our IT security experts often share advisory comments in annual audit communications with our clients. With recent incidents and a rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits. 

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

Ransomware continues to grow rapidly as a profitable attack on organizations. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One is financial: millions of dollars may be paid to the attackers as ransom in the hope of regaining control of systems. The other is operational: loss of control of systems and data for the duration of the event. An unsuccessful data restoration could mean the total loss of the information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Backup storage that is immutable and isolated from production credentials (sometimes marketed as zero-trust data management), so an attacker with administrative access cannot delete or encrypt the backups
  • Disabling macros in Office documents received by email (a macro can run code on the workstation as soon as the document is opened) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 
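Restoration testing, listed as a corrective control above and described under "Test backups and more" in the previous article, can be automated. The script below is an added example, not code from the original article: it builds a small constructed "production" directory, backs it up to a tar archive, restores it to a separate directory, and compares the SHA-256 hash of every file against the manifest taken at backup time; it then corrupts one restored file to show that the check catches it. The paths and file contents are constructed for the example, and in practice the restore target would be an isolated host rather than a temporary directory on the same machine.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source_dir, archive_path):
    """Archive the tree and return the manifest recorded at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return file_manifest(source_dir)


def restore_backup(archive_path, restore_dir):
    """Extract into a separate directory; the 'data' filter refuses path-traversal members."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:  # Python builds without the filter argument
            tar.extractall(str(restore_dir))


def verify_restore(expected_manifest, restore_dir):
    """Compare the restored tree against the manifest: missing files and hash mismatches fail."""
    actual = file_manifest(restore_dir)
    missing = sorted(set(expected_manifest) - set(actual))
    mismatched = sorted(p for p in expected_manifest
                        if p in actual and actual[p] != expected_manifest[p])
    return {"ok": not missing and not mismatched, "missing": missing,
            "mismatched": mismatched, "restored": len(actual)}


def run_restore_test():
    """Constructed end-to-end run: back up, restore, verify, then corrupt one file and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "prod")
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.sql").write_text("INSERT INTO ledger VALUES (1, 'opening');\n")
        (src / "config.ini").write_text("[app]\nmode=production\n")
        archive = Path(work, "nightly.tar.gz")
        expected = create_backup(src, archive)

        restore_dir = Path(work, "restore")
        restore_dir.mkdir()
        restore_backup(archive, restore_dir)
        clean = verify_restore(expected, restore_dir)

        # Simulate a damaged restore (bit rot, partial write, tampering) and check it is caught.
        (restore_dir / "db" / "ledger.sql").write_text("corrupted\n")
        tampered = verify_restore(expected, restore_dir)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_restore_test()
    print("clean restore:", clean)
    print("damaged restore:", tampered)
```

The manifest is taken from the source tree at backup time, not from the archive, so the test also catches a backup job that silently skipped files.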

As the risk of ransomware continues to increase and attacks grow more sophisticated, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment. 

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, you should assess your practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures that accommodate remote work while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We're here to help. 
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, "How prepared is our workforce when it comes to security threats and protecting our data? How likely is it that one of our team members would click on a link or open an attachment that appears to be from our CFO? Would our team members look closely enough at the email address to notice that the organization name is different by one letter?"
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  2. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in the context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand, and harder for leadership to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network are taken offline, how will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  3. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.
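The one-letter-off organization name described under People above, and the supporting detection tools mentioned in the phishing item of the basics refresher, can be checked mechanically on inbound mail. The following is an added example, not code from the original article: it classifies a sender address against a hypothetical trusted domain (example.com is an assumption) as trusted, lookalike or external, catching confusable characters (rn for m, 1 for l), single-character typos and transpositions, and the brand name embedded in an unrelated domain. The confusable list and the one-edit threshold are assumptions that a mail gateway rule would tune to the organization's own domain.

```python
import re

# Character pairs that look alike in common fonts; attackers swap them in registered domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]
TRUSTED = ["example.com"]  # hypothetical organization domain, an assumption for the example


def normalize(domain):
    """Collapse confusable sequences so 'exarnple' and 'examp1e' both read as 'example'."""
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(address, trusted_domains=TRUSTED):
    """Return (verdict, reason) where verdict is trusted, lookalike, external or malformed."""
    m = re.search(r"@([a-z0-9.-]+)>?$", address.strip().lower())
    if not m:
        return "malformed", "no domain in address"
    domain = m.group(1)
    trusted_list = [t.lower() for t in trusted_domains]
    for trusted in trusted_list:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", f"matches {trusted}"
    for trusted in trusted_list:
        if normalize(domain) == normalize(trusted):
            return "lookalike", f"confusable characters for {trusted}"
        if osa_distance(domain, trusted) <= 1:
            return "lookalike", f"one edit away from {trusted}"
        brand = trusted.split(".")[0]
        if any(brand in label for label in domain.split(".")):
            return "lookalike", f"'{brand}' embedded in an unrelated domain"
    return "external", "no relation to trusted domains"


if __name__ == "__main__":
    # Constructed sender addresses for the demonstration.
    for sender in ["cfo@example.com", "cfo@exarnple.com", "cfo@examp1e.com",
                   "cfo@exampel.com", "cfo@example.com.evil.test", "vendor@google.com"]:
        print(sender, "->", classify_sender(sender))
```

A gateway would tag the lookalike verdicts with a visible banner or quarantine them, and the trusted verdict should still be paired with SPF, DKIM and DMARC checks, since an exact domain match proves nothing if the sending server was not authorized to use it.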

As you know, there are many different threats and risks facing organizations. Some come from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, both in preventing issues from occurring and in responding quickly and appropriately when they do. Remember to focus on your People, your Plan, and your Practice.

Article
The three P's of improving your company's cybersecurity soft skills

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have a Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution's vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Article
Cyberattacks in higher education—How prepared are you?