The effort to protect a company from cybercrime and recover from cyber intrusions extends well beyond the walls of the business, according to panelists at the recent Providence Business News’ annual Cybersecurity Summit.
Like the internet itself, effective defense against cybercrime and recovery from it requires a web of relationships that includes vendors and supply chains, the insurance industry, lawyers and accountants, and the laws of multiple states and countries, the experts said.
It almost sounded like a group of people girding for battle as six panelists at the summit on Oct. 11 hashed out several cybersecurity topics. The panel was moderated by Doug White, chair of cybersecurity networking at Roger Williams University and a podcaster at Security Weekly.
The second part of the summit went straight to the nub of the matter when White asked the panelists to describe the proper response to a cyber breach. As with the other topics of the day, the answer came back to preparation: planning done before a crisis, not during one.
“You don’t want to be without a plan,” said Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center for International Relations and Public Policy at Salve Regina University. “You cannot think about a response during the crisis. Plan in advance; build a team; include [information technology], legal counsel.” Other panelists noted that top management must be involved in this work.
Every state has its own data protection and breach notification law (not to be confused with the European Union’s General Data Protection Regulation, or GDPR). These state laws govern the reporting of cybercrimes, data breaches and invasions of privacy, including the timetable and deadlines for reporting a breach, and the deadlines differ from state to state. Rhode Island companies that do business in other states and countries must comply with the rules of each of those places when a breach occurs. (In Rhode Island, for instance, a breach must be reported to the state within 45 days.)
Eric Shorr, founder of Secure Future Tech Solutions, said a recovery plan does not need to be complicated, but it needs a few essential elements: whom the company should notify immediately, such as the R.I. State Police cybercrimes unit, and how to get the business up and running again from data backups that should already be in place.
Companies must document every step of their response to and recovery from an intrusion, Spidalieri said, in order to build a legal defense in case a lawsuit follows.
Jason Albuquerque, chief information security officer at Carousel Industries of North America Inc., echoed the other panelists, saying, “Practice the plan to find flaws in the plan.”
The patchwork of differing state laws governing responses to cyber intrusions is itself a problem. Some states’ laws – but not Rhode Island’s or Massachusetts’ – allow people affected by a breach to sue the company at fault, Spidalieri said. She noted that fines against companies that allow a breach or violate privacy rules can be high, even to the point of putting a company out of business.
The panelists were all aware of a new California privacy law, taking effect on Jan. 1, that will raise that state’s requirements on data security and privacy to a very rigorous standard, close to that of the European Union.
The laws of the European Union are tough, and can be very costly to businesses, said Spidalieri. “There are a lot of requirements under [EU] law. Fines are significant, and they are being enforced. It is costly to comply with those laws; but if you are complying, you will also be more secure.”
Jeffrey Ziplow, cybersecurity risk assessment partner at Blum, Shapiro & Co. PC, called California’s new law a test case that other states are watching.
Recovery from a cyber intrusion depends heavily on having data backups, and on backups that the attacker could not also reach and that have been restored before as a test. Shorr mentioned a Warwick company that found its computer systems locked up and held for ransom by a hacker whom the boss had let into the system by opening an email. “They rolled back to the last backup, and business was down, in all, for only an hour,” Shorr said.
It’s important for companies to monitor their connections with third-party vendors, members of the supply chain and cloud service providers, the specialists said, recounting the breach of Target Corp. several years ago, which was carried out through the access of Target’s heating and ventilation vendor.
“Vendors are an extension of your own network,” said Albuquerque.
Companies need to vet cloud vendors diligently, for instance, to make sure their security is top-notch, and to settle many other details in advance, such as what roles the company and the vendor would play in the case of a breach, and which of them would bear any fines and lawsuits.
A company’s exposure to risk – through its own email and computers but also through its vendors and customers – also extends to the growing “internet of things.” That phrase covers all the gadgetry, such as smart speakers, security cameras and even home appliances, that connects to the internet via Wi-Fi. The internet of things is going to grow to an estimated 50 billion gadgets by next year, said Cindy Lepore, assistant vice president for business insurance at Marsh & McLennan Agency. That’s a lot of portals for criminals to attack.
Ziplow described service organization control reports – or SOC reports, not to be confused with a security operations center – which are essentially an independent audit of a vendor to determine that its security controls are in place and tested. A company can ask for a SOC report from its own service providers, such as its lawyers, accountants or payroll company. “You can do [an] SOC yourself,” said White, the moderator.
Ziplow said a new type of SOC report is now being formulated that will focus on business supply chains. “This will be a new level of independent assessment on how vendors supply and pass information,” he said. “It will force vendors to have much better protocols. Hacks on vendors are a huge threat.”
The panelists spoke in favor of cyber liability insurance as an extra layer of protection. Cyber insurance is a response to a specific danger, covering losses that other business insurance policies generally handle poorly, if they cover them at all.
Lepore called cyber insurance “another tool in your risk strategy,” adding that experts at the insurance carrier should be able to help coordinate and assist with response and recovery after a breach. Lepore said cyber insurance policies paid out $394 million in the United States last year.
“You have to read the policies and understand every detail,” said Lepore. An insurer can deny a claim if the event that triggered it is not a covered loss under the policy, she said.
Companies with robust internal practices and well-maintained computer systems may look more favorable to carriers when they assess risk, Lepore added.
The summit closed with remarks by Rep. James R. Langevin, D-R.I., a member of the House Armed Services and Homeland Security committees. Langevin also sits on the Cyberspace Solarium Commission, whose members were appointed last spring. In addition to legislators, the commission includes members from the Department of Defense, the Department of Homeland Security and the national intelligence agencies.
The commission, Langevin said, is working on three issues: how the public and private sectors should collaborate on cybersecurity, how the country should respond to cyberattacks from other nations, and how the United States and other countries should promote and enforce general rules of conduct in cyberspace.
Editor’s note: This story has been updated to reflect the number of devices expected to be connected to the internet of things by next year, and to clarify what insurance companies may not cover.