David Sun, a principal with CliftonLarsonAllen LLP, a professional services firm in Cranston delivering integrated wealth advisory, outsourcing, audit, tax and consulting services, spoke with PBN about the threat to businesses of cyberattacks as technology advances and hackers become more sophisticated.
The Department of Homeland Security has issued a “Shields Up” guidance for all organizations in the U.S. to adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets, as U.S. sanctions against Russia escalate, making acts of cyberterrorism in the United States much more likely.
PBN: We hear about the importance of cybersecurity insurance. What should be included in a policy to adequately protect businesses?
SUN: Especially with the uncertainty related to the ongoing conflict in Ukraine, it’s clear that the time for hypervigilance is now. At minimum, your business cybersecurity insurance policy should include coverage for items such as computer forensic analysis; ransomware negotiation and payment; damages and remediation costs like credit monitoring; and professional services fees for consultants like data privacy attorneys and media relations specialists.
Data breaches, ransomware and other cyberattacks can potentially cost businesses millions of dollars in a mere matter of minutes. Financial harm aside, these attacks can also wipe out a company’s records; compromise customers’ personal information; and lead to an immediate loss in public trust – a priceless asset that typically takes companies years of hard work to build.
PBN: If a Rhode Island company is doing business with a Ukrainian organization right now, what special measures should it take regarding cybersecurity that may go above and beyond normal monitoring?
SUN: When it comes to doing business with Ukrainian resources, Rhode Island companies should certainly take heightened precautions. Ukraine has a thriving technology cluster, and a number of U.S. businesses outsource work to Ukrainian companies or freelancers.
Given the current risks, any business that is working with Ukrainian resources should consider placing increased separation between their sensitive internal systems and external access. Beyond the common VPN [virtual private network] with multifactor authentication that would be used for any type of external access, businesses should consider creating an isolated staging area for Ukrainian resources to use. This staging area may be a replica of the internal systems normally accessed but should be isolated for the actual internal systems. Any connections or migration of data from the staging area to internal systems should be performed by U.S.-based resources – and only after all the data and changes have been verified safe.
PBN: What are things a company can have in place to quickly find where a cyber intrusion took place?
SUN: One of the most important pieces of a company’s cybersecurity plan is always-on monitoring and alerting. Next-generation endpoint detection and response tools are designed to help businesses detect malware, virus programs and any other suspicious activity on computers operating on their networks. These tools – combined with a companywide commitment to following clear safety protocols related to cybersecurity – will help businesses identify and mitigate threats before they spread.
PBN: Do most local companies realize the importance of stringent cybersecurity practices compared with five or 10 years ago, or do we still have a long way to go?
SUN: I obviously can’t speak for every company in Rhode Island and southeastern Massachusetts, but I do believe there is more widespread awareness of cybersecurity threats than there was a decade ago. This is especially true when it comes to larger businesses that have the budgets and resources to address the issue, not to mention those who have the most to lose in the case of an attack.
Some smaller businesses, however, are further behind. Whether it’s because they don’t want to invest the financial resources or because they don’t believe they’re at risk, far too many small businesses are not taking proactive steps to protect themselves. At the rate at which cyberattacks are increasing, every single business – regardless of size – should have a plan in place before it’s too late.
PBN: Is it enough for a company to have a cybersecurity backup plan in place?
SUN: The short answer: No, it’s not enough. A backup plan, which addresses whether a business can restore its data back to an earlier state after an attack occurs, is certainly important, but it’s only one component of a comprehensive cybersecurity plan.
Remember: Even if you successfully identify and pinpoint the location of a cyberattack, it’s difficult to determine just how long the “bad actor” has had access to your systems. The hacker may have entered the network months before being noticed, giving them plenty of time to implement backdoors and other forms of malware in your system, all of which would remain in your network when you restored your data.
That’s why it’s so important for companies to have an in-depth, always-on monitoring, alerting and mitigation plan in place. As the threats continue to evolve, the days of a one-size-fits-all approach to cybersecurity are over.
Susan Shalhoub is a PBN contributing writer.