What You Need to Know About Cybersecurity
The Cybersecurity panel is produced by the L.A. Times Brand Publishing team in conjunction with Greenberg Traurig, LLP, Miller Kaplan, M-Theory and OpenText.
Corporate cybersecurity breaches have become more and more commonplace, and the threats (and fines) are growing as we become increasingly reliant on cloud-based computing and other online innovations. With hundreds of thousands more employees working from home, with devices containing sensitive data leaving offices and entering homes at an exponential rate, those concerns have exponentially increased. While tools to prevent breach incidents have become more sophisticated, so have the methods of the hackers and cybercriminals. What actions can business owners take to protect their private data and that of their customers and employees? How can C-suiters and IT teams sleep better at night when there are so many mounting threats to our digital security? Los Angeles Times Brand Publishing turned to four uniquely knowledgeable cybersecurity experts for their thoughts and insights about threats businesses face in today’s digital world, and what executives can do to safeguard the privacy of their organizations, employees, customers and other stakeholders.
Q: What are the greatest cybersecurity threats of 2021?
Muhi Majzoub, Chief Product Officer, OpenText: The greatest cybersecurity threats this year are no longer foreign to an average person. Most people now know the names of the most devastating attack methods, for example ransomware and disinformation campaigns. But people need cyber awareness to help understand how cybercriminals are innovating and evolving these attack methods for maximum damage in 2021 and beyond. With a large majority of workers remaining at home, hackers will build more effective attacks, taking advantage of the proliferation of connected devices and increased pressure on cybersecurity professionals to protect both home and business environments. Disinformation campaigns will remain prevalent, due in part to the increasing sophistication of deepfake videos and images and bots “participating” on social networking sites. Additionally, hackers will attempt to capitalize on COVID-19 and mass vaccination efforts by creating malicious URLs and incredibly realistic phishing campaigns to trick people into sharing personal information.
David Lam, CISSP, CPP; Partner & CISO, Miller Kaplan: Attacks related to human interactions remain highest on the list of attack vectors. We are primarily concerned about phishing attacks and ransomware as the top threats. Whereas typical malware steals your data, ransomware renders your systems unusable, which is the worst of nightmares. From a technical perspective, we continue to be inundated by clients who are not properly patching their systems, and, as such, folks who are attacking from the outside find easy ingress to multiple companies. Most interestingly, some companies that don’t have their own information security expertise, rely on IT’s assertion that everything is awesome from a patch management perspective, and a simple vulnerability scan reveals that there is big trouble hidden beneath the water.
Ian C. Ballon, Co-Chair, Global Intellectual Property & Technology Practice Group, Greenberg Traurig, LLP: One of the greatest threats is lack of preparation. Most businesses should assume that they will experience security incidents despite their best efforts. But if they plan ahead, they can mitigate the impact of an incident. For example, a business that has mirrored copies of its data will be less vulnerable to ransomware. Planning, of course, means implementing “best of breed” security protections and reevaluating security on an ongoing basis. But it also means making sure that key stakeholders in an organization should be discussing and planning for how to respond to a security breach before it occurs. For example, if you bring together key stakeholders for table top exercises - where a company anticipates how it will respond to common threats - it is more likely that a company can avoid common mistakes when an incident occurs. Among the issues a company should consider is who the key decision makers will be when a breach occurs, what lawyers and vendors will be contacted, how press inquiries will be handled, whether and how to involve law enforcement, and similar questions that should not be considered for the first time when a breach occurs. Under the GDPR and some other laws, notification to consumers and regulators may be required in as little as 72 hours after a breach is discovered. In my experience, it is rarely the case that a company knows exactly what happened - and how and why it happened - in that time. Yet, the business may be required to make representations to regulators or consumers before all of the facts are known, generate documents that could be used against it in litigation if the company is inadequately prepared, and give statements to the press, employees and/or investors. If a company’s IT and PR professionals, lawyers and C-level executives have anticipated how they will respond in different circumstances, a business will be less likely to make costly mistakes. A consistent threat is that hackers and state actors stay several steps ahead of those who work to detect and deter cyber threats. Yet a substantial number of breaches each year are preventable - the result of companies failing to implement needed security patches or upgrade old systems. In times of economic turmoil, companies may cut corners in ways that leave them more vulnerable to attack. The rise of state-sponsored attacks on private companies is also a threat that requires national attention.
“Frankly, the difference between cloud providers ranges from doing almost nothing from a security perspective to phenomenal controls that can significantly improve your security posture.”
— David Lam
Chant Vartanian, Chief Strategy Officer, M-Theory: The digital landscape is going through a reformation. With the workforce moving to remote, we are facing a unique challenge of keeping tabs on data movement. While we always like to equip our employees with the best digital protocols, it is not uncommon to follow inadvertent poor data practices. As such, data loss due to insider threats is a big hazard that enterprises are facing as we continue to see them struggling to gain visibility into employee activity outside of the corporate firewall boundaries. When it comes to which industries are hit hardest by breaches, there seems to be an anecdotal disproportion to cyber-crime and that’s because of the omniscience of technology and the internet. This leaves people as unaware as they are vulnerable. Healthcare would be one of the primary industries that suffers heavily from cyber threats. A large percentage of healthcare was not really designed to work remotely, however, as admin transitions to this remote work mode, data governance and compliance is taking a huge hit. If the appropriate measures are not put in place, most employees tend to lean towards convenience, which in turn falls outside the recommended best practices for data security.
Q: How has the booming numbers of people working from home due to COVID-related issues changed the cybersecurity landscape?
Lam: The biggest threat we see from people working at home is the catastrophic misunderstanding that you can safely use a personal machine to access corporate networks. The simple truth is: you must control any machine accessing your information in accordance with commercially reasonable policies, and that means not using personal laptops or computers to access your information.
Vartanian: From the ancient hieroglyphs drawn on walls to Gutenberg’s printing press to our Twitter timelines, society functions off the precedent that technology adapts with them. Since COVID-19, the digital landscape has changed, along with the dialogue it transfers. Now, admins have to cater to monitoring data and access when the workforce is outside the perimeter. When this gets compounded with SaaS-based data access methodologies, we really fall prey to the various challenges of shadow IT. In general, keeping our increasingly mobile landscape safe is an important consideration as well. The proliferation of technology over the past twenty years has caused a paradigm shift so quickly, we barely noticed it. Since tech is so heavily entrenched in our culture, its vigilance is imperative. There is no one-stop solution to address this requirement, however, we need to implement multiple layers of security that can alert us early. We start with the weakest link - that is the user - and work through their daily activities and design our security practices around those. Then we implement endpoint protection, then we look at email security, then we look to block unwanted websites. Next, we ensure that data is protected from insider threats. Regular training for users on best practices to follow and how to identify malicious content goes a long way.
Q: What are some of the biggest trends today in cybersecurity?
Ballon: The uptick in litigation and regulatory enforcement is a trend that often goes unnoticed when experts discuss cybersecurity. The Federal Trade Commission and State Attorneys’ General have given increased attention to cybersecurity and data privacy issues in recent years. There has also been a flood of new lawsuits arising out of the CCPA. In the absence of comprehensive federal legislation, states increasingly are enacting cybersecurity laws. Businesses that operate nationally must contend with a patchwork of state laws.
Vartanian: We are noticing a heavy shift towards solutions to address insider threat. From an operations perspective, a lot of organizations are adopting a managed services approach. They prefer to offload the day-to-day operations to larger teams as opposed to having team members on payroll. To stay ahead of the curve, we look in-between the nuance of technology in the corporate landscape to catch any user vulnerabilities.
Q: What tools can companies use to protect their data?
Majzoub: When it comes to protecting data, antivirus and backup work together to combat a wider range of threats than either one of them working alone can prevent. Antivirus prevents a lot of attacks that would otherwise lead to a lengthy disaster recovery effort. But if an attack does get through, backup enables you to recover clean copies of your data without paying a ransom. To be effective against all types of data loss, such as ransomware or user error, a data backup solution must continuously update, monitor and test performance to ensure that system is up and running optimally. But the hands-on IT work can’t stop after implementation. Data backup is not a ‘set- it-and-forget-it’ solution - there must be an always-on approach, and backup recovery should be tested periodically, to ensure easy file recovery and access in the event of an attack or data loss.
Vartanian: One highly sought-after tool for most security teams is an open detection and response platform. The security teams need to be able to integrate alerts and events from multiple sources and then be able to dynamically act on the same in real- time. With the rising cases of ransomware, it is essential to have contingency plans to ensure your business is not impacted by any breaches. Cyber insurance covers your liability in case of breaches involving sensitive customer insurance.
Lam: Frankly, most companies are ignoring basic Information Security hygiene in configuring their systems. The Center for Internet Security publishes free guides on how to “harden” or secure your systems. Microsoft Office 365 gives you a free self-guided tool to making your access more secure. And, either acquiring your own vulnerability scanner to check for missed patches and missed configurations, or having a firm run monthly scans for you makes a big difference.
Q: What are some of the biggest mistakes companies make when attempting to protect themselves from breaches?
Vartanian: A lot of organizations tend to deploy best of breed solutions in a siloed environment. These products, most of the time, do not talk to each other or share the threat intelligence. As such, some advanced persistent threats tend to be missed as we do not have a holistic view of our security posture.
Ballon: The biggest mistake companies can make in this area is to not plan ahead. It is inevitable that every company will be subject to security incidents. Their severity and consequence may depend on how well prepared companies are when a breach occurs. Businesses should consider adopting a written information security plan and engaging in table top exercises where key executives, technologists, legal counsel, and marketing professionals run through common exercises so that they are prepared when a real breach occurs. Other common mistakes include deferring or failing to make timely upgrades that leave a company vulnerable to attack, failing to check the security of vendors and other third parties given access to a network, and failing to account for both network and physical security in seeking to prevent loss. Failing to provide adequate education and training to employees may also leave a company vulnerable to spear fishing, which is one of the most successful ways that bad actors gain access to account credentials and a company’s most sensitive information.
Majzoub: Companies often make the mistake of focusing on one specific threat area instead of looking at the entire threat environment holistically. For example, an organization may be well-protected against attacks from outside but forget to protect itself from the inside. There’s no silver bullet to address constantly evolving threats or ensure seamless business continuity in the face of unforeseen circumstances. Defense-in-depth strategies address the problem of a seemingly limitless number of attack vectors and data loss scenarios by not relying on any single solution. To be truly cyber resilient, companies must build layers of security and protection that address everything from employee training on common attack types to the network and endpoints to data backup and recovery. This big picture approach creates the ability to keep businesses, data, and devices online no matter what threats arise, or to quickly recover should an attack occur.
Lam: The biggest thing we can do to protect ourselves is to patch our systems and have information security policies and standards to tell us what to do.
Q: How to we protect against ransomware?
Lam: To protect your company against ransomware you should focus on training your team members, having appropriate technical controls, and patching your systems.
Vartanian: We have to look at a defensive, in-depth approach where security is deployed at multiple layers. We should implement multiple solutions that can detect malicious file activity in the early stages of the kill chain and raise alerts so IR teams can act on it.
“Data backup is not a ‘set-it-and-forget-it’ solution – there must be an always-on approach, and backup recovery should be tested periodically, to ensure easy file recovery and access in the event of an attack or data loss.”
— Muhi Majzoub
Ballon: It is important to make sure that critical data is adequately backed up in a secure location so that an attack on a company’s network does not disable it. This is especially true because payment to a ransomware attacker could constitute an OFAC violation. Even when companies have paid to restore their data, there is no assurance that the data won’t have been corrupted or infected with malware or other vulnerabilities. Conversely, even companies that don’t need to recover their data to continue business operations may be blackmailed with the release of the information if they fail to pay a ransom. With more people working at home, the need to protect against malware attacks is more critical as the attacks may be targeted at individuals working at home, and not just networks. For example, through a spear fishing attack a bad actor may gain access to credentials that allow the actor to access the network and begin copying data. In addition to maintaining up-to-date backup copies, companies should have a comprehensive plan for how to continue operations if the network is brought down. As with most aspects of cybersecurity, this requires coordination between a company’s CISO (or IT professionals, for companies without a CISO), legal department, and public relations teams, among others. When an attack occurs, businesses need to act quickly - and are more likely to make mistakes if they have not planned ahead. Depending on the facts of a given incident, a malware attack also potentially could trigger security breach notification obligations, requiring notice to consumers and regulators. Coordination with law enforcement also requires careful consideration and coordination with a company’s PR professionals and lawyers. Buy-in from C-level executives will also be required for major attacks. As a lawyer who typically defends companies following cybersecurity incidents, I believe it is important to involve outside litigation counsel in preparation of a company’s plan - to ensure, to the extent possible, that internal deliberations remain subject to the attorney-client privilege, work product privilege, and other privileges that may shield these communications from disclosure in the event of litigation. Recent court decisions underscore the importance of involving outside litigation counsel, and not just in-house or compliance counsel, to maximize protections.
Q: Can we keep our data safe in the cloud?
Majzoub: Putting your data in the cloud protects against some threats - including natural disasters like fire or flood - but not others, so it boils down to how people are using the cloud to store data and if they are doing it securely. For example, cloud storage applications (not to be confused with secure cloud backup) don’t provide comprehensive, automatic backup of all files on a computer, leaving users unable to set policies for data retention, including what’s backed up and how frequently. They’re also poor protection against one of the most common forms of data loss - user error and accidental deletion. The best way to keep your data safe in the cloud is to use antivirus and a secure cloud backup tool but make sure it is not your only backup copy saved.
Vartanian: We exist in the cloud and ensuring data stays secure starts with encryption and ends with proper maintenance. With the right data governance policies and practices, yes, data can be secured in the cloud. However, we need to clearly establish SLA’s with our cloud provider and ensure they take our data concerns seriously.
Lam: The first part of keeping your data safe in the cloud is doing appropriate due diligence on the practices that your cloud provider has in place. Frankly, the difference between cloud providers ranges f rom doing almost nothing f rom a security perspective to phenomenal controls that can significantly improve your security posture. A great measure of this is asking for audit reports, such as ISO 27001, SOC-2 and HITRUST. You can also ask the cloud provider if they adhere to Cloud Security Alliance recommendations.
“If the appropriate measures are not put in place, most employees tend to lean towards convenience, which in turn falls outside the recommended best practices for data security.”
— Chant Vartanian
Q: How have new regulatory issues (such as GDPR in Europe) changed the way businesses view cybersecurity?
Ballon: The adoption of the GDPR in Europe and the CCPA and CPRA in California have forced some businesses to confront data privacy and cybersecurity issues for the first time. In a global economy, a business may be required to comply with the laws of numerous different countries (and continually adjust its privacy and data security practices as new, somewhat inconsistent laws, take effect in different parts of the world). Businesses that operate in California nevertheless may need to comply with vastly different regulatory regimes in different parts of the world. Changes in the law have also magnified the risk to companies of failing to comply. Fines under the GDPR can be very large. In the U.S., litigation remains a significant cost of doing business. Companies now typically have a CISO and/or give security issues greater managerial and board-level attention.
Q: How should we best train our employees and customers about phishing and malware?
Vartanian: I highly recommend quarterly training sessions that point out key things to look out for in emails. Always verify personnel and links before clicking. Also, try services offered by companies like Knowb4 and Barracuda that send emails to users, luring them to click and then use that as training mechanisms.
Lam: We find that the best way to train your employees about phishing attacks is to hold small, 10-13 person sessions that focus on discussions of what phishing attacks look like and breaking down the elements of a specific phishing email.
Q: There have been a number of recent news stories about other kind of threats, such as hardware hacking and denial of service (DOS). How serious are these concerns and how can we avoid them?
Vartanian: With IOT market booming, hardware hacking has taken a turn for the worse. Over the last six months, some of the big named manufacturers have discovered backdoors in their firmware. It is absolutely essential to monitor the connections from all of their connected devices. As for denial of service, it is one of the easiest to carry out, especially when we have bad actors offering DoS as a service. DoS is an attack meant to prevent access to resources by bombarding the customer gateways with half-opened sessions thus overloading the system and making it inaccessible to legitimate users. We can avoid it by getting higher bandwidth or using dedicated hardware or software DoS prevention solutions that can identify traffic base on thresholds and block accordingly.
Q: What checks and balances can we use to ensure the safety of our IT ecosystem?
Majzoub: The safety of our IT ecosystem requires security partners and vendors to earn the trust of those they serve each and every day. There is simply too much at stake for companies to place blind trust in technology partnerships. By asking a security supplier the right questions, such as their viewpoints around backup practices, details on where and how data is stored and the importance of cybersecurity education and training, an organization can selectively build their own cyber resilient ecosystem to stay one step ahead of bad actors or at least mitigate damage. This is especially important for smaller organizations that typically lack resources for dedicated in-house security personnel, but rather rely on partners to deliver security services at scale. Make sure potential partners follow best practices and take a holistic approach to cyber security before trusting them with corporate security and data.
Vartanian: It is essential to run periodic red team operations including full-blown penetration testing and vulnerability assessment at least every six months. Regular training against phishing is an absolute must. Another key area that is usually overlooked is simulation of a disaster and verifying that our incident response and disaster recovery plan are in line with our business continuity plan.
Q: What cybersecurity positions should companies fill?
Lam: Filling a cybersecurity position completely depends on the needs of the firm. Because of the severe shortage of qualified cybersecurity personnel, small and medium businesses are typically best served by finding a well reputed firm that can cost-effectively meet their cybersecurity needs. In the event those needs cannot be cost-effectively met by outsourcing, such advisors can help you find qualified individuals to staff appropriate roles.
Vartanian: A few key positions that every organization need to fill would include security analyst, incident responder, and security architect/engineer.
Majzoub: There has been a significant deficit of skilled security professionals for years, including a scarcity of developers, threat researchers, and forensic specialists - and the pool of skilled workers continues to shrink compared to the demand. A company’s cybersecurity needs vary greatly based on the data they handle and the budget allocated, but cybersecurity analysts working in a security operations center (SOC) role with some coding knowledge is one of the most widely desired. Companies, especially smaller ones who do not have budget for dedicated security personnel, should look for products that leverage artificial intelligence (AI) and machine learning (ML). These more automated products will help to offset the lack of experienced security staff.
Q: What is the one great piece of advice for a company looking to strengthen its cybersecurity?
Ballon: It is important to plan ahead. I have represented companies in connection with cybersecurity breaches going back to the late 1990s - before notification laws made disclosure mandatory in certain cases, when companies treated security breaches like property losses - and the one common theme is that businesses that haven’t planned ahead are more likely to make mistakes. A company should consider developing and implementing a written information security program and hold table top exercises with key stakeholders, as well as taking other measures to plan for security incidents and train key stakeholders on how to respond.
Majzoub: Taking into account our global report on phishing attacks seen during the pandemic, it has to be: “don’t forget your people.” Make sure to get them trained and aware of the modern threats facing them, and be inclusive of all departments and levels. Many businesses have realized that the human element is often the weakest link or layer in an organization’s security posture but don’t necessarily recognize that it doesn’t have to be. Businesses can empower employees to be the first layer of defense by helping them become cyber aware, able to spot socially engineered attacks, and prepared to take action if they do encounter something “off” or “phishy.” Proper, consistent security awareness training can greatly reduce a company’s exposure to malware, especially when coupled with other layered security measures such as endpoint protection.
“A company should consider developing and implementing a written information security program and hold table top exercises with key stakeholders, as well as taking other measures to plan for security incidents.”
— Ian C. Ballon
Vartanian: A threat online is a threat off, which is why establishing a crypto-phalanx, so to say, early on is the strongest move. We cannot stop attackers from wanting to breach our defenses and there is no way to account for all possible modes of attacks. Cyber defense will always be reactive and it is safe to assume the bad actors are always one step ahead. However, we need to deploy multiple layers of security at each level and also have a comprehensive view of our ecosystem so the attacks can be detected in the early stages of the kill chain. Also, organizations should invest in an automated response to incidents: there is nothing called “too much security.”
Lam: The number one thing you can do to strengthen your cybersecurity is to implement an Information Security Management Program (ISMP), meaning appropriate Information Security Policies and Standards, under the guidance of a qualified security professional. This gives you the bar that you need to meet and a methodology for meeting that bar. This way at least you know what you need to get done. Remember, the goal of this program is to operationally manage information risk. From there, everything is dictated by your management methodology as defined in the ISMP.
Q: How have the CCPA and CPRA changed breach response?
Ballon: California enacted the most comprehensive privacy law in the United States in 2020, which has allowed consumers to recover up to $750 in statutory damages (and a minimum of $100) for security breaches regardless of whether a consumer has lost any money or otherwise been injured. $750 may not sound like a lot, but CCPA cases typically are brought as putative class action suits. If one million California residents have been impacted by a security breach covered by the CCPA, a company’s exposure potentially could be up to $750 million - and would be at least $100 million - if a class were to be certified and liability established. These kind of numbers have created a California gold rush for lawyers from around the country, who swoop in to file suit almost immediately after a security breach is announced, seeking to stake a claim. While not every security incident constitutes a breach under the CCPA, every reported breach now raises the potential for class action litigation. As someone who has been defending companies in internet disputes since the 1990s and defending cybersecurity cases for more than a decade, I have never seen as much of a feeding frenzy.
The pandemic has arguably made things worse, as class action lawyers whose cases against companies in industries that were hard hit have tried to shift their focus to cybersecurity (and data privacy) cases. For example, one breach that I am defending has spawned six separate putative class action suits. This trend will only accelerate under the CPRA when it takes effect on Jan. 1, 2023 (unless Congress enacts a national law to preempt it). Businesses need to work with their lawyers, IT professionals and marketing departments to ensure their compliance. There also are specific steps companies can take to reduce the risk of class action litigation, including entering into binding arbitration agreements with consumers (and ensuring that consumer agreements in fact form enforceable contracts - especially when formed online or via mobile phones) or becoming intended beneficiaries of business partners that are in privity of contract with potential claimants.
It is important that companies and their lawyers review their online Terms of Service, arbitration provisions, and online and mobile contract formation processes at least annually, if not more frequently, given how much litigation there is in this space and how many court opinions issue each month on arbitrability and contract formation. Posted Terms of Use may not be enforceable, for example. And even where assent is obtained, not all arbitration clauses are enforceable against consumers. Some provisions commonly found in online or mobile Terms of Service contracts are actually unenforceable under California law. Companies that cut corners on the front end when preparing or updating online and mobile consumer contracts may end up paying hundreds of thousands of dollars more in litigation costs down the road, which otherwise could have been avoided. Minimizing exposure under the CCPA will pay dividends down the road. Businesses also should evaluate their insurance coverage for CCPA litigation. While the CCPA is a California law, businesses with headquarters in other states are also vulnerable to being sued for breaches that impact California residents.