Archive for category: Risk, Compliance & Governance

Where perfection is impossible, Executive Order 14028 offers progress

Though the internet’s rise to omnipresence brought about innovation and prosperity, it also became a vehicle for malicious attacks on our nation’s networks, infrastructures, and our most vulnerable populations. In today’s cyber threat landscape, no target is too small — or too big.

The Colonial Pipeline ransomware attack in 2021 made apparent the potential impact of just one cyberattack. President Biden signed Executive Order (EO) 14028 to bolster national cybersecurity standards in response to this incident — and the steep rise in cyberattacks preceding it.

Let’s face it: pinning down the perfect set of defensive standards is impossible. Malicious actors will constantly evolve and change tactics to evade our cyberdefenses. But EO 14028 gets a lot of things right when it comes to cybersecurity on a federal level. Let’s look at four ways it does this well.

1. EO 14028 Makes It Harder for Malicious Activity to Reach Federal Networks

Rather than leave federal systems open to malicious attacks, agencies are now required to operate on secure cloud services with zero-trust architecture. These requirements allow agencies to function with all the convenience and efficiency allotted by cloud services but with minimized human error that allows threat actors to breach them.

Users can only gain access to federal information through multifactor authentication (MFA), which adds several layers of protection to every set of credentials. Cybercriminals would not only need to infiltrate the correct devices, but infiltrate them at just the right time to fake their way into a federal system.

2. Higher Baseline Standards for Cybersecurity Software and Incident Responses Elevates Every Line of Defense

It’s become clear that, while every federal network is interconnected with dependencies (think communities, industries, and critical infrastructure and processes), its safeguards have not necessarily kept up with modern threats. This level of connectivity called for a serious re-examination of foundational cybersecurity standards for all federal agencies.

EO 14028 institutes higher security standards for the software every federal agency uses. Multiple agencies — including the National Institute of Standards and Technology (NIST) — now oversee initiatives to make computing environments safer. In accordance with EO 14028, NIST:

• Provided guidance to safeguard software supply chains.

• Published minimum standards for software development.

• Established security measures for critical software.

Incident response standards also received a much-needed upgrade. Federal departments and agencies now have standard playbooks for federal system breaches — which the Cybersecurity and Infrastructure Security Agency (CISA) has made publicly available for any organization to learn from. The playbooks cover everything, including:

• What to do during a breach.

• How to contain a threat.

• The follow-up steps required post-incident.

3. Consistently Gathering Timely Post-Attack Information Is Key

Information around a cyberattack can leave a trail of digital crumbs leading to its source and (if we’re lucky) solutions. So the more we can gather as close to that source as possible, the better. That’s where the Federal Acquisition Regulation (FAR) and its closely linked supplement, the Defense Federal Acquisition Regulations Supplement (DFARS), come into play. Executive agencies like the DoD and NASA use FAR and DFARS to acquire supplies and services, including software.

EO 14028 calls for updates to FAR’s and DFARS’s language, requiring vendors to report incidents and share detailed and timely information about cyberattacks. Information on who was attacked, when, and how can be shared with fellow industry professionals and experts to build a solid, united front against threat actors.

4. Improved Communication and Connectivity Leads to Collaboration — and Better Chances of Detecting Malicious Activity

Adding to that united front, removing barriers to information sharing allows for more effective communication from many perspectives. So it’s to everyone’s advantage that EO 14028 encourages not only collaboration between federal agencies, but also federal agencies and organizations in the private sector. The Cybersecurity Safety Review Board, comprised of leaders from both worlds, was established under the executive order.

The board convenes after significant cyber incidents to share information, analyze what happened, and recommend ways to prevent or mitigate future attacks. In light of the attack on the Colonial Pipeline, their first meeting focused on remediating its cascade of industrial damage and addressing the vulnerabilities threat actors exploited — particularly in the log4j library.

Adaptability Wins the Race

While EO 14028 isn’t an instant fix, it lays solid groundwork for a higher standard of cybersecurity fundamentals at the federal level. Its primary directives leave room for — and even encourage — growth and flexibility in facing down cyber threats. Consistently improving proactive measures, keeping detailed records, and pushing for collaboration will help us, as a country, build upward from there.

Even The Smallest Mistake Can Result in a Data Breach

Back in the day, a heavy-duty vault with a bullet-proof locking mechanism assembled by a world-renowned locksmith was enough to protect banks from Jesse James wannabes. Maybe a security guard stationed at the door, a little red button under the tellers’ counter triggering a silent alarm, cameras everywhere. But it’s 2022, and banks are facing escalating cyber threats that can sabotage business as usual in a matter of seconds.

At this point, nearly 80% of banking customers would prefer to manage their finances digitally from the comfort of their own couch than trudge to the nearest bank. While fancy vaults, security guards, and red-button alarms still have their place, cutting-edge cybersecurity solutions and groundbreaking technologies are stealing the show.

But despite massive investments in cybersecurity products and solutions, banks are still making basic mistakes — and losing millions of dollars to cybercriminals (and even more in reputation) on the reg.

5 Banking Cybersecurity Mistakes Banks Should Fix Right Now

Below are just a few of the cybersecurity mistakes we see banks making way too often.

1. Thinking Cybersecurity Is Just an IT Department Concern

You might think the first mistake on this list would live somewhere in the high-tech echelons, complete with jargon no mere mortal could wrap their head around. But no. First up is failing to create a culture of security that trains every employee in cybersecurity and zero-trust best practices.

Banks are 300 times more likely to face a cyberattack than any other type of institution. With the widespread nature and scale of today’s cyber threats, everyone in your bank needs to become a digital security guard. After all, anyone — from the CEO to the newest intern — could be the point of entry via a phishing email or malicious link.

How to fix it: Educate employees on cybersecurity best practices. Even small security measures — such as discouraging the reuse of passwords or sending sensitive information over vulnerable channels like email — go a long way to prevent a digital bank heist.

2. Forgetting That Customers Are Part of Your Cybersecurity Strategy

Similarly, consider customers a cybersecurity weak point. Just like employees, customers should receive some basic training around cybersecurity. Alongside mandatory multi-step authentication, facial recognition, encryption, and strong passwords, customers must be taught to play their part to keep their own data safe (and avoid clicking on that malicious link from their “bank manager”).

And if you haven’t upgraded your IT systems with basic security measures, your organization is at major risk of a cyberattack. Kristen Bolig, CEO of SecurityNerd, points out that many banks don’t offer customers the most basic security measures such as multi-step authentication on mobile apps. This is especially concerning since mobile apps are, as Bolig puts it, “somewhat easy points of entry for hackers.” She adds, “If a bank only requires the user to put in their password to log into the app, that’s not very difficult for hackers to figure out. Banks that have multi-step authentication and even allow for facial recognition are immediately more secure.”

How to fix it: Create customer-facing education around cybersecurity. You can do this through a newsletter, mobile app push notifications, or a digital security section in your FAQs. Encourage customers to scan their transactions regularly to check for suspicious activity, no matter how insignificant or harmless it may seem. And, if you haven’t already, enable security features such as multi-step authentication and regular password updates.

3. Using Subpar Encryption Methods

None of this education means anything if your employees and customers send information that’s not adequately encrypted.

Financial organizations regularly request sensitive information from customers (to verify identities, run credit checks, and grant loans, for example). Luckily, the Federal Financial Institutions Examination Council (FFIEC) creates, examines, and reports on standards and protocols. And the FTC’s Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect sensitive customer data and provide transparency around information sharing. To protect customers, regulations from the FFIEC and GLBA require financial institutions to encrypt:

• Sensitive information (e.g. names, addresses, and Social Security numbers)

• Transactional information (e.g. account numbers, loan balances, or purchase amounts)

• Other personal information acquired to provide a financial service (e.g. credit scores or criminal records

Make sure you’re encrypting the information that needs to be encrypted: Bank-standard encryption is a 256-bit advanced encryption standard (AES). However, as Andrew Orr points out in an article for The Mac Observer, “You can use the strongest encryption algorithm in the world, but if you don’t use it correctly, it doesn’t matter if it’s 128[-bit] or 256[-bit].”

How to fix it: Conduct an audit around your encryption methods — but don’t stop there. Ensure your servers and machines are configured to process 256-bit AES to eliminate potential weak points.

4. Using Cybersecurity Protocols and Tools That Aren’t Built for Banks

While conducting a cybersecurity audit, whether you start with your encryption protocols or testing employees’ knowledge, use the FFIEC’s Cybersecurity Assessment Tool. To use it most effectively, make sure your practices align with basic cybersecurity requirements.

Perry Zheng, former software engineer and founder and CEO of real estate syndication platform Cash Flow Portal, says, “Most medium-sized banks fail to link their cybersecurity with cyber compliance.” If you’re following cybersecurity practices that don’t match your required compliance, “it can be difficult to respond to exams and audit requests.”

And if you do have to go through an audit, violations can be costly — especially if you don’t take corrective steps. You could incur fines from the NCUA, FRC, OCC, or FDIC. No matter which organization is coming after you, their fines can render your bank, well, bankrupt.

How to fix it: Leverage the information included in the FFIEC’s Cybersecurity Resource Guide for Financial Institutions to find both paid and free assessments and tools to evaluate your cybersecurity practices for compliance. Document your findings and make changes if you find weak points or violations. If a cyberattack does occur, you can use your records to show that you were following best practices for financial institutions — not just generic cybersecurity protocols.

5. Sacrificing Security for Cost

Cybersecurity is not a budget line item to second guess.

The sheer volume of cyberattacks on banks might drive you to hire third-party security providers. The pricing model for security packages often depends on the number of systems covered. To keep costs affordable, many vendors — and even banks — suggest covering only “critical” systems.

But for financial institutions processing thousands (or millions) of records containing sensitive data, every system is critical. Cybersecurity corners should not be cut, especially for organizations as highly targeted as financial institutions.

How to fix it: Whether you’re working with an in-house security team or a third-party vendor (or both), don’t let cybercriminals catch you exposed — make sure you’re covered everywhere. Has your cybersecurity spending actually decreased recently? Leaving a “non-critical” system unmonitored to cut costs could be just the open (vault) door a hacker is looking for.

Upgrade Your Bank’s Cybersecurity

Even the most sophisticated cybersecurity system needs a basic foundation to stand on. Educate customers and employees about the importance of cybersecurity and the consequences of cyberattacks. Anyone connected to a bank should be vigilant about preventing cyberattacks; people can be your greatest weakness or your greatest strength.

And then, make sure your products or solutions, partners, and processes follow the same cybersecurity standard as your organization. Every product or solution you use, vendor you partner with, and protocol you follow should comply with FFIEC standards. Whether you run a small local credit union or an international institution, you should always be on the lookout for cutting-edge tech and groundbreaking cybersecurity solutions that will reduce risk and mitigate damage.

Want to know more about guarding your bank against cybercrime? Check out some of our other resources:

• Prepare for the worst by running this cyberattack simulation exercise for banks.

• If you need any more convincing to stay on your guard — read about the true cost of a data breach.

• Have you already become the unfortunate victim of a cybercrime? Learn what bank CISOs should do after a data breach.

Make Sure You’re Prepared For Cyberattacks

Picture this: Your bank’s network slows to an uncharacteristic crawl, affecting both processing and productivity. Customers begin to lose their patience — and they aren’t too shy to let you know. Your IT team investigates and comes back with grim news: Your network is under attack.

What do you do?

If you can’t immediately answer this question, you’ve got a very big problem. Preparation is the key to winning any battle: Along with playing cyber wargames, running cyberattack simulations with your staff is critical to staying prepared.

Cyberattack Simulations For Banks

The following steps should be a part of every bank’s cybersecurity training and preparation:

1. Identify your strengths and weaknesses.

Though it’s intuitive — and necessary — to identify liabilities, it’s equally important to recognize the strengths of your security systems and your staff’s abilities. You may uncover unknown assets that can bolster the weaker areas — and develop strategies that play to those strengths.

2. Improve response time through training.

Train your whole team — not just IT personnel. The more knowledge each employee has about the telltale signs of a cyberattack, the more quickly they’ll be identified and contained. While practicing your responses, determine responsibilities; an incident response team works like a well-oiled machine when everyone knows their role.

3. Plan ahead for expenses and external assistance.

Who will you call if an attack exceeds your cybersecurity team’s skill set or bandwidth? How much do those services cost? Do your research ahead of time and keep the information readily available should you need it at a moment’s notice.

4. Identify internal risks and raise awareness.

Non-compliance with cybersecurity best practices puts your customers’ information at risk — and it could also cost you to mitigate the damage should an attacker successfully breach your customer data. Consider activities that make it easy for a malicious actor to get in, like using personal logins or unauthorized accessories on company devices. Make sure your employees all know what to do, as well as what not to do, and why.

5. Hope for the best; plan for the worst-case scenario.

Consider the varying degrees of attacks your bank might endure and the most effective response to each. Create an incident response and plan for the worst-case scenarios. Then, brainstorm how outcomes might be even worse than that.

6. Prepare your team with drills.

Test your knowledge with scenarios (more below), do your research, and work with your IT team to establish your incident response plans — and then drill! Practice these role-plays regularly — and continue to update information as the cybersecurity landscape evolves.

Cybercriminals will use all resources and assets at their disposal to break into your systems and networks. Get creative while evaluating your defenses and ask yourself: What other angles could a cybercriminal take to leverage vulnerabilities and gain unauthorized access to your bank’s systems and networks? Think like the enemy as you practice and prepare — and don’t stop until you find new ways to breach your defenses. You need to remain several steps ahead of your enemy to defend your business in today’s cyber minefield.

Knowing how you should respond to a cyberattack isn’t enough these days: It takes practice and research to establish an efficient and effective response. Take your security into your own hands and see how well you deal with the following scenarios. You may be surprised by the invisible tripwires and potholes that can lead to cybersecurity incidents that cost your bank millions of dollars — and damage your reputation.

Cyberattack Simulation Exercises

Introduce the scenarios below, and ask your team the following questions:

• What are the first steps you must take to minimize damage?

• Which authorities and individuals will you contact — and in what order?

• How will you assess the damage?

• How will you manage the fallout?

• How can you prevent these scenarios from happening in the first place?

Scenario 1: Leave your personal logins at the door.

Bob left his phone in the car, but he needed to double-check the time of his doctor’s appointment, so he logged into his personal email from a work computer. The next day he logged in and found odd extensions on his files — and he was unable to open them. It turns out that cybercriminals used a MITM (man in the middle) attack to have Bob’s personal email credentials redirected. When Bob lets your tech team know about his problems, he mentions that he uses the same password for everything, including his login credentials at your company. In other words, the attacker can now access everything Bob had access to — and since Bob is a Senior Manager, he has access to some of your most sensitive data.

Scenario 2: The problem with home devices.

George received a call from his daughter’s preschool that she had a cough and a fever, so he had to leave work early to pick her up. He wanted to continue working on his project from home, so he made copies of his files on a flash drive to take with him. He completed his tasks on his personal computer at home, updated the files on the flash drive, and brought the drive into work the next day. Unfortunately, his home computer had been infected with malware, and now his work computer is compromised.

Scenario 3: It’s not you. It’s them.

Your bank’s Human Resources department uses a cloud-based online video platform to stream training videos for new hires. You just heard on the news that this provider was recently hacked, and malicious actors formjacked files that the HR department had been using.

Scenario 4: One simple mistake.

Diane followed every security protocol when she installed Outlook on her phone to access her work email at home. Like many people, she often purchases from large online retailers and frequently receives notifications in her personal email. One such notification popped up on her screen (apparently, there was an issue with a recent order). She opened the email from her lock screen and clicked on the link provided. Sadly, this was a phishing email sent to her work email. Her phone became infected with malware, which compromised her work email.

Third-Party Vendors Are a Growing Cyber Risk for Pharma

Pharmaceutical companies regularly outsource critical business functions to third-party vendors. Outside companies are often responsible for research, product development and distribution, sales, and IT (to name a few) — and these third-party vendors pose an enormous cyber risk for pharma. Over half of all data breaches in 2021 were traced back to third-party vendors.

Pharmaceutical companies store valuable data on their networks, from patient information to sensitive data about patent filings. Attacking pharma through a third-party vendor — who has access to a company’s proprietary information and internal networks — is low-hanging fruit for cybercriminals looking for an easy payday. Even worse, the average cost to bring a new drug to market is roughly $1 billion. A cyber attack that delays the approval process — or puts approval at risk— can be enormously expensive.

Despite strict regulatory compliance requirements, a record number of pharmaceutical companies lost millions of dollars in data breaches last year. The average cost of a data breach in the pharmaceutical industry rose to $5.04 million in 2021 — nearly $1 million more than the average cost across all sectors.

Mitigate Third-Party Cyber Risks

Mega data breaches, supply chain attacks, and devastating ransomware regularly make the headlines, especially when the healthcare industry is under siege. By now, pharmaceutical security experts know many cybersecurity hygiene basics, like keeping software up to date, following zero-trust best practices, performing penetration tests, patching early and often, and educating employees, to name just a few.

But every pharmaceutical company should take additional steps to mitigate third-party risks and ensure a chain of trust with companies offering essential services in the supply chain. If an attack shuts down a critical system used in the approval process for a new drug, the financial consequences can be enormous. The best third-party vendors will take all necessary security measures to keep your company safe.

Here’s what you need to do to minimize risk:

1. Make a list of your vendors and update it regularly.

Keep a list of vendors — including the details of your business relationship and what data they access — complete with representatives’ names and contact information. This will make it easier to identify attacks (like phishing attempts disguised as your vendors or unauthorized data transfers). It will also help your IT team with investigations in the event of an attack.

2. Identify the risk factor for each third-party vendor.

Discuss the following topics with your vendors’ representatives to gauge their cybersecurity preparedness:

• What cybersecurity measures are you taking? All pharmaceutical companies should be using encryption and 2FA, testing against potential attacks, employing least-privileged access, and performing routine employee awareness training and audits.

• Do you use VPNs or desktop sharing tools? These tools pose potential security risks, creating vulnerabilities that cybercriminals can use to access your data.

• Has your network been breached before? What was the outcome? It is important to know if a vendor has experienced numerous breaches.

3. Include cyber risk management in your contract.

Including cyber risk management in your contract may not prevent a breach, but it holds the vendor responsible for protecting your data — and encourages cybersecurity best practices.

4. Set up strong access control measures.

Pay close attention to the data you share with third parties — and limit access whenever possible. Enforce access reporting, auditing, and monitoring to keep all movement out in the open.

5. Create a clear incident response plan — and have your team role-play with realistic scenarios.

Your team’s first response to an incident shouldn’t be during the chaos of a devastating cyberattack. Identify exactly what your company will do in the event of a third-party data breach — and practice your response until you’ve covered all of your bases.

Pharmaceutical companies must stay vigilant and prepare for escalating cyber threats: It’s no longer a matter of “if” a company will be attacked, but “when.” Institute a third-party risk management plan, identify your weakest links, and safeguard your data today; it could save your company millions of dollars in the long run.

The Real Cost of Recovering From a Ransomware Attack

Paying the ransom itself comes with a hefty price tag — but remediation costs, including the cost of downtime, lost opportunities, data recovery, lawsuits, and loss of reputation, increase the bill tenfold. And it all adds up to an average of $1,270,000.

Hospitals Are at the Center of the Escalating Cyber Storm

The pandemic offered a perfect storm for cybercriminals — and hospitals paid the price. Cybercriminals brought in staggering amounts of cash by installing ransomware at overstretched hospitals, notoriously unprepared for escalating cybersecurity threats. Now, cyber gangs like FIN12 intentionally target vulnerabilities in the healthcare sector, looking for an easy payday. The increased risk to patients’ lives incentivizes hospitals to pay up, and cybercriminals know it.

When cybercriminals shut down networks, encrypt data, and threaten to shut down the facility’s utilities, the repercussions are complicated and costly. Precious commodities like patient information and lifesaving equipment are at risk. And when ransomware infiltrates a hospital’s lifesaving systems, there are no clear instructions for recovery. Even hardliner authorities (“We don’t negotiate with terrorists!”) recommend meeting ransom demands to save patients’ lives.

The Hidden Costs of Ransomware Attacks at Hospitals

The ransom paid — an average of $131,000 in the healthcare sector — is just a fraction of the $1,270,000 average recovery cost from a ransomware attack. Operational downtime, negative patient experience, loss of reputation, staff overtime, device costs, and network repairs make up the difference. Even if the attack is swift and the criminals withdraw quickly after paying the ransom, lost revenue adds up. NEO Urology in Ohio lost $30,000 to $50,000 every day for three days after paying a $75,000 ransom.

A worrying 54% of IT teams said that cyberattacks are too advanced to handle on their own. Outside agencies are often brought in to assist with data and device recovery (which can take years). When all is said and done, the bill can cost more than the ransom. It costs up to $2,000 on average to recover data from one hard drive. Consider how many hard drives are in a single hospital and what it would cost to bring them all back up to speed. Okay, you can spare yourself the mental math: It’s a lot. Don’t even try to think about the other, more complex medical devices similarly affected by network attacks — you’ll get a headache.

Payroll and education costs also add up. With networks offline, hospital staff must make handwritten records to maintain protocols, procedures, and schedules. Once systems are back online, those same records must be transcribed into the system to avoid leaving gaps in the facility’s history. These tedious tasks add a surprising amount of time to any healthcare worker’s shift, resulting in overtime and hazard pay. And let’s not forget the resources needed to train staff about cybersecurity best practices to avoid another attack.

$1,270,000 is a hefty price tag, but even so, it fails to include the costs of legal repercussions associated with a successful cyberattack.

Quality Rep Services, Inc. (QRS), a healthcare technology vendor in Knoxville, Tennessee, is facing a class action lawsuit for a data breach of 319,778 records. On the internal side of things, Community Medical Center (CMC) in Missoula, Montana, flirted with employee lawsuit material over payroll discrepancies. CMC suffered a cyberattack in late 2021, which affected payroll processing. In the interim, the medical center duplicated paychecks from December 3, 2021, prompting a letter from the Montana Nurses Association (MNA) urging CMC to pay nurses what they are owed.

Minimize Damage and Keep Your Data Safe

Until cyberattacks let up (which is more likely than seeing the dead rise from the grave but less likely than seeing a good Matrix sequel), these expenses aren’t going down. Remember, the best defense is not preventing attacks (they’re going to happen!), but preventing successful attacks by keeping backups of your important data secured off-network and minimizing the effects on patients. The less damage done, the less recovery is needed.