Cyberattacks occur daily and their effects linger for months, so each company needs its own roadmap for regaining control of its data and preventing future devastation.
Kentucky has seen its share of breaches in the last 12 months, including notables like the Norton Healthcare ransomware attack that impacted 2.5 million patients. AT&T indicated millions were affected nationally this April, and many other hacks were more localized but just as destructive. Entities such as Campbell County Schools in Northern Kentucky grappled with being a victim and with where the stolen information will surface.
The best solution when facing a breach varies depending on the type of breach, said Jordan Johnson, a cybersecurity senior consultant at Dean Dorton’s London, Kentucky, office.
“If it originated from email—as the vast majority of incidents do—implementing policies to provide end-user awareness training to the affected employee along with all other employees is important. Putting policies in to ensure systems adhere to security guidelines—such as using endpoint detection and response tools, utilizing hardening baselines—is recommended,” Johnson said.
Right after a breach, the best help for a company is generally through federal resources available through area offices of the FBI and CISA, said Richard Connor, CEO of Lockstock Cybersecurity and Analytics in Louisville, a managed security service provider (MSSP) and cybersecurity consulting firm.
In today’s environment, cyberthreats continually disrupt and financially impact businesses, with at least 40% indicating cyberthreats will “highly affect” their organization’s performance in 2024, according to a survey by Tech.co.
To begin to get a handle on cybersecurity needs in a small company, the Cyber Readiness Institute suggests appointing a cyber team leader. This person does not have to be technical but should be a champion for internal discussions and implementation of new or existing policies.
“It’s important to recognize a key stakeholder within the organization to take on owning the responsibility for designing a risk assessment strategy and reporting back to senior management, the audit committee and cyber professionals in the company who will also weigh in on and control budget, internal or external resources and understanding applicable regulations,” said Steven Ursillo Jr., partner and leader of the cybersecurity advisory practice for Cherry Bekaert, a North Carolina-based public accounting firm that has an office in Louisville.
Policies to live by
As Johnson at Dean Dorton mentioned, every small business should create cyber policies to live by. The primary basic policies recommended by the Cyber Readiness Institute are as follows:
- Passwords and two-factor authentication
Choose passwords that are more than 11 characters and change your passwords on a schedule. Determine if you can use two-factor authentication for financial and other important software logins. Two-factor authentication (2FA) is an identity and access-management security method that requires two forms of identification to access resources and data.
“We always recommend to our clients that they put in place strong password policies and two-factor authentication. We recommend all applications have them and avoid password recycling policies. This is very critical,” said Sunny Dronawat, president of Samiteon, a certified woman-owned minority IT development business in Louisville that assists clients with AI guidance, software solutions and application development.
- Software updates
Require software updates for key systems on a schedule. No matter what system you use to run your small business, regular updates often come with security patches. When you receive a notification to update to the latest software version, it’s best to update right away.
- Employee training
Communication that entices employees to click and download malware is still a major concern in small businesses, and training to become cyber aware through tools like KnowBe4 is highly recommended. ConcealBrowse can also assist as AI-powered browser security that can mitigate issues for small businesses.
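The password and two-factor authentication policy above can be expressed as a login check that enforces both factors. The following is an added example written for this article, not code from the Cyber Readiness Institute or any of the firms quoted; it assumes a 90-day rotation schedule (the article only says "on a schedule"), a minimum of 12 characters (the article's "more than 11"), and a standard RFC 6238 time-based one-time password (TOTP) as the second factor. The user record, salt and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from datetime import date

MIN_PASSWORD_LENGTH = 12     # "more than 11 characters"
MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation schedule; the article does not give a number
TOTP_PERIOD = 30


def check_password_policy(password, last_changed, today=None):
    """Return a list of policy violations; an empty list means the password complies."""
    today = today or date.today()
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if (today - last_changed).days > MAX_PASSWORD_AGE_DAYS:
        problems.append("rotation overdue")
    return problems


def hash_password(password, salt):
    """Slow, salted hash so a stolen user database does not reveal passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(stored_hash, salt, password):
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def totp(secret_b32, timestep=None, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the 'something you have' factor from an authenticator app."""
    key = base64.b32decode(secret_b32, casefold=True)
    if timestep is None:
        timestep = int(time.time()) // TOTP_PERIOD
    digest = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, timestep=None, window=1):
    """Accept the current code and its immediate neighbours to tolerate small clock drift."""
    if timestep is None:
        timestep = int(time.time()) // TOTP_PERIOD
    return any(
        hmac.compare_digest(totp(secret_b32, timestep + delta), submitted)
        for delta in range(-window, window + 1)
    )


def make_record(password, last_changed, totp_secret_b32):
    """Constructed user record as a directory or application database might store it."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "last_changed": last_changed,
        "totp_secret": totp_secret_b32,
    }


def login(record, password, otp, timestep=None, today=None):
    """Two forms of identification are required: the password AND a valid one-time code.
    Both failures return the same 'denied' so an attacker cannot tell which factor was wrong."""
    if not verify_password(record["pw_hash"], record["salt"], password):
        return "denied"
    if not verify_totp(record["totp_secret"], otp, timestep):
        return "denied"
    if check_password_policy(password, record["last_changed"], today):
        return "ok-change-required"   # authenticated, but the policy says rotate now
    return "ok"


# Sample secret is the RFC 6238 test key ("12345678901234567890") in base32; constructed record.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_USER = make_record("correct horse battery", date(2024, 5, 1), SAMPLE_SECRET)

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET)
    print("current code:", code, "->", login(SAMPLE_USER, "correct horse battery", code))
```

The `timestep` and `today` parameters exist so the check can be exercised against fixed values; in production they default to the clock. Note that the policy check runs only after both factors succeed, so an overdue password is a prompt to rotate rather than a reason to reveal anything to an unauthenticated caller.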
Managing risk
Asset inventory is the foundation for risk management, said Lockstock’s Connor.
“Knowing what assets you have, their value and their vulnerabilities helps in assessing risks accurately,” said Connor.
To assist with that, asset inventory worksheets such as those from the Center for Internet Security can be helpful.
“An overlooked asset inventory is the business process inventory,” Connor noted. “Taking an inventory of a company’s business processes is the first step of a business impact analysis—a foundational risk assessment.”
Samiteon’s Dronawat said her company always recommends cybersecurity insurance to clients after an asset inventory is done.
“It is not that expensive,” she said. “And make sure you are PCI-compliant, and not storing processed credit cards.”
Free federal, state resources
There are numerous free resources available to learn more about how to deter a cyberattack. Information is available through CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau of Investigation) and even Kentucky’s Department of Homeland Security (KOHS) cyber group from the Kentucky Intelligence Fusion Center, put on by Phillip Ross, the cybersecurity analyst and PISCES manager for the office.
As a company, you can join the KOHS monthly meetings for valuable information regarding next cyber steps. (For an invitation, email Phillip.ross@ky.gov. Once on the Kentucky Department of Homeland Security homepage, find “Cybersecurity” and then go to the “Getting Started” tab.)
Ross has built easy-to-use guidance with key links for small businesses, including the CISA Cyber Essentials document for download. There are also links to report ransomware attacks and other internet crimes to the government.
You can also request no-cost cybersecurity training for your company, Ross said.
Since information-sharing is so important, joining the Multi-state Information Sharing and Analysis Center (MS-ISAC) can be particularly useful for your company’s technical team members. MS-ISAC provides many no-cost services including 24/7 cyber-incident response, training and webcasts, cybersecurity tools and assessments.
Incident response planning is best done before a breach and there are worksheets available from CISA to use for your company.
The value of getting expert guidance
Companies often look to outside firms, such as managed service providers (MSP) and managed security service providers (MSSP), to assist with cybersecurity software choices and implementation. Remember, you can outsource some of your cybersecurity responsibilities, but you cannot outsource your accountability for cybersecurity, as pointed out in the Cyber Readiness Institute’s Small Business Series Guidebooks regarding the use of outside firms.
“An MSSP or MSP with a cybersecurity team who holds cybersecurity certifications and has practical experience will have real-world explanations for the business owner or client technical team” regarding infrastructure design, implementation and a variety of managed services, said Russ Hensley of Hensley/Elam, a Lexington-based IT services company. “These insights and explanations explain the value of why the client needs the tools in the first place, but also are able to review the blind spots in the business that an owner or internal IT staff without practical experience will have had so far. It takes a team approach for these issues.”
Before choosing, the best practice is to internally create your own critical assets list. There is support for this through CISA, helping to categorize hardware and software elements. Get familiar with the vulnerability assessments offered by state CISA representatives at: cisa.gov/cyber-resource-hub. Companies can also request an assessment from CISA by email at FusionCenter@KY.gov.
Evaluations done by MSSPs and MSPs are based on understanding capabilities, threat prevention, vulnerability assessment, and 24/7 real-time protection. According to Connor, reasons to focus on an MSSP are access to specialized security expertise, scalability and flexibility, and regulatory compliance.
“Keeping up with the myriad of compliance requirements can be a complex and constantly changing challenge. MSSPs are well-versed in these requirements and can ensure that a business’s security practices meet or exceed necessary standards, helping to avoid legal or financial penalties,” he said.
Johnson from Dean Dorton said choosing both an MSP and an MSSP can be wise because they can work in tandem. Dean Dorton offers both in-house.
“Clients are often encumbered with other IT-related projects, so we are able to provide and implement various cyberdefense tools to help protect their networks, along with performing assessments, our cybersecurity scorecard, for common risks and exposures,” Johnson said.
“Before you invest in tools, make sure you understand your business risks and potential threats by investing in a quality cybersecurity threat assessment on your business,” said Advanced Business Solutions Director of Cybersecurity Wes Johnson. “Once you identify your risks, invest in the appropriate tools to mitigate. Tools are not magic bullets. You need well-trained people to respond to the incident and manage your cybersecurity toolset. Tools make managing an environment easier, but ultimately people must use them correctly.”
Businesses should look for solutions that address current threats, not those of the past, Johnson said.
“A great example of this is antivirus software,” he explained. “In the past, malware had defined names or programming ‘signatures,’ so the software of that era would search for those elements. Today, malicious software does not have a signature and often will use portions of the computer’s operating system to evade security software (live-off-the-land techniques), so modern solutions would be a ‘next-gen AV’ (next-generation antivirus) that looks for program behavior rather than scanning for signatures.”
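The contrast Johnson draws between signature scanning and behavior-based detection can be shown side by side. The following is an added example written for this article, not a product's detection engine or code from any firm quoted here; the "known-bad" hash, the process telemetry and the thresholds (five rewritten files within ten seconds, the lists of office applications and script hosts) are constructed, illustrative values.

```python
import hashlib
from collections import defaultdict

# Old-style approach: a database of hashes ("signatures") of known-malicious files.
# Constructed entry for illustration, not a real malware hash.
KNOWN_BAD_HASHES = {hashlib.sha256(b"EVIL-SAMPLE-v1").hexdigest()}


def signature_detect(file_bytes):
    """Signature scan: flags a file only if its exact bytes are already in the database."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


# Behavior-based approach: judge what a process does, regardless of what its bytes look like.
# These lists and thresholds are assumptions made for the example.
OFFICE_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe"}
MASS_WRITE_THRESHOLD = 5   # distinct user files rewritten by one process in one window
WINDOW_SECONDS = 10


def behavior_detect(events):
    """events: process telemetry as dicts with ts, pid, proc, parent, action, target.
    Returns a list of alert strings; an empty list means nothing looked suspicious."""
    alerts = []
    writes = defaultdict(list)   # pid -> [(ts, target), ...]
    for ev in events:
        # Rule 1: a document viewer launching a built-in scripting tool. The tool itself is a
        # legitimate part of the OS (living off the land), so only the parent/child pair is odd.
        if ev["action"] == "spawn" and ev["parent"] in OFFICE_APPS and ev["proc"] in SCRIPT_HOSTS:
            alerts.append(f"pid {ev['pid']}: {ev['parent']} launched {ev['proc']} (living off the land)")
        if ev["action"] == "write":
            writes[ev["pid"]].append((ev["ts"], ev["target"]))
    # Rule 2: one process rewriting many distinct files in a short burst (ransomware-like behavior).
    for pid, items in writes.items():
        items.sort()
        for i, (start_ts, _) in enumerate(items):
            in_window = {t for ts, t in items[i:] if ts - start_ts <= WINDOW_SECONDS}
            if len(in_window) >= MASS_WRITE_THRESHOLD:
                alerts.append(f"pid {pid}: rewrote {len(in_window)} files in {WINDOW_SECONDS}s (ransomware-like)")
                break
    return alerts


# Constructed telemetry: pid 41 is a script host spawned from a document and then rewrites six
# files; pid 77 is an ordinary shell started from the desktop that edits one file.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 41, "proc": "powershell.exe", "parent": "winword.exe", "action": "spawn", "target": ""},
] + [
    {"ts": 102 + i, "pid": 41, "proc": "powershell.exe", "parent": "winword.exe",
     "action": "write", "target": f"C:\\Users\\demo\\Documents\\file{i}.docx.locked"}
    for i in range(6)
] + [
    {"ts": 300, "pid": 77, "proc": "cmd.exe", "parent": "explorer.exe", "action": "spawn", "target": ""},
    {"ts": 301, "pid": 77, "proc": "cmd.exe", "parent": "explorer.exe", "action": "write",
     "target": "C:\\Users\\demo\\notes.txt"},
]

if __name__ == "__main__":
    # The signature catches the exact sample but not a one-byte variant of it...
    print("signature, original :", signature_detect(b"EVIL-SAMPLE-v1"))
    print("signature, variant  :", signature_detect(b"EVIL-SAMPLE-v2"))
    # ...while the behavior rules fire on what the process did, whatever its bytes were.
    for alert in behavior_detect(SAMPLE_EVENTS):
        print("behavior:", alert)
```

The point of the comparison is the variant case: any change to the file defeats the hash lookup, whereas the behavioral rules never look at the file at all. Real next-generation products use far richer telemetry and models, but the division of labor is the same.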
Keeping hardware refreshed to modern standards is important since hardware gets less support as it ages. “Enabling auto updates in third-party apps (i.e. Google Chrome and Adobe Reader) is also a good step. Vulnerability management can get a bit overkill at times, and that is where we need to understand risk,” Johnson added.
Team training and security certifications
Team training for the various levels of your company can be technical or nontechnical in nature as well as live or virtual.
“There are a number of cyber certifications and they get specialized,” said Cherry Bekaert’s Ursillo. “The well-known certifications are the CISSP certification, ISACA’s Certified Information Security Manager (CISM) certification, EC-Council’s certified ethical hacker training, CompTIA’s Security+, as well as cloud security-specific training under ISC2’s CCSP.”
ISC2’s Certified Information Systems Security Professional (CISSP) ranks among the most sought-after credentials in the industry. To qualify to take the CISSP exam, five or more years of cumulative work experience in at least two of eight cybersecurity domains is required. These include security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security.
New tools continue to appear, and no-fee options exist for those who need them.
Colin Glover, Kentucky (Region IV) cybersecurity coordinator for the Cybersecurity and Infrastructure Security Agency, suggests a 2024 training tool called Backdoors & Breaches, an incident response card game from Black Hills Information Security and Active Countermeasures.
Cybersecurity AI threats
Critical infrastructure has long been a target of Chinese hackers, and this will continue to be a problem as bad actors transition to generative AI tools. Expected targets in late 2024 are physical industrial systems such as those that maintain pumps and temperature.
“As companies begin to use AI, they will need to be looking at data privacy law and whether the AI tool being developed and its data sets are segregated with proper boundaries in an open or closed model,” Ursillo said.
Making sure the AI model is not poisoned with the wrong data and that it is cyber-protected and secured according to internal guidelines is critical, he added. Challenges include human oversight factors, supervision for data quality and fairness, avoiding bias in new AI models, accountability, and ethical use transparency.