On July 29, 2021, the Salt Lake Chamber held a webinar to discuss Utah House Bill 80, Cyberattacks, and how to “Get Your Power Back”.
Members of the panel consisted of cybersecurity experts such as:
In the webinar, the panel of experts agreed on and emphasized the true legitimate concern regarding the landscape of ransomware and cyber breaches. There is a material difference in the experience of companies within the cyber threat environment in 2021 compared to just a short time ago.
Many businesses now run all their critical assets in digital form. The representations of their intellectual property, their physical inventory, their customer transactions, all of it is inside and living through computers. There is a lot more vulnerability and distribution of touch points for a business because of social changes with pandemic restrictions and remote work.
The biggest change to this landscape is the actual amount of money to be made by the adversary organizations who participate in cyberattacks. There is a very large market to attack companies and use sophisticated, human operated attack methods that extract ransom payments.
These attackers will lock people out of their data and threaten demands of ransom payments for decryption keys or threaten extortion, forcing payment in order to prevent the release of sensitive data to public internet sites, competitors, the Dark Web, and other reputation damaging locations.
In the news and media, you see major ransomware attacks on large organizations like the pipeline and the meat processing company, but what you don’t see are the thousands of other companies that are attacked on a regular basis. Business professionals are contemplating whether they are a target or not and often think they are not. They feel they don’t have anything cyber criminals would want or need.
In reality, if you have a bank account, conduct business on computers, click on emails, etc., you are a target. These bad actors are moving downstream. They may get one huge payday with a large enterprise, but they find smaller and medium sized businesses to be easy targets because these businesses are not doing enough to protect themselves. Cyberattacks and ransomware attacks on small to mid-sized businesses are real and they are happening.
In essence, hackers are entrepreneurs, they are legit businesses. Yes, there may be that one 14-year-old kid in his parent’s basement that is buying ransomware as a service (RaaS), but there are also very sophisticated organizations with hundreds of employees involved in cybercrime now who evolve with the market.
There is a heightened awareness around the threat of ransomware attacks and other cyberattacks. Organizations are getting more judicious about making sure they have good and multiple tiers of backups. A lot of organizations now have the ability to recover in a reasonably quick order from a ransomware incident without having to pay the ransom.
However, cybercriminals are noticing that there is a potential danger of their revenue streams drying up. They are not only encrypting the data in your environment, but they are now exfiltrating your data which means they are stealing and taking that data off-site, copying it to some server, some proxy, or somewhere in the world. Even if you are able to recover from the ransomware attack, utilizing your backups or other disaster recovery methods, cybercriminals are continuing to hold you hostage and threaten to release your sensitive data if you do not pay the ransom and they will heighten the quantity of the ransom they are asking for.
Statistics show ransomware attacks, or other malicious events, occur every 11 seconds. There’s a long list of best practices every business should follow. The first step is to acknowledge the risk. Then do a gap assessment, a risk assessment. Answer these questions and run through the list:
Studies have shown that 90-95% of all cyberattacks involve a human element. In today’s threat landscape, your primary risk is you and your own people. The executives and leaders of organizations are the ones falling prey to attacks such as phishing and spear phishing campaigns. It is important to educate yourself and your team about the risks, how to spot them, and how to avoid them.
Utah just passed House Bill 80, and in its simplest form, it centers around exposure to liability. The risk of extorting sensitive data could expose you to potential lawsuits. Not only will you have restoration expenses, but you could face potential litigation issues as well. This bill is known as the Safe Harbor or affirmative defense law.
This new law recognizes that cybersecurity can impact your business. Your business most likely must adhere to standards to be compliant, depending on the nature of your data. If you are adhering to specific standards, assessing your risks, and have documented what you have done to take steps to safeguard that data, then your business will fall inside that “Safe Harbor”. So, if your business faces litigation, your legal representation will be able to show how you met those standards and that litigation should be dismissed.
Utah businesses can start entering the “Safe Harbor” now by putting together a Written Incident Response Plan (WISP). Look at your technical risks, your processes, and your people. Put together a plan of what to do in the event of a cyberattack. If an attack occurs, have the plan accessible to refer to immediately.
The first item on the plan should be to call your cyber attorney, or breach coach, and make sure you have one on retainer or engaged ahead of time. Next, you will need to contact your IT services partner, like Nexus IT consultants, and then your digital storage facility, such as Perpetual Storage, Inc. Consult with these companies first to put together a comprehensive step-by-step plan for recovery.
Once you have a WISP in place, run a cyber incident exercise involving your entire staff. Make sure your staff is educated on what should be done, what not to say on social media or publicly, and what steps will be taken.
Studies have shown that businesses who do have a business continuity plan, using WISP and an incident response plan, to continue operations in the event of a cyberattack, their time to recovery is generally a tenth of the time of businesses who are not prepared. When you are prepared, you can recover within 24 to 48 hours. Trimming downtime from 2 to 4 weeks to 24 to 48 hours can mean millions of dollars for any business.
Part of an incident response plan requires you to notify those entities that had data affected in your breach. This is why you need a cyber attorney on your side, a breach coach. A cyber attorney can assess the breach to see what data was breached and may be able to legally reduce the notification requirement so that the collateral damage to your public image will be significantly reduced, thereby reducing the financial impact to your organization.
One major competitive advantage that will greatly impact your bottom line is an opportunity to position yourself in an entirely different category in your market. By having a WISP and an incident response plan in place, you can go to potential new clients, more significant larger revenue opportunities, and show them your plans. You can present your compliance certifications such as SOC 2 and CMMC, along with your WISP to attest to your robust cybersecurity plans.
With your attestation, you can make more profit from that revenue because you are a responsible steward of data. You can utilize it in your marketing strategies. You can charge a higher premium for your products and services and therefore you can increase your margins, allowing you to invest more heavily into your business to develop your products and services.
Utah’s House Bill 80, the cybersecurity affirmative defense act, puts pressure on businesses to increase cybersecurity measures and processes to comply with standards, keep sensitive data safe and secure from cyberattacks, to keep businesses safe from litigation, and offers businesses a unique position in the market to increase revenue.
Nexus IT Consultants offer many IT services and products. We will deliver a business technology security solution that we tailor to deal with the unique vulnerabilities of your IT. Protect your employees, your processes, and your profitability with our network security solutions. We can help make sure you have all the right plans in place. Let’s get started today. Call us at (801) 839-7006 or (435) 200-5926. You can also send an email over to email@example.com.