Attacks on your systems may be inevitable, but preparing for cyber risk ahead of time has its own rewards in the form of fewer headaches, according to a session at the 2019 ASAE Annual Meeting.
When a cyberattack happens, the problem can take a number of distinct forms and affect a variety of players.
It was a point emphasized in a session on cyber risk at the 2019 ASAE Annual Meeting & Exposition on Sunday, in which three of those players—an IT executive, an insurance official, and a lawyer—laid out potential areas for impact.
“The thing about cybersecurity and incidents is, it’s equal opportunity,” explained S. Keith Moulsdale, who co-chairs the cybersecurity, data management, and privacy practice at Whiteford, Taylor & Preston, LLP.
It may affect everyone, but what matters more than anything is your organization’s reaction to and handling of such situations. While there are specific attack vectors to watch out for, much of the problem comes down to preparation and risk management.
Any gaps—whether in the form of poor technical hygiene, weak vendor relations, contractual gaps that haven’t been considered, or even a lack of backups—hurt a lot more once an attack happens. A big reason for this is that such attacks often aren’t immediately detected, sometimes not surfacing until months after they happen, yet organizations are expected to respond immediately—especially under regulations such as GDPR, as well as a New York Department of Financial Services requirement that organizations report breaches within 72 hours of their discovery.
“So when you put it into perspective that sometimes it takes months to discover, and then you have a scenario where, ‘Oh my gosh, something’s happened to our system,’” said Renee Stock, an account executive with AHT Insurance, “getting the appropriate people like IT, insurance, and legal involved very, very quickly is pretty important.”
And with ever-increasing concerns about cybersecurity and ransomware keeping officials on their toes (Hear about what’s happening in Baltimore recently?), it’s better to get ahead of a problem through a strong approach to the basics, because a strong discipline will help make problems easier to tackle and less expensive to fix.
“You have to be prepared, you have to train your staff, you have to get into the point of understanding,” said Ray Arambula, IT operations manager for the American Society of Radiologic Technologists. “This is a part of everyone’s job to do in their organization.”
Some other relevant points from the session:
Often, the biggest problems with security are cultural. While specific exploits are frequently brought up when discussing cybersecurity issues, a poorly disciplined culture often makes those problems worse—something Moulsdale has cited in the past. “I surprised a lot of people by saying that the number-one thing to do in your organization to prepare for a data-security incident is change your organization’s culture,” Moulsdale said. “And what I mean by that is … if the executives aren’t leading on data security, then you will fail.” He added that it was important to look for the “best way to fail”: accepting that problems are likely to happen and planning to minimize their impact.
You need a plan—not a savior. While the instinct among many organizations might be to reach out to someone on the outside in the case of a data breach, Stock warned that many of the problems require preparation, and there’s only so much an outside vendor such as an insurer can do. “I have a lot of clients that I’ll sit down and I’ll say, ‘OK, you have a breach at four o’clock today, what do you do?’ I get the ‘Oh my gosh,’ and I love when they say, ‘Well, I’m going to call you,’” Stock said. “I can’t solve all of your problems, but I can get your insurance kicked off.” She says that it’s important to engage third-party vendors before a breach takes place and have your ducks in a row so you know who to notify and who to ask for help.
The ground is always changing. One thing made clear by the speakers’ list of suggestions is that, even if you have a process set in stone, the ground beneath it won’t stay stable for long—which means your technical stack and regulatory approach must keep adapting. A good example of this came via a question from an audience member who asked whether Macs were safer than Windows from a security standpoint. The answer? Not anymore, and the reason is a change in focus on the part of the attackers. “They’re trying to exploit human flaws; it’s not so much technical flaws anymore,” Arambula said.
Just as you’re always changing, so are the people who want to steal your association’s data or money. So keep it safe.