ARMA’s InfoCon 2022 in Nashville was a welcome return to in-person events for our team. For us, there is no substitute for meeting in person. There was much to take in, but one session with former White House CIO Theresa Payton brought the conference’s key themes to life. She opened her talk with her belief that Information Governance is now key to business continuity. That made everyone in the room sit up a little straighter as they realized IG is as critical as Information Security.
Theresa shared stories from her tenure as White House CIO to illustrate her key lessons learned for effectively aligning technology, policy, and people. Far from being far-fetched scenarios, the challenges she encountered at the White House turned out to be universal.
Why a Backup Is No Longer Enough
Backups are routinely compromised during a ransomware attack. Archiving platforms provide an under-utilized data protection and data access strategy. Cloud-based archiving provides the extra security of an airgap, geodiversity, and comprehensive encryption. Archived data is readily accessible to support continued operations during an outage.
Your executive leadership may think that the response to a ransom attack is to just quickly restore from a backup. They don’t understand that backups are almost always compromised during the attack. (In fact, some criminals will wait for an extended period after gaining access to make restoration from an old copy even more painful than paying them.)
You may have a backup copy in the cloud, but few compute the time required to restore an entire network infrastructure’s applications, settings, and data. Even over large data pipes, it could take weeks to get everything downloaded. Hopefully the backup isn’t corrupted once it downloads, but industry statistics show that over 50% of backups will fail to restore. Then, restoring end user computers takes even more time, if they are backed up at all. Each device must be rebuilt one at a time. This is time consuming, expensive, and frustrating for all involved.
Another surprising slowdown in the process is your cyber insurance company. Their first duty is not to restore your operations, but to determine the source of the attack. If your organization’s cyber security tools don’t include a Security Information & Event Management (SIEM) tool to quickly pinpoint the source of an attack, you will be locked out of your network until forensic experts find answers. In short, the insurance company is looking to see if this is a covered event. Depending on their findings, you may end up with a canceled policy and no coverage for recovery expenses. Don’t underestimate your recovery expenses. Besides lost revenue, costs quickly add up for staff overtime, outside technical support, legal fees, and possibly fees from the insurance company’s experts.
Fixing the Universal Weakest Link
The weakest link in your security plan is employee behavior. It’s why the most effective and commonly used cyberattacks come from social engineering. That will never stop. What makes the difference is ensuring your people, technology and processes work together, consistently.
Theresa shared how walking around to departments showed her how and why people were not following procedures. It was not because they were bad employees. It was due to a lack of training, cumbersome procedures, and a distrust of the technology. In her example, because people were unsure of the archiving technology, they also printed out copies, sorted, filed, and boxed a lot of paper. This created unnecessary expense and waste. By engaging in person, she was able to uncover procedures and systems that were flawed. Streamlining them and providing training closed the human security gaps. There is no organization that can’t benefit from regular security best practice briefings.
Data is Now (Massively) Mobile
The volume of digital communication happening every minute is so large as to be mind-numbing. (But for fun, check out Domo’s “Data Never Sleeps” Infographic.) Along with a snapshot of what is happening every minute of every day of the year, you’ll see that 92% of all digital data originated from a mobile device. Smartphones, tablets, and wearables now constitute almost all digital activity. The reality is that your data is mobile, and likely accessed, if not also generated, from a device you may not own or control.
Bring Your Own Device (BYOD) policies were already thriving pre-pandemic, and during the pandemic, security often had to cede to the demands of that moment. Once the Pandora’s box opened, BYOD became the standard in many organizations. Data retention and protection strategies must address these realities.
Be Choosy When Sharing Your Cellphone Number
Your cellphone number is something you likely don’t think much about. But you need to be choosy about who you share that number with. Here’s why it matters.
- People routinely give out their cellphone number.
- That information quickly enters public domain as part of their digital footprint.
- Hackers use all this freely available data to engineer phishing attacks. If they have the target’s cell phone number, that poses both a personal and a digital security threat.
- Free tools exist to track the location of a cellphone and its owner, and the cellphone is typically used for Multi-Factor Authentication. With the right tools and some patience, cybercriminals can inject themselves into an MFA process.
Top 10 Security Best Practice Takeaways:
- Walk around. Get to know how your users are using your systems. Ask for input about what concerns they have with data retention and security procedures. Be open to harsh feedback.
- Think like a hacker. Look for the design flaws in your systems and procedures that can be exploited.
- Inventory, assess, and check your data access policies. Design access so that it is compartmentalized, limiting what a cybercriminal can reach if they do breach an account.
- For sensitive systems access such as bank accounts, set up separate email aliases used only for that purpose. (Don’t make it easy for a hacker to get half of the login to bank accounts from a LinkedIn profile or business card.)
- Implement Multi-Factor Authentication across your organization. It will reduce the success rate of a cyber-attacker by over 90%. MFA has a better experience for the user than strong passwords or passphrases, and thus has better compliance rates.
- Measure and track failed logins into your systems. That is often the first alert that a cybercriminal is experimenting both with password options and to see if anyone is watching.
- Have a failover plan for every system you can, including network infrastructure and internet connectivity. (If you don’t want to fund your own data center but need a failover infrastructure, our FLxDR service is a great option.)
- Start vetting your application vendors’ code for documented Q/A validation. Bonus points if it has been tested by ethical hackers or penetration tests.
- Start being more careful with cellphone numbers that are tied to MFA systems. Share your business line whenever possible.
- Provide regular training to your team. Make sure the process is user friendly and show them that the technology works, so that they can trust the systems. Even better, hold an annual walkthrough of a cyberattack. This ensures a cross-department engagement plan is updated and in place, and that new employees on the team have a clear understanding of what to do.
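The failed-login tracking in the list above is simple to operationalize. The following Python example is added here and is not code from the original post or from Donoma; it parses constructed sample auth-log lines and flags three patterns a defender watches for: repeated failures on one account from one source, one source failing across many accounts (password spraying), and a success on an account that just had a run of failures. The log format, thresholds, and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in a syslog-like format (not a real capture).
SAMPLE_LOG = """\
2022-10-20T08:01:02 auth sshd: Failed password for alice from 203.0.113.7
2022-10-20T08:01:05 auth sshd: Failed password for alice from 203.0.113.7
2022-10-20T08:01:09 auth sshd: Failed password for alice from 203.0.113.7
2022-10-20T08:01:12 auth sshd: Failed password for alice from 203.0.113.7
2022-10-20T08:01:15 auth sshd: Failed password for alice from 203.0.113.7
2022-10-20T08:01:20 auth sshd: Accepted password for alice from 203.0.113.7
2022-10-20T08:02:00 auth sshd: Failed password for bob from 198.51.100.9
2022-10-20T08:02:03 auth sshd: Failed password for carol from 198.51.100.9
2022-10-20T08:02:06 auth sshd: Failed password for dave from 198.51.100.9
2022-10-20T08:02:09 auth sshd: Failed password for erin from 198.51.100.9
2022-10-20T08:03:00 auth sshd: Failed password for frank from 192.0.2.44
2022-10-20T08:03:30 auth sshd: Accepted password for frank from 192.0.2.44
"""

# Assumed line layout: "<timestamp> <host> sshd: <Failed|Accepted> password for <user> from <source>"
LINE_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, source) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def failed_login_alerts(log_text, brute_threshold=5, spray_threshold=4, success_after=3):
    """Return (alert_type, source, detail) tuples for suspicious login patterns."""
    fails = defaultdict(int)             # (source, user) -> failure count so far
    users_per_source = defaultdict(set)  # source -> accounts that failed from it
    alerts = []
    for _ts, outcome, user, src in parse(log_text):
        if outcome == "Failed":
            fails[(src, user)] += 1
            users_per_source[src].add(user)
        elif fails[(src, user)] >= success_after:
            # A success right after a run of failures may be a guessed password.
            alerts.append(("success_after_failures", src, user))
    for (src, user), n in fails.items():
        if n >= brute_threshold:
            alerts.append(("brute_force", src, user))
    for src, users in users_per_source.items():
        if len(users) >= spray_threshold:  # one source, many accounts = spraying
            alerts.append(("spray", src, ",".join(sorted(users))))
    return alerts
```

A single user mistyping a password (frank above) falls below every threshold and produces no alert, which is the noise level you want before wiring this into a SIEM rule.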
Donoma has been delivering trusted communications archiving solutions for over 10 years. We’ve expanded our data protection suite to now offer Backup-as-a-Service and DR-as-a-Service, along with a range of SECOPS threat monitoring and response services.
To learn more about refining your Business Continuity plan, access our free webinar “Cyber Incident Readiness: How to Build a Plan to Survive”.