“We’ve had to cope with a world that’s broken down from classic perimeter-based security,” explains Evan Schwartz, chief enterprise architect at AMCS Group, at the ISRI2022 session Cybersecurity: Pitfalls, Risks, and Solutions on Thursday, March 24. “Remote work has brought in a litany of headless communication and data. We’re in a landscape that has evolved rapidly over the last two years and traditional models have to change with them.” Schwartz was joined by Tony Sabaj, head of engineering/office of the CTO, Check Point, and Megan Griffanti, commercial insurance account manager and consultant at AHT Insurance. The session was moderated by Tanishia Martin, assistant vice president of digital strategy and systems at ISRI.
As his company often has a front row seat to the recovery process after these incidents, Schwartz notes there are reputation costs to a cyberattack. “Most of our commodity-based industries are built on reputation. So, much of the job and daily business are done with a handshake because we trust our suppliers, vendors, and customers,” he says.
To minimize the damage, he recommends recycling companies engage with a partner or company whose core competency is cybersecurity. Schwartz described a cyberattack where a compromised customer emailed a customer service representative (CSR) with a question about an invoice. “The CSR clicked on the invoice, pulled it up, and that was it,” he says. “The customer’s [business] was down for 35 days [because of the attack]. What would be the impact to your business if it was offline for 35 days?”
Once the CSR clicked the link, the entire network was attacked. By the time the company discovered what had happened, the data hit every machine connected to the network. “[The company] had a strong disaster recovery (DR) plan and off-property backups but none of it worked. The DR plan hadn’t been tested because it was costly and might interrupt daily business,” Schwartz says. “[The company] now runs DR plans every three months because the cost of not testing it was greater.”
Since a company can’t completely protect itself from an attack, Schwartz says it’s important to operate from the mindset of what to do when, rather than if, there’s an attack. “Purpose-built integrations across APIs (application programming interfaces) that are only built for the thing they do limit the amount of damage. Moving to serverless architecture and moving to the cloud are powerful first steps,” he says.
He recommends training employees on cybersecurity and potential threats so they will be better able to spot potential malicious emails and attachments. “Continuous training and continuous awareness that we are being targeted and are vulnerable right now,” he says. “Do your DR tests and train and refresh your employees’ awareness.”
Many attacks begin with a simple phishing email, Sabaj notes. “Between 75-90 of all attacks start with malicious or phishing emails. The way you protect against those attacks is through cybersecurity awareness training.” He echoes Schwartz’s sentiments that employees are a company’s first line of defense against cyberattacks. Developing awareness is more than simply blocking email addresses of bad actors; it’s also about the email attachments. “Lots of malicious coding can be embedded into a PDF or Excel file,” he says. “Opening the file introduces the attacker to your company’s environment.”
To combat malicious code in attachments, Sabaj discussed a technology Check Point provides called content disarm and reconstruction (CDR), also known as threat extraction. In a compromised file, only a small fraction of the files or objects in the document are potentially malicious: the executable content embedded in the document. CDR removes the executable elements from the document and reconstructs it using the remaining pieces. “It removes executable content whether or not it’s detected as malicious,” Sabaj explains. “If something starts to look like ransomware, the software takes micro back-ups of anything the file is touching so if it is malicious the software can replace everything that file touched.”
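The strip-and-rebuild step described above, narrowed to one case (VBA macros in a Word .docm package), as an added sketch. It is not Check Point's implementation; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = ("application/vnd.openxmlformats-officedocument."
              "wordprocessingml.document.main+xml")

def is_active(ref: str) -> bool:
    """True for package parts that hold VBA macro code (policy assumed here)."""
    return any(m in ref.lower() for m in ("vbaproject.bin", "vbadata.xml"))

def scrub_xml(body: bytes) -> bytes:
    """Remove references to macro parts from content-type / relationship XML."""
    root = ET.fromstring(body)
    for el in list(root):
        ref = el.get("PartName") or el.get("Target") or ""
        if is_active(ref) or "vbaProject" in el.get("ContentType", ""):
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)  # now a macro-free document
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def disarm(data: bytes):
    """Rebuild the package from its passive parts; return (clean_bytes, removed)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if is_active(name):
                removed.append(name)  # dropped without any malware verdict
                continue
            body = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                body = scrub_xml(body)
            dst.writestr(name, body)
    return out.getvalue(), removed

def build_sample() -> bytes:
    """Constructed macro-enabled package; the .bin part is placeholder bytes."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/><Override '
        f'PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>',
        "word/document.xml": "<document>Invoice 1001</document>",
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/>'
        "</Relationships>",
        "word/vbaProject.bin": "PLACEHOLDER-NOT-REAL-VBA",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

The decision to drop a part depends only on what kind of part it is, which is the property Sabaj's quote describes: no detection verdict is involved, and the document body is carried over unchanged.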
Griffanti discussed how many bad actors have shifted their motives from targeting healthcare and technology industries to any industry with an exploitable path. “Industrials are the second most targeted industry for cyberattacks,” she says. “Increasing dependence on the internet and email as communication further opens vulnerability to cyberattacks.” She seconds Schwartz’s comment about being prepared for when, not if, there’s a cybersecurity attack.
“I remind my clients that every business carries property insurance, but you have less than a 1% chance of a business burning down,” she says. “However, less than 50% of companies carry cyber liability insurance, but those incidents have a 60% chance of occurring.”
She noted that attackers typically gain access to employees’ email addresses through lost, stolen, or easily guessed passwords. “If you think about it, there’s a lot of personally identifiable information you can find in emails and financial confidential information.”
If there’s a breach and a bad actor gains control of an employee’s email, typically the victim is responsible for notifying whoever may be compromised if their information is stolen. It’s a difficult task to undertake and usually companies hire a forensic firm to do the job. The firm downloads the data and determines which vendors and customers had their data compromised. “It’s a very expensive process for a simple email getting compromised,” she says.
Griffanti recommends companies adopt multi-factor authentication. “When you log in to your system, you’ll be asked for a password as well as a [time-based] PIN [number],” she explains. “Multi-factor authentication helps make you less of a target.” She also discussed the “3-2-1 Backup Rule,” which is shorthand for a common approach to keeping data secure. The rule is to keep at least three copies of data, store two backup copies on different storage media, and keep one copy offsite. She recommended companies implement a two-step verification process for wire transfers, especially for payments over $25,000. She also suggested companies adopt strong password management programs to help their employees develop strong, unique passwords.
Photo courtesy of ISRI.