Cybersecurity Readiness: Preparing for the Inevitable
Cybersecurity concerns continue to pose a very real and serious threat to enterprises across every industry sector. And with so many of today’s physical security solutions being IP-based and residing on a company’s IT network, they have become more susceptible to cyber-attacks. Technology, while it has ushered in many new and valuable capabilities, has also opened a backdoor for the silent threat, the one we cannot see or hear. Our interconnected world has become so advanced that it is hard for us to keep up with the dangers within it.
The repercussions of a cyber-attack are far reaching and can include data breaches, economic loss, reputational damage, and operational disruptions. And although it is impossible to eliminate the risk of cyber-attacks, organizations can significantly enhance their cybersecurity posture by adopting a proactive approach to preparedness and response. That is precisely why we introduced the Cybersecurity Readiness: Preparing for the Inevitable session at ESX 2024.
The Dreaded Ransom Note
In this session, Dee Ann Harn, General Manager at RFI Enterprises, spoke about her experience with cybersecurity failures and how she dealt with her very own ransom note back in 2022, which arrived shortly after the passing of RFI President Brad Wilson. After this sad loss, the company was working hard to adjust and keep business going with its two hundred employees and five offices. Dee Ann expected there to be bumps in the road during such a challenging time, but she never expected what was to come next.
After a long weekend, Dee Ann could not get into her email. She thought that was odd and knew something was wrong. Her suspicions were soon confirmed when the Seattle office started sending out emails and messages about a note that had popped up on their computers. Dee Ann’s husband, who had worked for the company as IT Director for 34 years, went white.
As she pointed out, “He had built our network; it was always something that we knew could happen. It was kind of, you know, not if but when. Hackers became more advanced during COVID. They really refined their skills and were able to get deeper into our system very quickly, and that is where we got notice that we had been hit.”
The hackers had accessed and encrypted their HR, financial, and company backup data. The amount demanded: over a million dollars. Dee Ann promptly contacted her cyber insurance team and they immediately got to work, but one thing Dee Ann knew was that she was going to have to pay, because the hackers had gotten into the backups.
The Response
They quickly jumped into action with their response team to start negotiating back and forth with the hackers. After receiving proof that the hackers did indeed have the records they claimed to have, the response team kept communication open, maintaining as much contact as possible to inform their risk assessment. It was a long and hard battle for the company, and especially for Dee Ann, who was juggling running the company while trying to keep everything stable during the cyberattack.
The hacker group was found to be based in Russia. To complicate things even more, this was around the time Russia invaded Ukraine. Dee Ann became concerned that the fighting between the two countries would somehow lead to the loss of their decryption key, and with it all their information would be wiped. So she got together with her response team and produced an agreement for payment. They sent it out shortly after and received the decryption key a few hours later.
Legalities During a Cyberattack
The reason we brought this educational session to ESX is to help prepare member companies as much as possible, so they know the risks and the steps to take to avoid a cybersecurity breach.
The trick is to know who should be involved, and when, if a situation like this occurs. Your gut feeling might be to call a lawyer right off the bat, and you would be correct. A lawyer can function as a trusted and confidential advisor in these situations and can assist not only with legal obligations but with the associated risks as well. Legal advice could also help in a situation like Dee Ann’s, since her customers were huge Fortune 100 companies. So, the question is, how do you best approach that conversation with your customers during such a breach?
As Tim Pastore explained, “That’s a complicated question because it depends upon the type of data that is at risk. For example, if it was data such as medical information, there may be a higher obligation to disclose it if you were a public company. And not just to your customers, but to the public at large. And if you are working in critical infrastructure, you may have a higher obligation. So, the nature of the data that is at risk does inform the degree to which you make these disclosures and notifications.”
Disclosures and notifications can also be dictated by other unforeseen circumstances, such as your ability to perform for your clients and customers. If an incident like this prevents you from providing the service you offer clients, disclosure at an early stage could be the best option. But it is important to be careful, because disclosure can undermine a client’s faith in your business, your leadership capabilities, and your ability to perform in general. That is all the more reason to have a legal advisor in your corner.
Cyber Insurance, do you need it?
The answer is absolutely you do! No matter the size or age of your company, having a cyber insurance policy is extremely important. The stats that Crystal Jacobs of Security America reported clearly show why: “Ninety-three percent of all cyber events happen to small to mid-size enterprises. Sixty-six percent of those events are ransomware attacks.”
Although you can choose not to have insurance and not to pay the ransom, that also means rebuilding your business’s systems from scratch, which, even on a small scale, could take years. Insurance, on the other hand, is beneficial because of the resources it provides, such as the response team, so you can continue operating your business while managing a cyber-attack.
The reality is that any good plan starts well before the event occurs. You need to have strong legal and insurance representation in place ahead of time and to communicate with those people throughout the year. That way, when a catastrophe occurs, you are as ready for it as you can be.
The way that Dee Ann managed such a high stress situation is beyond commendable. So too is her willingness to share her experience so we can better protect ourselves, equipped with the knowledge of our options and the actions to take if faced with a cyber-attack.
As Kirk MacDowell of MacGuard Security Group notes, “This was the scariest and most intense session in which I have ever participated. Cybersecurity is no joke. Dee Ann Harn received a ransom note some years back and had to pay a ransom of over a million dollars, while at the same time running her company and managing the crisis. I was truly in awe of her leadership and courage during the event and her willingness to share with the audience afterwards.”
Many thanks also to session speakers Tim Pastore and Crystal Jacobs for sharing their knowledge and expertise on the insurance and legal side of these issues.