“Imagine walking into your office Monday morning and every computer has a ransom note on it,” challenges Sean Connery, chief security officer, Orbis Solutions. “All your data has been encrypted so that you cannot process it. The bad actors most likely have been in your system for days, if not months, and deleted all your backups. [They] know how much your insurance will pay out.”
That’s exactly what just happened to two of Nevada’s largest entertainment and gaming companies. As of press time, it was announced Caesars had paid out millions of dollars to hackers, and MGM Resorts is dealing with a massive cybersecurity breach that will cost it millions in addition to lost revenue and customer trust.
Without an incident response plan, it can take a business an average of 71 days to recover. A business with a plan might recover in 20 days. That’s a difference of 51 days during which business is compromised, if not suspended. “What’s your loss of revenue?” asked Connery.
And a cyber incident doesn’t end with the demand for money from the attackers, or with the lost revenue while the business struggles to perform during and after the attack. There are also regulatory fees, new Securities and Exchange Commission (SEC) reporting regulations, Federal Trade Commission (FTC) standards, notification of government entities and notification of customers whose information was compromised.
For businesses without a plan, recovery will take time. Backups may have been destroyed. Systems need to be rebuilt. “If that happens inside your organization, you must have options,” said Connery. “You have to think through what the next steps are going to be.”
One option is to pay the hackers to get data back. Another is to use an old copy of data that might be six months out of date. And the whole time the business is losing customer faith, losing time, losing revenue.
When it comes to cyberattacks, it isn’t if a business is at risk. It is. It isn’t if there’s an attack. It’s when.
Common Threats and Vulnerabilities
“Cyberattacks can take various forms,” explained Mark Doering, chief information security officer, Link Technologies. “There’s phishing and malware and denial of service attacks, which is preventing access to systems, social engineering which is the phone calls and texts you get soliciting a response and pretending to be someone else.”
There are also structured query language (SQL) injections, which attack data-driven applications by placing malicious SQL statements into entry fields so that they are executed as part of the application’s own predefined SQL commands, allowing attackers to spoof identity and tamper with data; zero-day attacks that exploit previously unknown vulnerabilities in systems; and nation-state cyberattacks from foreign entities.
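To make the SQL injection description concrete, here is an added example (not code from the article or from any of the companies quoted) that contrasts a query built by string concatenation with a parameterized one. It runs against an in-memory SQLite database with constructed sample accounts; the table layout, account names and function names are assumptions made for the illustration.

```python
"""Added example (not from the article): how a SQL injection flaw arises and
how parameterized queries close it. Uses an in-memory SQLite database with
constructed sample data; the table, users and function names are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "staff")],
    )
    return conn


def lookup_vulnerable(conn, username: str, password_hash: str):
    """Builds the statement by string concatenation, so user input becomes
    part of the SQL grammar instead of data. This is the defect the article
    describes, kept here deliberately to show it."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str, password_hash: str):
    """Parameterized form: the driver passes the values separately from the
    statement, so quotes and keywords in the input are only ever data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


def demo():
    """Run the legitimate lookup and the crafted input through both forms."""
    conn = make_db()
    # A legitimate lookup works the same either way.
    good = lookup_safe(conn, "alice", "hash-alice")
    # Input that closes the quoted string and appends an always-true condition:
    # in the concatenated query, the WHERE clause no longer requires the hash.
    crafted = "' OR '1'='1"
    bypassed = lookup_vulnerable(conn, "alice", crafted)
    blocked = lookup_safe(conn, "alice", crafted)
    return good, bypassed, blocked


if __name__ == "__main__":
    good, bypassed, blocked = demo()
    print("legitimate lookup:", good)
    print("vulnerable form with crafted input:", bypassed)
    print("parameterized form with crafted input:", blocked)
```

The vulnerable function returns every row for the crafted input, which is the “spoof identity” outcome the article mentions; the parameterized function returns nothing, because the database never interprets the input as SQL. Code review for concatenated query strings, and a rule that all database access goes through parameterized statements or an ORM, is the mitigation this points at.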
“From my perspective, [Nevada sees] pretty much the same sorts of phishing attacks, ransomware, network probes and denial of service attacks as everywhere else,” said Bob Dehnhardt, chief information security officer, State of Nevada, Office of Information Safety. “As a state government, we tend to get a little more constant attention from foreign nation-states than private sectors, but from my talks with other state systems, that’s pretty typical; they see the same sorts of things. I haven’t seen any attacks that were specifically targeted to Nevada.”
“As government, we do see more targets from nation-states versus criminal enterprises. For private business, it tends to be the other way around,” said Aakin Patel, administrator, Nevada Office of Cyber Defense Coordination.
“For example, when the conflict between Russia and Ukraine got started there was some concern that attacks being funded by foreign nation-states would increase against state governments and entities,” said Dehnhardt. Such attacks remain more common against government entities than the private sector.
Phishing
Phishing is the most common cyberattack, trending at 93 percent, said Connery. Phishing messages can deliver malware, business email compromise threats or identity-based attacks.
Some business email compromise attacks use email accounts, either hacked or imitated, to make messages look like company leaders ordering employees to transfer funds or take other harmful actions. It’s one of the easiest phishing attacks to mount: bad actors create or hack an email address, write instructions and send them out. Fortunately, it’s also one of the easiest to train against.
“There are a lot of tools available to businesses for this purpose, but it’s really just training employees to think twice about messaging and whether something is a legitimate email and whether or not it’s something they should be receiving,” said Patel. For example, workers in the custodial department shouldn’t receive vendor invoices. There’s a good chance the email is a threat.
Credential and Identity Attacks
Credential stuffing involves sets of user names and passwords that have been compromised from something like a large social media company.
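Credential stuffing leaves a recognizable trace in authentication logs: because the attacker is replaying username/password pairs leaked from another site, one source tries many different accounts, each only once or twice, rather than hammering a single account. The following added example (not code from the article) runs that check over constructed log lines. The log format, the field names and the threshold of five distinct accounts are assumptions; the addresses are documentation ranges.

```python
"""Added example (not from the article): flagging credential stuffing in
authentication logs. Stuffing reuses username/password pairs leaked from
another site, so it looks like one source trying many *different* accounts,
each only once or twice, rather than hammering one account. The log format
and thresholds below are assumptions, and the log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-01-15T10:00:01Z auth result=fail user=alice src=203.0.113.7
2024-01-15T10:00:01Z auth result=fail user=bob src=203.0.113.7
2024-01-15T10:00:02Z auth result=fail user=carol src=203.0.113.7
2024-01-15T10:00:02Z auth result=fail user=dave src=203.0.113.7
2024-01-15T10:00:03Z auth result=fail user=erin src=203.0.113.7
2024-01-15T10:00:03Z auth result=ok user=frank src=203.0.113.7
2024-01-15T10:05:10Z auth result=fail user=alice src=198.51.100.9
2024-01-15T10:05:12Z auth result=fail user=alice src=198.51.100.9
2024-01-15T10:05:15Z auth result=ok user=alice src=198.51.100.9
2024-01-15T10:07:00Z auth result=ok user=bob src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_by_source(events):
    """Per source IP: the distinct usernames that failed, the total number of
    failures, and the accounts that succeeded from the same source."""
    summary = defaultdict(
        lambda: {"failed_users": set(), "failures": 0, "successes": set()}
    )
    for e in events:
        s = summary[e["src"]]
        if e["result"] == "fail":
            s["failed_users"].add(e["user"])
            s["failures"] += 1
        else:
            s["successes"].add(e["user"])
    return summary


def flag_credential_stuffing(log_text, min_distinct_users=5):
    """Return the sources whose failures are spread across at least
    min_distinct_users accounts (assumed threshold), together with any account
    that then succeeded from that source; those accounts are the ones to reset
    and review, since a success after a spray of failures suggests a reused
    password that was in the leaked set."""
    flagged = {}
    for src, s in summarize_by_source(parse(log_text)).items():
        if len(s["failed_users"]) >= min_distinct_users:
            flagged[src] = {
                "distinct_failed_users": len(s["failed_users"]),
                "failures": s["failures"],
                "successes_from_source": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

In the sample, 203.0.113.7 is flagged (five different accounts, then a success for frank), while 198.51.100.9, which fails twice on the same account and then succeeds, is not: that pattern is a single user mistyping or a brute-force attempt on one account, and a per-account lockout rule, not this one, would catch it. The distinction matters for response, because a stuffing success points to a reused password rather than a weak one.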
Identity-based attacks are communications that appear to come from a trusted source, urging the recipient to act fast and perform an action like changing a password before their account is shut down. The new password goes directly to the hacker, who now has access.
Insider and Third-Party Threats
“Insider threats can be malicious or not malicious,” said Doering. “Sometimes they’re just incompetence or human error. There are also third-party risks, because businesses often rely on third parties – vendors or providers. Those can lead to supply chain attacks similar to what was seen with the SolarWinds compromise a couple years back.”
The cyberattack on SolarWinds, a major U.S. information technology firm, spread to its clients and was undetected for months. The attack, by a Russian espionage operation, came via a software update and was used to spy on private U.S. companies and the upper echelons of the U.S. government.
There can also be cyberattack weaknesses in physical components that may seem untouchable. Things like RFID (radio frequency identification) readers, used for badge-based credentialing, can be bypassed, spoofed or misconfigured. “A lot of times those types of systems aren’t updated as frequently because people don’t assume they’re vulnerable,” said Doering.
Best Practices for Policies, Procedures, People and Working from Home
“There are only two types of companies: those that have been hacked, and those that will be,” said former FBI Director Robert Mueller.
The best thing a business can do to protect itself is to make security part of the company culture, said Doering. He explained, “That’s the top of the list and starts with understanding the company’s unique risk profile. What works for a multinational gaming operator is a lot different from what works for an online retailer or local pub. Making sure you know what information you have and the cost to recover from loss of that information helps guide what you’re going to invest in to protect that data.”
Industry standards start with strong passwords, meaning both length and complexity. Password managers can store strong passwords safely. Multifactor authentication is becoming the norm. It shouldn’t be tied to text messaging, because phone numbers can be stolen. Systems should be regularly updated and patched. There should be regular security awareness training, and if possible, networks should be segmented, and data encrypted both in transit and at rest.
Even with strong security programs in place, if they’re not based on a good framework, companies are just being reactive to anything coming at them. Adopting a good framework, whether it’s NIST (National Institute of Standards and Technology Cybersecurity Framework) or CIS (Center for Internet Security) Security Controls or any of the other industry standards is important, said Dehnhardt.
New and shiny doesn’t beat a good track record for security, and nothing is 100 percent. “No matter what you do, the bad guys, if they’re motivated and resourced enough, will find a way over, under, around or through,” said Dehnhardt. “You’ve got to build in resilience in the form of incident response, continuity of operations, and disaster recovery planning. Those are keys. You have to live with the idea that it’s going to happen someday and the more planning and preparation you can put into place, the better off you’re going to be in the long run.”
A common perception is that cybersecurity is used only to stop cyberattacks. “Cybersecurity allows your company to keep on working when bad things are happening or when bad people are doing bad things,” said Patel. “It allows you to keep on functioning. That’s the aspect of cybersecurity that’s overlooked. It is very much a preparedness thing. You are preparing for bad times and disaster and making sure you can keep working during those times.”
When it comes to protecting your business, the number one threat is still delivered via email. Annual training and company culture concerning email can go a long way toward keeping businesses safe.
“The biggest vulnerability in business today is humans,” said Bill Boston, MSP manager, PacStates. “All of the software and tools that are out there can limit access or restrict it, but one human being can circumvent all of that. You have to have employees work. They can’t just be locked down. The only way to secure a system is to prevent traffic to it. Then you can’t really use it for modern networks.”
Cybersecurity isn’t just for operating hours. Cyberattacks increase during holiday weekends. Kaseya, an IT solutions developer, was attacked over the Fourth of July weekend last year, causing downtime for thousands of companies. “Look into a security solution that is monitored by humans 24/7 [who are] looking out for your business,” said Connery.
Remote work has changed the landscape of cybersecurity. “I think it’s done so for the better,” said Doering. “Because, for a long time, businesses assumed that access to sensitive data was only possible within the confines of the office space.”
“Remote work shined a spotlight on weaknesses,” said Boston. “It changed cybersecurity. Essentially remote work as COVID response was people going home to use their home computers to access company resources. Companies have a lot of systems in place to protect infrastructure and data held within the company, whether that’s the customer’s data, or intellectual data. That’s harder to control when using the bring-your-own-device model.” Post-COVID, companies with remote workers are switching to corporate devices that allow for more controls.
Protections to be put in place for remote work include things like securing laptops that are going outside, removing processes that don’t need to be there and making sure security settings and the security technology on them are correct. Companies need to figure out ways to monitor the traffic that’s coming in from remote endpoint laptops into their environment, because those are going to be the greatest risk if the rest of the steps haven’t been taken.
Companies can get insurance, although not all cyber insurance is created equal. “You want to make sure your plan is going to make you whole for business loss and downtime and get your system back right. Oftentimes, depending on data affected, there are [also] legal requirements to make affected people whole as well,” said Boston. Requirements could include buying threat monitoring for customers or reimbursing them for damages if the company was negligent.
Cyber insurance is expensive. “The rates jumped by pretty significant margins in the last few years and we saw our insurance premium at the state level go up 400 percent,” said Dehnhardt. “Some states reported they saw 600 to 700 percent increases combined with a decrease in coverage.”
Not to mention the approval process is arduous, requiring proof that the company is taking reasonable, and sometimes extensive, steps to secure its environment and is managing its security program effectively. That’s weighed against the cost of an attack, which varies by incident.
Here’s the silver lining. “If you have a business that doesn’t really know what it should be doing, try to get a cyber insurance quote. It’s a good way to get a free assessment,” said Dehnhardt. “They’re going to go through and give you a list of all the things you’re doing wrong, ‘Why we’re not going to insure you,’ or ‘This is our sky-high quote,’ but now you have a list of things to fix.”
“It’s a valid technique that could save you $50,000 to $100,000 to get that assessment from a cybersecurity consulting company,” said Patel.
Of Fish Tanks and Flatscreens – Threats to the Internet of Things
The Internet of Things (IoT) simplifies life. Turn the lights on before getting home. Monitor the temperature of the office remotely. However, people don’t necessarily think of updating appliances or TVs or security cameras, and those devices often have poorly developed software specs. “They’re more focused on functionality over security and it’s not until they’re released to the public and out in circulation that security issues come up and get patched,” said Doering. Buying reputable brands with proven track records and frequent updates is important.
“There’s no universal industry-wide standard which means companies and niches all have to develop their own protocols and guidelines, and one of the greatest threats to the Internet of Things is the lack of encryption on regular transmission,” said Connery. “Many IoT devices don’t encrypt the data they send, which means if someone penetrates the network, they can intercept credentials and other important information transmitted to and from the device.”
Example: In 2013, hackers successfully breached Target’s network and stole credit card information from millions of transactions after stealing log-in credentials from an HVAC vendor using IoT sensors to monitor Target’s energy consumption. “I have even seen bad actors use the thermostat for a fish tank in a casino lobby to access gaming data,” said Connery.
Economics
Economic fallout from a cyberattack depends largely on the company attacked, the type of information loss and the number of records lost. Restitution to victims, legal and regulatory penalties, damage to reputation and disruption of the company’s business are all costs. Those are in addition to notifying customers of the breach, remediation expenses and legal fees.
Companies mandated to have protections in place against cyberattacks face regulatory fines. “And if you’re thinking about paying the fine, which is averaging over $700,000, in most cases paying a ransom is illegal,” said Connery.
Many businesses are required by regulation to take cybersecurity measures to protect their data. Casinos are mandated by the Gaming Control Board, healthcare by HIPAA (Health Insurance Portability and Accountability Act) laws, and financial institutions are regulated by the FTC. Businesses not under regulatory mandates should, at minimum, be looking at acceptable use policies, employee training policies, password policies and having an incident response plan.
Costs ripple into the economy when customers lose trust in companies and business falls off. If jobs are lost, wages spent in the local economy are lost. If the company can’t work, revenue is lost.
“Policies like cyber liability and ransomware insurance are available, but prior to underwriting or a claims payout, organizations are usually required to show they have appropriate safeguards in place,” said Doering. “That means ensuring you have the right people, processes and technology in place.”
“Keep in mind that security is a team sport,” said Dehnhardt. “It’s not just the security team, it’s not just the IT team, it’s everyone. Business continuity and disaster recovery are business processes. The business drives those things. They tell IT what needs to be recovered first and what needs to be in place to continue company operations. Everyone in the company needs to be aware of phishing. Cybersecurity needs to be part of the culture. [You can’t just say,] ‘That’s our security guys and they take care of that.’ It [takes] everyone.”