Congratulations, You Are About to Lose the Super Bowl

Jets in Super Bowl: The last time the New York Jets won a Super Bowl (in fact, the ONLY time they ever won), Richard Nixon was elected president of the United States. The year was 1969, kids.

Intel on Opposing Team: One thing about being in the Super Bowl is both teams know who they are up against. The opposing team has just finished an entire season of football. Both teams will review the video recordings of every game so they know the strengths and weaknesses of the other team, and of their own.

Your Turn: Imagine YOU are the New York Jets, and you’ve just been notified that through a quirk of fate, you are playing in the next Super Bowl! Congratulations! Oh, but there is a catch. You don’t know who you are playing.

Cyber Super Bowl: What does this scenario have to do with cyber security, you ask? Actually, quite a lot. For one, almost every network, especially homes and small businesses, are about as well defended as the New York Jets. Which means, not very well. And offense is completely out of the question.

Offense & Defense: As with football, so with networks. We need BOTH defensive AND offensive lines. We’ve already established that offensive cyber operations are off the table for home users and small businesses. Since we aren’t permitted legally to conduct offensive cyber operations, the next best thing is to detect an intruder early. In a computer network, defense equates to prevention. Prevention consists of firewalls and antimalware. Conversely, offense equates to detection.  Detection consists of Endpoint Detection and Response tools, as well as Security Operations Center (SOC) analysts responding to alerts. In addition, your team can leverage Cyber Threat Intelligence (CTI) from the Intelligence-sharing groups and then actively hunt for those very threats on your network.

Prevention is Affordable: For most home users and small businesses, prevention is all they can afford. Because prevention is usually an automated process facilitated by software, you set it and forget it. Since most home and business users are running Windows 10, you have Windows Defender installed by default, and that is the best option for antimalware and the host firewall.

Detection: Detection is tougher because it usually involves hiring an SOC team (or tasking your IT staff with additional duty, for which they aren’t trained). For a small business and home user, detection and threat hunting is only feasible with a Managed Security Service Provider (MSSP). For example, Dell purchased SecureWorks a few years ago, and AT&T purchased AlienVault to provide those services. The downside is most of the MSSPs target large businesses with deeper pockets. You just need to make sure you pick a vendor that can provide the sweet spot of security and cost.

Cover Your Bases: The sweet spot is really about covering all your bases (forgive the mixed metaphor). Getting prevention and detection capabilities in place. But even when you do that, the persistent attackers will still get through. Eventually. That’s where the cyber insurance comes in. A great place to start looking for solutions would be Stickler Webb Insurance. There you can get cyber insurance quotes and find a cost effective SOC vendor to provide the offensive line.

Your Offensive Line: You are not going to the Super Bowl. If you have a computer network, you are already IN the Super Bowl. Relying on prevention alone is like going to the Super Bowl with only your defensive line. Imagine how that game would turn out. You are in the game whether you like it or not. Make sure you at least HAVE an offensive line.

Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July, 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop-up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer.  He limited the damage, but key files were being held for ransom.  Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.  

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware.  The insurance covers the costs of:  the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime.  Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack.  Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.  

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy.  Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training.  Some underwriters will require company-wide training programs prior to issuance of the policy. 

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance?  Your business “lives” on a cyber flood plain. One out of every five cyber attacks are against small- and medium-sized businesses.  Of those that suffer an attack, over 60% cannot recover from the residual financial loss.  So, it’s not only big companies that need it.  Small businesses have been flooded right out of business from cyber attacks, when not properly covered.  

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier.  If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it.   The cost of an attack could shut your doors.  So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote.  If you run an AirBnB or a small-repair shop, you may be OK without it.  Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities.   Calculate the risk. If your company was attacked, what would be the impact?  There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world?  Would you be like Rockville Center or  like UCSF?  Consider the options, then … choose wisely.