Hello, everybody. Thank you for joining today's presentation on how to plan for a data breach. My name is Kamran Salour. Today, I'm gonna talk to you about ways to plan for a data breach, and we're gonna talk about it really in two directions.
One, in terms of limiting the likelihood that your organization is going to be breached. And then the second component is gonna be, okay, once there is a breach, how can we limit the damage that can be done to the organization when a breach has occurred? One of the common themes when we're talking about cybersecurity and cybersecurity defense is to have a layered approach. You never just wanna have one barrier to entry for the threat actor.
And if the threat actor is able to penetrate or overcome that barrier, then the threat actor is able to have access to all of the goods in your organization.
And so having multiple layers, multiple barriers is one of the themes that we're gonna talk about, and that's how we're gonna approach this presentation here today.
Now one of the things that's gonna be important as we go through this presentation is knowing what the term breach means, and that's why you'll see here on this slide, this first page, we have the term breach used in quotes. And I'm gonna use the term breach imprecisely today just for ease, because we're gonna talk about it in more of a practical sense. But the term breach has a legal definition that we're gonna talk about as well. So I just wanna flag that for the audience here.
So as we start, as I mentioned, we're gonna first talk about defining what a data breach is, because people may have different definitions of a data breach. And, of course, as I just mentioned, the term breach itself has a legal definition, which we'll talk about. And then we're gonna talk about the common types of breaches. Now you can have an almost infinite list of types of breaches in terms of how they occur and the impact that they have.
But as you'll see, and as the research or evidence will show, there's generally two main types of data breaches that encompass the vast majority of breaches, certainly the ones that you hear about and certainly the ones that I or my clients experience on a regular basis. We'll talk about those. And it's important to talk about each of them because there are gonna be some distinctions in terms of how to protect, or in terms of how to minimize the damage of a breach, based on the type of breach that is occurring.
And then we're gonna talk about really the heart of this presentation. Right? One, how do we limit the likelihood of unauthorized access? And unauthorized access is just a fancy term for how a bad guy gets into your environment.
Right? That's the unauthorized access. And then we wanna limit the harm or the damage that can occur in the event there is unauthorized access. And those are really the two main components that we're gonna focus on today.
Now, before I get in too deep, you probably wanna know who's telling you about all this stuff, and am I qualified to speak on these issues? Well, as I mentioned at the outset, my name is Kamran Salour. I am a data privacy and cybersecurity attorney. I am a cochair of our data privacy and cybersecurity group here at Lewis Brisbois.
On a daily basis, I help clients respond to all types of data security incidents. It could be as simple as you leave your phone in an Uber: what do you do there? Or you leave your laptop in your car and you go to dinner and somebody breaks into your car and steals your laptop. What do we have to do from a legal standpoint? What do we have to do from a business standpoint? It can be as complicated as having a multinational organization be completely shut down due to a ransomware attack, and helping figure out how to get back operationally, how to message organizations, clients, and customers about what happened, what to say, what not to say, a whole realm of different things that come into play with those types of situations.
Probably in a given year, I do close to a thousand of these types of incidents and events. And so what I'm talking to you all about today is really at a high level, because a lot of the approaches are gonna be different based on not only the type of industry you're in, not only the type of data that you have, but also how much money you have to devote to some of these resources that you really need in terms of maximizing your cybersecurity defense and in turn minimizing the likelihood of a bad guy getting into your environment. But what I counsel all my clients is no matter how much security you have in place, there's always the likelihood that somebody gets in.
And so that's why we're gonna talk about the second component later on in this presentation where, okay, now somebody's in, we wanna make it not worth their while, where they're not able to get anything of value from the organization, where they're not able to upend any business operations, and that's how we're gonna minimize the impact of any unauthorized access on behalf of the organization. So those are gonna be the really two main points that I want you to all take home after today's presentation.
Now let's start with the basics. Right? What is a data breach? Right? And when we're talking about a data breach, we're really talking about unauthorized access here.
Right? And the term breach is defined by the applicable law. Here in the US, we have fifty four different data breach notification statutes. Right?
The fifty states, DC, and three territories.
They all have some varied definition, but at bottom, it's usually gonna be defined as either unauthorized access to or unauthorized acquisition of personal information. So most states are gonna require acquisition of personal information to constitute a breach. A few states are gonna require unauthorized access to personal information to constitute a breach. But the reason why I wanna flag this definition is, as you'll see, you can certainly have unauthorized access, right, without there being a breach. So think of a state like California, for instance, that requires unauthorized acquisition of personal information to constitute a breach.
You could still have a situation where a bad guy gets into your environment. Let's say he just accesses personal information and doesn't acquire any of it, and legally, that's not defined as a breach. So the reason why I bring that up is you can certainly have areas or instances of unauthorized access or even unauthorized acquisition without it constituting a breach. And so when we talk about preparing for a breach or making sure that our organization doesn't get breached, I wanna make sure that's understood as shorthand.
We just don't want unauthorized access into our environment because, well, if we have unauthorized access but not to personal information, or we're an acquisition state and there's unauthorized access to personal information, that may mean we don't have breach notification obligations. But it still means that we have a cybersecurity type of incident or a data security incident, and we still wanna make sure that our environment is clean and safe, and we wanna obviously limit the likelihood of a bad guy getting into our environment. So a breach is a lot more narrow than a data security incident.
A data security incident can happen without there being a breach. Conversely, you can't really have a breach without a data security incident, if you wanna think of it that way. As I said earlier, we're probably gonna use the terms breach and data security incident almost interchangeably during this presentation. That's imprecise, admittedly.
But for our purposes here, we may just use them interchangeably. So I just wanna emphasize here we're not doing the notification analysis or anything like that, because I would bore you all to death if that was gonna be part of this presentation. So we're definitely not gonna touch upon that process here. Now to complicate matters, of course, personal information has a different definition under most of the state statutes as well.
In general, it's gonna include Social Security number, driver's license number, and financial account information. Although more often than not, it's not just the financial account information, it's the financial account information plus the means to access that account. So think of a check where, at the bottom of the check, you have the routing number and the account number. That, generally speaking, by itself is not going to be personal information because, really, a check is publicly available in the sense that one person is sharing it with somebody else.
And with the check itself, you're not able to access, that individual's account.
Same with just a credit card number.
Just the sixteen digit number on the credit card, generally speaking, is not going to trigger notification. It's not gonna be defined as personal information.
What would be defined as personal information would be the means to access that credit card. So it would be the number plus the expiration date plus the CVV, let's say, or a bank account with a username and password to get into the online banking. So you'll need that means of access as well.
And, again, just to close out this breach point, it's really not a breach unless your attorney says so. So, again, we're gonna really talk about unauthorized access into your environment, how to minimize the likelihood of that, as well as, once the bad guy is in, how do we minimize the impact of that unauthorized access?
Now as I said, there's probably a host of different types of breaches that we experience or that can occur.
As I think I mentioned earlier, we could have a situation where you leave your laptop at a coffee shop or you lose your phone in an Uber. Those can certainly be data security incidents, and those certainly require legal intervention in most situations to assess how to respond and what legal obligations you have. But most common, as you'll see, from a business standpoint, are two main types of breaches here. The first is a business email compromise, and that is really unauthorized access into your email environment.
And, typically, you'll think of a business email compromise when you've clicked on a phishing link. Right?
And somebody sends you a link, you click on it unsuspectingly, and you input some of your credentials, and that gives the bad guy access to your email environment.
Other ways that people can get access to your email environment is you may have a username and password that was part of another breach. And as part of that breach, your username and password is being sold on the dark web, and people buy that information off the dark web, and they use it to then get access to your email environment.
Typically, when the bad guys are trying to get access to your email environment, it's to engage in wire fraud.
So what typically happens is the bad guy gets into your environment, whether it's through a phishing link, whether it's through a compromised password, whether it's through other means, like they're able to bypass your multifactor authentication. It can be a number of different ways they're able to get into your environment. Once they get into your environment, what they're typically trying to do is commit wire fraud. And the way they do that is they will sort of sit and observe and watch communications that you have with a vendor, understand who the players are between you and the vendor, have an idea of the invoice amounts that are being shared between you and the vendor, and they will interject themselves in that discussion through a number of different ways.
And what they'll ultimately do is try to divert the payment. So if you were going to pay a vendor, they would pose as the vendor and say, oh, by the way, we have new banking information.
Please make the payment to this account. Then you make the payment to that account unsuspectingly, and what happens is the vendor doesn't get paid, the bad guy gets paid. That's typically what the motivation is for these individuals.
If for whatever reason the bad guys get into the environment and they are not able to find anything appealing or available for them to commit the wire fraud, what they will again often do is engage in what's called a phishing campaign. You may have been the recipient of an email like this, where you just get an email blast. Sometimes what'll happen is these guys will get into your environment, they're not seeing anything lucrative from a wire fraud standpoint, so they'll just send an email to all your contacts with a phishing link in the hope of, okay, well, let's try somebody else.
And sometimes you'll see an email from somebody to say, hey, you may have received an email from me yesterday.
It had a link that wasn't sent by me. Don't click on the link. Right? And so those are often the two main motives you'll see from that business email compromise. But business email compromise can be very lucrative in the wire fraud scenario. I've seen wire frauds exceeding seven figures for invoices.
And there's some ways that we're gonna talk about to minimize that impact. Right? Because, as you can imagine, it can be very hard, no matter how much you educate people, to not click on a phishing link. It happens. It happens all the time. And so the key here is really, okay, if somebody clicks on the phishing link and somebody gets into your environment, how can we minimize the impact to your organization? And we're gonna talk a lot more about that a little bit later on.
The other type of breach, which you're probably well aware of, is the ransomware.
And usually in a ransomware scenario, it could vary. But in general, what happens is the bad guy gets into your network, and they do two things. One is they take some data from your environment, and that's called the data exfiltration.
And right after they take the data, they encrypt your environment, meaning that they lock it, essentially. And, unfortunately, you don't have the key to unlock the environment. And so the goal there for the ransomware attack is really financially motivated. Right? And the reason why they do the encryption as well as the data exfiltration is it gives the bad guy two chances to get paid. So opportunity one is, okay, well, your environment is encrypted.
You don't have access to it.
Their hope is that you pay the bad guy for a decryptor key.
That's one way to get payment.
And the second way to get payment is sometimes an organization, even though their environment is encrypted, or for whatever reason the ransomware was not successful in encrypting the environment, or they only encrypted some servers that aren't very critical to the business operation, there's no need for a decryptor key. And so sometimes then the organization will wanna pay the threat actor to return or delete the data that they stole.
And that's really a second way that the bad guys can try to get money. So one way would be for purchase of a decryptor key. The other way would be for payment for data suppression or data deletion.
We can have an entirely separate CLE on that process in terms of the pros and cons of paying for data suppression or data deletion, the strategy involved in that. That's a very detailed discussion. But, really, for purposes of today's CLE, what matters is to know that the motive for these bad guys is financial.
And it's important to pay attention to their motives because that can help minimize the impact. Right? Again, assume the bad guy gets in, we don't want him to be able to take away everything that's of value to your organization. And so that's why we wanna talk a little bit about their motives.
Alright. So we've talked about the difference between what constitutes a breach legally versus unauthorized access to your environment. And we've talked about as well the two common types of breaches. And, again, there's many more, but the business email compromise as well as the ransomware. And so now we're gonna talk about the planning.
How do we plan for one of these situations? And, really, the short answer is there's lots of things that you can do to position yourself to minimize the likelihood that a bad guy gets into your environment.
Some of these are gonna be more plausible and more feasible for certain organizations, but we're gonna lay out a handful of items that are ways to help plan and minimize the likelihood of an impact. So let's talk about those.
So, again, I've been reiterating this theme here of step one is to limit the likelihood of unauthorized access. Step two is to limit the amount of harm or the impact should the unauthorized access occur. And I can't emphasize that two pronged approach enough.
In my experience, too many organizations will focus on item one, and they'll be very adamant. They'll do phishing training and try to do all these things with emails and protecting emails and have multifactor authentication.
But there's ways to get around multifactor authentication.
Phishing emails: if you're successful in terms of not falling for the phishing link ninety nine times, that's great. But if you fall victim to the link that hundredth time, and once you fall victim to the link the bad guy can get access to all the critical components of your business, then you're not doing a good job from your cybersecurity standpoint. Your employees should not be the one and only barrier. Right?
Your organization's cybersecurity health should not depend on whether somebody clicks on a phishing link. Right? So we wanna have a multilayered approach. And even within each of these two categories, we wanna have multiple layers within them.
So let's talk first about limiting the likelihood of unauthorized access.
Okay. So let's talk first about just basic protections. And this list that I've created, by all means, is not exhaustive. It's meant to be high level.
There's gonna be different things that are gonna be available to you based on the type of organization you have, the size of your organization, the type of hardware that you have in your environment, who is managing your environment, as well as what type of budget you have for your environment. There's gonna be lots of different components that come into play. Now this list that I've created is really based on what I see day to day in terms of when I'm dealing with companies that have been breached, for lack of a more precise term, or have experienced unauthorized access into their environment.
What are some common things that these organizations do not have in place? And so one of the first things we're just gonna talk about is, let's have some basic protections in place. And one is, you should have antivirus. Right?
And that should be pretty standard on all of your servers and workstations.
You should have a firewall, and you should have multifactor authentication.
Now usually, most organizations have the antivirus, but what they do is they think, oh, well, I have antivirus, and therefore, I'm protected and safe. Now what antivirus does is it's going to be able to identify known threats and essentially contain them and isolate them. And that's effective for known threats, but antivirus is not effective outside of that. And so just relying on antivirus is not gonna do a great job in terms of protecting your environment from unauthorized access.
And so if you're just relying on antivirus, you're not doing enough. Right? You need multiple layers. So, same with the firewall.
The firewall is going to be a barrier between your network and the outside Internet. Right? And so you wanna be able to have the firewall in place. But if you have a firewall in place and you haven't taken appropriate measures to make sure that the firewall is up to date in terms of its vulnerabilities, you're essentially having a firewall that has holes in it and is allowing public traffic to come into your environment, which, of course, you don't want.
And then multifactor authentication.
Most people have multifactor authentication, but there's still a large portion of organizations that don't have it for whatever reason. And I can't tell you how many times when we have a business email compromise, one of the first questions we'll ask is, do you have multifactor authentication?
And the answer is no. We were in the process of migrating to multifactor authentication in a few weeks. Or no, we tried it and people didn't like it.
And so multifactor authentication, as I'm sure most of you know, really requires two means of identification for someone to access your environment. So if you were to click on a phishing link, ideally, what would happen is you'll get a text message or some sort of authenticator prompt confirming, hey, did you click on this? And then, ideally, you could say, no.
It wasn't me.
Now I lay out these basic protections because, one, everybody should have them from an organizational standpoint, with few exceptions, but also to forewarn that just having these by themselves is not enough because, again, the antivirus is only gonna be of limited value in terms of identifying known threats. The firewall, if you don't have an up to date firewall, is not going to be effective in terms of blocking threats. Same with the multifactor authentication: even if you do have it, there are ways to have it bypassed. And, again, all of this goes back to you need to have multiple layers of protection and not over rely on any one type of protection that you have.
The other thing let's talk about is, a lot of times when I'm talking with organizations or clients that I'm helping, they have some low hanging fruit, if you will, that the bad guys are able to exploit very readily.
One is having open RDP. RDP is remote desktop protocol, so it allows you to basically remotely access another device. If you have this, but you don't have the appropriate protocols and safeguards around it, let's say a VPN associated with it, then what can happen is anybody can access your environment. And so a very easy way for bad guys to enter your environment is to have open RDP.
And so this should just be something that you don't have in place. Right? Because it's easy. It's low hanging fruit, and we wanna minimize the likelihood of unauthorized access.
Again, the no multifactor authentication comes up all the time. Although having multifactor authentication isn't an end-all be-all, it's not a silver bullet, it's certainly better to have it than to not have it. And then this last one here, where we wanna limit admin access, might actually be better positioned for the next part of our topic, which is to minimize the harm once a bad guy gets in. But what we don't wanna have happen, and I guess I'll give you a preview here now, is for the bad guy to get in and, if everybody has admin access, it's basically giving the bad guy the keys to the kingdom, and he can go wherever he wants because he's got full admin access. So we wanna limit the admin access as much as possible and have it on a limited basis.
So these are just a couple of ways that bad guys are able to get in. And, again, it's usually because we're over relying on basic protections or, conversely, we don't have basic protections in place. So this is really just sort of a bare minimum that we wanna have in place. But you'd be surprised how many organizations don't have this bare minimum in place. Just limiting admin access can really, really go a long way. And, again, that's probably better positioned under the second part, but we've previewed it here.
Okay. So here's some more ways. Another way is having a password policy.
I talked about a little while ago, one way the bad guys can get into your environment is if you have a password for another account and that has been compromised somehow and it's for sale, and then the bad guys will just use that password on your other account. So if you have different passwords for each account, it's much less likely for the bad guys to be able to purchase compromised passwords and use them.
And one way to help do that, of course, is your organization can, either themselves or through different services, audit the dark web for sale of compromised passwords.
And by doing so, they can identify, hey, your password appears for sale or has been part of a breach. There are websites that you can just use yourself that will tell you if your password has been part of a breach, and you should change your password. Now I know there's lots of different discourse about passwords, changing them, how frequently, and how many characters to have them. You should always go for a longer character password. I know the guidelines keep changing, but somewhere between twelve and sixteen characters.
And I know the new guidance now is to not change your password as often. It's more to just have a very strong password because, when you have to change your password very often, a lot of times people will continue to use the same password and repeat the passwords, which is what we don't wanna do. But it's important for your organization to have a strong password policy, enforce that policy, and make sure that there aren't compromised passwords out there that are available to be purchased by bad guys to access your environment. That's a relatively easy way to help minimize unauthorized access into your environment.
Another thing which is easy to do but often overlooked is a process called geofencing.
And what geofencing is essentially is you're creating a geographic fence around your network. So if you are a US based organization and you don't do business in Europe, you don't do business in Africa, or anywhere, you're only doing business in the US, then what you could do is block IP traffic from outside of the US, because you're not doing business with somebody outside the US. So if somebody from outside the US is trying to enter your environment, they should be blocked, because that should raise a red flag for you as far as this doesn't look like a legitimate means of access, so let's block it before it could even get in the environment.
That's not always easy to do for an organization that has international components, but, certainly, there are ways that you can at least eliminate it for certain regions. So maybe you do business in parts of Europe, but you don't do it in other parts. There's different ways where you can block different IP traffic to help minimize the likelihood of unauthorized access.
And with all of these policies that I've mentioned, and will continue to mention, your policy is only as strong as it is effective. Right? And so a lot of times an organization will have a certain policy in place, but they don't do anything to check if that policy is working. Not only working in the sense of is this functional, in other words, if I've implemented geofencing, am I in fact blocking IPs from certain locations?
But also, is it working in the sense that is this impeding my business somehow? And so you really wanna audit this. And, ideally, you have a third party come in and audit these things, because it's always better to have a third party assess what you've done internally as opposed to yourselves auditing it, because you're gonna eliminate an inherent bias there. But you always wanna have these audited, ideally on a yearly basis, just to make sure, a, that it's functioning as it's supposed to, but also that it's not impeding business. Because one of the main reasons why organizations don't implement a lot of these cybersecurity measures is because they tend to interfere with business.
I deal a lot with clients that have gone to encrypted email. Right? And it's great because your email is encrypted. And so if for whatever reason somebody is able to access your email, they're not able to read the contents of the email.
But as anybody that's received encrypted email knows, it's a pain to read. You have to input new credentials every single time, and sometimes there's MFA involved and you're spending thirty seconds just to open up an email. And a lot of times, people will overuse the encrypted fashion. So they'll send you an encrypted email that basically says, can we meet, can we set up a call at noon, where that really doesn't need to be encrypted, of course.
And so you kind of get encryption fatigue, and it's really difficult to run a business if it's gonna take you thirty seconds to open up every email. Right? It just continues to add up time wise, but also it's just gonna drive people crazy. And so there's always a balance here involved in terms of what's good from a security standpoint versus what's good from a business standpoint, and trying to balance those things out.
So that's why I really encourage auditing, especially when something like geofencing is concerned.
Okay. Here's another one: your patching policy. You wanna have a patching policy. I think it's every Tuesday, Microsoft identifies new patches for a lot of Microsoft software.
You should always have a patching process in place. A lot of times, we talked about firewalls earlier and keeping those firewalls up to date. A lot of times, vulnerabilities are identified.
And, if you don't patch those vulnerabilities, the bad guys will exploit them, and you have to patch them in a timely manner. A couple of years ago, there was a big Microsoft Exchange, vulnerability.
And if you didn't patch, you were you know, it was gonna be very, very problematic for your organization. And so most of the organizations that I dealt with that didn't patch just didn't have patching policy programs in place. So, there was no, set time, whether it's weekly or monthly, for them to patch. There was no auditing to make sure things were patched. And so it's really an easy way to, help limit unauthorized access because these threat actors, they exploit the low hanging fruit. So if you don't have if you don't have a firewall, if you don't have micros multifactor authentication, you have open RDP, or you have an, an unpatched vulnerability, that's where they're going to, you know, immediately go and access things.
And the other thing I suggest is that you conduct third-party risk assessments.
Again, it's one thing to structure your security environment in a certain format and way, but it's always important to have a third party come in and try to penetrate the environment. And the third party can identify vulnerabilities, or points of entry or access, that you may not be aware of, because these third parties are in the business of identifying risks. Right? And so you want them involved.
You want a third party giving you impartial guidance on how things go with your environment, and identifying areas where your cybersecurity posture can be improved.
A lot of times, we'll have organizations that think they have things in place, but they don't know that it's not working until it's far too late. So anything that you employ, you should always assess through third parties to make sure that it is in fact employed.
If you do all these things that I just mentioned, you're gonna find yourself much further along than most organizations that I deal with in terms of limiting the likelihood of unauthorized access. Now there's a host of other things that we can do here. Right? Another thing that I always like to suggest is having endpoint detection and response tools in your environment.
We talked a little about antivirus, right, where antivirus is able to identify a known threat. What the endpoint detection and response tools, or EDR tools, do is detect anomalous behavior. So for instance, let's say somebody is logging in. You don't have geotagging, or geofencing, excuse me.
Somebody is logging in from an environment that you wouldn't suspect: from their same workstation, but now from a different IP address, let's say. This should ring a bell to your EDR tool, and it will identify this and flag this. And a lot of organizations that have EDR tools in place, when they come to me, they've been able to detect the unauthorized access and really limit the damage that the threat actor does. Sometimes they are able to catch it when only maybe one server was encrypted, or even before any encryption. And that goes a long, long way in terms of limiting the impact of the unauthorized access.
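The kind of check the speaker is describing, as an added example that is not part of the presentation: a small detector that flags a login from a country outside an allowed geofence, or from a country the user never used during a baseline window. The log line format, the allowed countries, the baseline length and the sample log lines are all assumptions constructed for this example.

```python
# Added example, not code from the presentation: a small detector in the spirit
# of the EDR and geofencing checks described above. It flags a login that comes
# from a country outside an allowed list, or from a country the user never used
# during a baseline window. The log format, the allowed countries and the
# baseline length are assumptions made for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <source ip> <country>".
SAMPLE_LOGS = [
    "2024-03-01T08:02:11 alice 203.0.113.10 US",
    "2024-03-01T08:05:42 bob 198.51.100.7 US",
    "2024-03-02T09:14:03 alice 203.0.113.10 US",
    "2024-03-02T17:44:19 bob 198.51.100.7 US",
    "2024-03-09T03:12:55 alice 192.0.2.45 RO",    # outside the geofence, new for alice
    "2024-03-09T10:01:07 bob 198.51.100.88 CA",   # inside the geofence, but new for bob
    "2024-03-10T08:00:00 alice 203.0.113.10 US",  # normal
]

ALLOWED_COUNTRIES = {"US", "CA"}  # the geofence (assumed)
BASELINE_DAYS = 7                 # logins in the first 7 days define "normal" per user


def parse_line(line):
    ts, user, ip, country = line.split()
    return datetime.fromisoformat(ts), user, ip, country


def find_anomalous_logins(lines, allowed=ALLOWED_COUNTRIES, baseline_days=BASELINE_DAYS):
    """Return a list of findings; each has the login fields plus a list of reasons."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    if not events:
        return []
    baseline_end = events[0][0] + timedelta(days=baseline_days)
    seen_countries = defaultdict(set)  # user -> countries used during the baseline
    findings = []
    for ts, user, ip, country in events:
        reasons = []
        if country not in allowed:
            reasons.append("outside_geofence")
        if ts <= baseline_end:
            # Still learning what normal looks like for this user.
            seen_countries[user].add(country)
        elif country not in seen_countries[user]:
            # New country after the baseline: treat as anomalous. It is deliberately
            # not added to the baseline, so a second login from there is flagged too.
            reasons.append("new_country_for_user")
        if reasons:
            findings.append({"ts": ts.isoformat(), "user": user, "ip": ip,
                             "country": country, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalous_logins(SAMPLE_LOGS):
        print(f"{f['ts']} {f['user']} {f['ip']} {f['country']} -> {', '.join(f['reasons'])}")
```

On the constructed logs this flags two events: alice's login from RO (outside the geofence and a new country for her) and bob's login from CA (inside the geofence, but a country he never used in the baseline). A real EDR looks at far more than source country, but the shape of the rule, a baseline of normal per user plus a hard policy boundary, is the same.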
Now I wanna shift gears in a moment. I wanna talk about limiting the amount of harm, right, that can occur from the unauthorized access.
And I guess the best way to frame this, at least to help visualize what I'm talking about, is I'd like to tell my clients: if you have a house where all the lights are on, the windows are open, the doors are open, and you can see a computer sitting there from the street, but you don't see anybody else in the house, it's gonna be attractive for a bad guy to come and just snatch the computer and go away. Right?
Conversely, if you have a house that has a gate on the outside, security cameras around the perimeter, the door is locked, you have gates or bars on the windows, a guard dog in front of the house, all of these things are gonna make it less attractive for a bad guy to try to access that. At the end of the day, these guys are motivated by money, not by how many hours they work. Right?
So they're not looking to penetrate multiple layers of security to get to what they wanna get to. They're gonna go after the most attractive victims, and those are the victims that have the least amount of security or the most open vulnerabilities. Right? So take that house that I just mentioned that has all those protections in the front.
But guess what?
If you go from the back, the doors are unlocked. There's nothing there, and somebody can easily go in through the back, get whatever they want, and leave. Right? So that's the analogy or comparison I like to think of when we're talking about limiting the likelihood of unauthorized access.
Just as humans, we're less likely to try to take from something that's hard to take from. Now the second component of that, of course, is let's assume somebody gets in. Well, if somebody gets into the house, we want all of our valuables in one specific location, and we want that specific location locked up. Right?
We don't wanna have money scattered around, cash in every different room of the house, where somebody can come in and grab some cash and go, because that's gonna create lots of problems for us. One, we're probably not gonna know how much cash we had. Right? And two, we're probably not gonna know exactly how much cash was taken.
Now I know this sounds silly because we're talking about organizations, but that's what often happens when we're talking about organizations and their data. Because organizations have their data strewn about the entirety of their organization, different workstations, different servers. And one of the big problems that happens is when somebody gets in, if they don't have to go to a very specific fortified location to get the data, they're able to get little bits of data as they're going through your environment.
So not only does that make the threat actor successful, because the threat actor is able to steal some data, but also, you don't know. You don't have a good inventory of your data. You don't know what they took. You don't know how much they took, and you don't know what is contained in what they took. And so, just like if you're gonna have a safe in your home, you're gonna put your valuables in the safe, you should have that same mentality or approach when it comes to your organization.
Now I know that's much easier said than done. It's much harder to manage an organization than it is your household, especially if you have hundreds and thousands of employees and are implementing different things. But the goal when you're talking about limiting the amount of harm is to limit the amount of data, because data is valuable not only to the organization itself, but it's certainly valuable to the bad guys. That's one of the ways the bad guys get money from you, by saying, hey, we're gonna publish all of your data. Pay us a ransom so we don't.
And so if I can only impress one thing upon you in terms of limiting the amount of harm, it is to limit the amount of data that you store, and limit the amount of data that you collect. Right? So a lot of times, companies will collect Social Security numbers for no reason. They don't need it, but they collect it.
I've had organizations where, and I guess the worst thing is, they've kept the Social Security numbers, and they've kept them in spreadsheets. So when I'm doing notification analysis for organizations, a lot of times what'll happen is the organization has spreadsheets that are full of former employees, former patients, names, Social Security numbers, just in a spreadsheet. And what does that mean? And these are going back twenty-five, thirty years.
The organization doesn't need this information, and they certainly shouldn't store it in an unencrypted format. And so what this means is now you have to notify these people, let them know that, hey, we have your Social Security number, even though you haven't done any business with us in thirty years.
Sorry, your Social Security number was misappropriated as part of a data security incident. So you definitely wanna avoid that. But more importantly, aside from the notification cost, you wanna limit the data that you have, because that's gonna minimize the harm that can occur.
Because when we're talking about a data breach, there's really two main harms. One is gonna be the impact to your business operations, but the other is gonna be the impact to your business going forward based on the exfiltration or misappropriation of your data. So if you're dealing with a client and you have their important data and it's in an unsecured format, they may not wanna do business with you after this. If you have to give notice to ten, twenty thousand people that you have their Social Security numbers, you may be the victim of a class action lawsuit.
So one of the ways to really limit the amount of harm that can happen in the event of unauthorized access is to limit the data. And that means limiting how much you collect, limiting how much you store, having a retention policy where you delete the data that you don't need, and then storing the important data,
and that could be business-important, it could be personal information, in an encrypted format, in a secure format, in a very isolated area.
Now I just talked about minimizing how much data you store. I'm gonna tell you something that basically says, I want you to minimize how much data you store, but I want you to duplicate the data that you do store. I know that sounds a little bit counterintuitive, but we wanna back up the data that we collect. And here's the reason why.
If you recall when we were talking about ransomware, it's really a two-prong approach. Right? Prong one is they wanna encrypt your data, so you need to purchase a key. The second part is they wanna steal the data.
So if you don't need a key, then they're gonna try to have you buy the data that they stole. So how do we make it so we don't need to buy a decryptor key? The best way, the easiest way, is that we have the data that was encrypted on our servers backed up at a separate location. So we can then use our backups and basically continue our operations and not need a decryptor key.
I'm obviously oversimplifying it. It's a little bit more complicated than that. But at the end of the day, if you have a backup of your data, then you're not gonna need that key. And depending on the threat actor group, if you have to pay for a decryptor key, you could be paying seven figures, certainly in the six figures.
And that's a good way to minimize the harm, by not having to pay the ransom amount. Another way to minimize the harm, of course: if you're not operational because your servers are down and you don't have backup data, well, now you can't do business. You may not be able to deliver products to customers.
And so that's obviously gonna impede your business. You're gonna have high business interruption losses. And so if you have the backups of your data, you're gonna avoid those things. So that's another great way to minimize or limit the amount of harm that is happening in the event of the unauthorized access.
Alright. And so we talked a little bit about backing up the data, and I've talked about auditing. Right? And so many times, I've dealt with a ransomware client where one of the first questions I ask when we're on a ransomware call is, okay,
has there been encryption? And they'll say yes. I'll say, do you have backups? They'll say yes.
Are the backups encrypted? They'll say yes. And the reason why the backups are encrypted is because the backups are on the same network as your business operates on. And so you don't want that, because if the ransomware actors are able to encrypt your network, and your backups are on that same network, then chances are they're gonna encrypt the backups, which defeats the purpose of the backups. So you wanna make sure your backups are off-site, right, or on a different network. It could be segmented, somehow segregated.
Generally speaking, though, you have them off-site. That's probably the best, most efficient way to go about having your backups. Now the other thing that often happens is I'll have a ransomware client.
Has there been encryption? They will say yes. I say, do you have backups?
They say yes. I say, are your backups off-site? They say yes.
And then they go to their backups, and guess what? Nothing was ever backed up. They didn't check to see if it was actually being backed up. So what they thought, for the last year, was that they were having daily backups.
In fact, nothing was being backed up. And so now you're basically left with a scenario where you don't have the backups. And that scenario could have been avoided if you did periodic audits of, okay, is this in fact backing up like it's supposed to? And so a lot of organizations overlook that, and it's a big, big issue if, in fact, you do have a ransomware event, because one of the best defenses to a ransomware event is having backups in place.
It really helps in a lot of different areas.
So make sure you have backups, make sure they're off-site, and make sure that you've audited to confirm they are, in fact, backing up.
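What a periodic backup audit can look like in practice, as an added example that is not part of the presentation: a script that asks, for a backup directory, the questions the speaker asks on a ransomware call. Is the newest backup fresh enough? Is it actually non-empty? Does its content still match the SHA-256 recorded when it was written (a cheap stand-in for a real restore test)? The file layout (`*.tar` archives with `.sha256` sidecars), the thresholds and the demo directories are assumptions constructed for this example.

```python
# Added example, not code from the presentation: an audit of a local backup
# directory that checks freshness, size and a recorded SHA-256 for the newest
# archive. Layout, thresholds and demo data are assumptions for this example.
import hashlib
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_HOURS = 26   # daily backups, with a little slack (assumed)
MIN_BYTES = 1024     # anything smaller is almost certainly a failed job (assumed)


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_backups(backup_dir, now=None, max_age_hours=MAX_AGE_HOURS, min_bytes=MIN_BYTES):
    """Return a list of problem strings; an empty list means the backups look healthy."""
    now = time.time() if now is None else now
    problems = []
    archives = sorted(Path(backup_dir).glob("*.tar"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return ["no backup archives found at all"]
    newest = archives[-1]
    age_h = (now - newest.stat().st_mtime) / 3600
    if age_h > max_age_hours:
        problems.append(f"newest backup {newest.name} is {age_h:.0f}h old (limit {max_age_hours}h)")
    if newest.stat().st_size < min_bytes:
        problems.append(f"{newest.name} is only {newest.stat().st_size} bytes; the job probably failed")
    sidecar = newest.with_suffix(".sha256")
    if not sidecar.exists():
        problems.append(f"{newest.name} has no recorded checksum; integrity cannot be verified")
    elif sidecar.read_text().split()[0] != sha256_of(newest):
        problems.append(f"{newest.name} does not match its recorded checksum; corrupted or tampered")
    return problems


def write_backup(dir_, name, payload, mtime, with_checksum=True):
    """Constructed helper: drop a fake archive (and optionally its checksum) into dir_."""
    p = Path(dir_) / name
    p.write_bytes(payload)
    os.utime(p, (mtime, mtime))
    if with_checksum:
        p.with_suffix(".sha256").write_text(f"{sha256_of(p)}  {name}\n")
    return p


def demo(now=None):
    """Run the audit against three constructed scenarios and return the findings."""
    now = time.time() if now is None else now
    results = {}
    with tempfile.TemporaryDirectory() as d:
        write_backup(d, "db-good.tar", b"x" * 4096, now - 3600)
        results["healthy"] = audit_backups(d, now)
    with tempfile.TemporaryDirectory() as d:
        # "We've had daily backups for a year": except the job has written nothing
        # for nine days, the file is empty, and no checksum was ever recorded.
        write_backup(d, "db-stale.tar", b"", now - 9 * 86400, with_checksum=False)
        results["broken"] = audit_backups(d, now)
    with tempfile.TemporaryDirectory() as d:
        p = write_backup(d, "db-tampered.tar", b"y" * 4096, now - 3600)
        p.write_bytes(b"z" * 4096)              # content changed after the checksum was taken
        os.utime(p, (now - 3600, now - 3600))
        results["tampered"] = audit_backups(d, now)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {'OK' if not problems else '; '.join(problems)}")
```

The healthy scenario reports nothing, the stale one reports all three problems, and the tampered one reports only the checksum mismatch. Running something like this on a schedule, and alerting when the list is non-empty, is the audit the speaker is asking for; it still does not replace an occasional real restore of a backup onto a clean machine.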
Now another area that comes up and is often overlooked is your vendor contracts.
So sometimes you're the organization that's having the unauthorized access with a ransomware event. More often than not, though, it's a customer of yours or a vendor of yours, somebody upstream of your organization, and they are having an incident.
A lot of times, I will deal with clients where, let's say, their managed service provider, the company that's handling their email security, let's say, is having an incident. And what happens there is now the bad guy gets in through the MSP and then somehow gets into your environment, let's say. And you wanna then sue this MSP to say, hey, but for the fact that the bad guy got in through your environment, this wouldn't have happened to us. We're gonna hold you responsible.
And a lot of times what happens with these vendor contracts is the MSP has a very, very strong limitation of liability provision in its contract that basically limits any damages to really direct damages, meaning just damages relating to the services the MSP provides.
And putting that aside, even from a monetary standpoint, it usually limits it to the monthly service cost for the MSP. So if you're in a situation where your vendor is the victim of a ransomware attack, which in turn impacts you, and you have a limitation of liability provision that's strongly in favor of the MSP, then you're really without any recourse. You don't have any recourse. So one thing that I always recommend for organizations is, one, look at your contracts to see what you've agreed to already from a cybersecurity standpoint, and not agree to the strong limitation of liability provisions.
If it so happens that any unauthorized access to a vendor in turn impacts your business, whether it's because now you can't operate, or the infection from your vendor has spread into your environment somehow, you definitely still want to have recourse contractually to go after these people, to get money back, right, for the loss of business. And so you don't wanna have those limitations in your vendor contracts.
Okay. Here's some other ways that we can limit harm. Right? We talked about data. We talked about vendor contracts.
Let's think back to our business email compromise scenario. Right? And if you remember, that's when the bad guy gets into your email environment.
And they're going through your email, and usually, they're trying to commit wire fraud.
And so what happens there is, from an organization standpoint, two areas of harm can occur. Because as the bad guy is going through your email looking for ways to interject himself into an invoice discussion to commit wire fraud, he may also be able to access personal information that's being transmitted through your email. And what does that mean? That means from an organization standpoint, if you're a victim of a business email compromise, you may find yourself responsible in two areas.
One, the money that was supposed to go to the vendor but went to the bad guy: you may be on the hook for that money. And two, you may also have to notify individuals, because as part of this unauthorized access, the bad guy was able to acquire personal information. Now you have to notify these individuals. When you notify the individuals, there's always a chance that you can get sued in a data breach class action.
You may have to notify regulators. The regulators may try to issue fines, etcetera. You wanna avoid all of that. So one way to help avoid that is to have a company policy where you're not transmitting personal information through email.
You wanna use a secure FTP site.
If it has to be through email, you want it to be encrypted email, and you wanna have a way to audit this as well. And I know this one can be hard to do, because people are gonna do whatever they wanna do at the end of the day, but you wanna at least minimize this as much as possible.
The other thing that you can do that can be very helpful to avoid the monetary harm, in terms of the diverted funds when it comes to a business email compromise where the bad guy is trying to divert payment, is to have a policy, well known to everybody, that, hey, our company is not going to change payment instructions or payment information via email. That way, if for whatever reason the bad guy intercepts emails on your behalf and sends new payment instructions to a third party, that third party should be on notice that, hey, this company does not change wire payments through email, and they should be suspicious.
The second thing you should always do, any time your organization receives new payment instructions via email, is to have a policy where you call somebody at a known number, a known person, to confirm the instructions. Don't call the number on the email that has the changed instructions. You wanna call somebody that you've spoken to in the past at a number you've used in the past. If people did this very simple thing, we would save hundreds of thousands of dollars, quite frankly millions of dollars, every year in diverted money through fraudulent wire transfers.
It's a very simple step. It's often overlooked. But if your organization has not only an announcement that basically says, one, we don't change payment instructions via email, and I recommend companies put this in their footers, especially for anybody in their accounting department, so it's right there front and center,
and two, has a policy where you're not accepting changed payment instructions without calling somebody you know at a known number, you could eliminate a lot of harm to your organization from a monetary standpoint. Not to mention, I'm helping clients regularly trying to figure out, okay, well, who's gonna pay? So in other words, if the vendor sent the money to the bad guy instead of the client, the client will sometimes ask the vendor to pay again, and the vendor will say, no.
I'm not gonna pay. I already paid. It's your fault that I paid the wrong person. The client will say no to the vendor.
It's your fault. And that can obviously increase your legal fees, your legal costs.
It can chill your business relationship. All these different things can cause more and more harm to your organization, which you wanna avoid. And you can avoid that very simply by just making a phone call.
Alright.
Here's a couple of other things that I recommend. Number one is to obtain cyber insurance. And the reason why I recommend you obtain cyber insurance is really for two reasons. One, obviously, if you have cyber insurance, it can cover some or all of the costs associated with responding to a cybersecurity event. Right? That's gonna obviously minimize the actual out-of-pocket cost to your organization.
But more importantly, I think, well, certainly, maybe equally as important, it's gonna put you in touch with the right people to help you through this process.
When dealing with threat actors, especially when talking about ransomware, negotiating in ransomware situations, you wanna have trained professionals do that negotiation. You don't wanna do it yourself. You wanna deal with people that experience this day in and day out. And if you have cyber insurance, they're gonna put you in touch with the appropriate people to help you through that process.
That's hugely important. I've unfortunately had to come in and help organizations after the fact, where they've relied on the wrong people at the start, and it's cost them lots of money, from missteps they took at the outset, and not just because they're not experienced in this. Right? And it's easy to make missteps. It's a fast-moving process. And so cyber insurance not only helps cover the cost, but it puts you in touch with the right people.
The other thing I would recommend is you develop an IRP, or an incident response plan, where you're able to identify some of the types of threats that you would receive, some of the types of things that would indicate to you that you had some unauthorized access. But then more importantly, what do you do in those events? Right? And being able to prepare and understand the process and start thinking about things. And then it can also help you identify areas where, oh, we need to make some improvements.
And then, of course, as I've mentioned throughout, we don't wanna just have some policy or develop something. We wanna test it. Right? We wanna test the IRP.
We wanna go through the process. We wanna be able to ask the C-suite: okay, well, if you had a ransomware event and you had backups, but some of your data was stolen, would you wanna make a payment?
And what's the criteria you wanna go through to make a payment? What are the decision points you have to make? Who's gonna make them? How quickly are you gonna make them?
Time can be of the essence when you're talking about a ransomware event. Certainly, if you are not operational, you're gonna have to make some decisions very, very quickly. And so it's important to get an idea of what those types of decisions are going to be before you actually have to make them.
Okay.
And so I'm gonna leave you with just a couple of points here. One is know your data. Right? And so knowing your data is something that, I think if you talk to a hundred organizations, probably ninety-five organizations will not have a good handle on their data.
And that's problematic for a couple of reasons.
Number one, going back to the analogy of the house, right, where you have cash all around the house and you don't know exactly what you have or where your cash is: you wanna know where your data is, and you wanna know what it contains. And you wanna know what it contains because, let's say, for instance, you have a scenario where a bad guy has exfiltrated your data, and you wanna be able to tell people, hey, customer X, we want you to know we are the victim of a ransomware attack, but the bad guy was only able to access data on server Y. All of our data with you is on server X.
You have nothing to worry about. That's a much better scenario than your customer reaching out to you and saying, hey, we heard you had a ransomware attack. Is our data impacted?
And your answer is, I don't know, because we don't know what data of yours we have, and we don't know where we have it. We know server X was impacted, but we don't know what data of yours is on server X. That's not a great position to be in, because now that company is gonna be asking you every day, what about our data? What about our data?
What about our data? And that's not good.
In addition, you may have contracts that require you to give notice to certain customers in the event of a data security incident. You'd be surprised how many companies don't know what contracts they have, don't even know where their contracts are located.
And so knowing those things is gonna be very important, not only legally, because that may trigger legal obligations, but also from a business standpoint in terms of being able to message to your customers, hey, we had an incident, but your data is safe. We know that because we only have your data here, or your data is encrypted in a good way. Right?
You've done the encryption. Or, don't worry, we had a ransomware attack, but we're operational because we have our backups.
Right? You wanna know where that data is.
And probably the biggest question I get is, well, how do you figure out where your data is? And it's a process called data mapping, where a third-party company will come in and they will basically map your data, and they can identify where certain data is. And then, hopefully, the goal is you've mapped your data and then you've migrated all of your sensitive data to one or two specific locations, and you've secured those locations. So you have your important data in a centralized location.
Doing that will save you lots of time and lots of money.
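A very small version of the data mapping just described, combined with the retention check from earlier in the talk, as an added example that is not part of the presentation and not how any commercial data-mapping vendor works: it walks a directory tree, finds files containing Social Security number patterns, and reports where they are, how many distinct values each holds, and whether the file is older than the retention period. The regex, the seven-year retention period and the demo files with fake values are assumptions constructed for this example.

```python
# Added example, not from the presentation: a tiny "data mapping" pass plus a
# retention check. It walks a directory tree, finds files with SSN-looking
# values, and reports location, distinct count and whether the file is past
# the retention period. Pattern, period and demo files are assumptions.
import os
import re
import tempfile
import time
from pathlib import Path

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # plain NNN-NN-NNNN pattern only
RETENTION_DAYS = 7 * 365                         # assumed retention period


def scan_for_ssns(root, now=None, retention_days=RETENTION_DAYS):
    """Return one report entry per file that contains SSN-looking values."""
    now = time.time() if now is None else now
    root = Path(root)
    report = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue   # unreadable file: skipped here, a real tool would log it
        hits = set(SSN_RE.findall(text))
        if not hits:
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        report.append({
            "path": str(path.relative_to(root)),
            "ssn_count": len(hits),
            "age_days": round(age_days),
            "past_retention": age_days > retention_days,
        })
    return report


def _write(root, rel, text, age_days, now):
    """Constructed helper: write a demo file with a back-dated modification time."""
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)
    mtime = now - age_days * 86400
    os.utime(p, (mtime, mtime))


def demo(now=None):
    """Build a constructed directory tree (fake values) and scan it."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as d:
        # A 25-year-old spreadsheet export of former employees; two distinct fake SSNs,
        # one of them repeated. This is the file the retention policy should have deleted.
        _write(d, "hr/former_employees_1999.csv",
               "name,ssn\nA Person,123-45-6789\nB Person,987-65-4321\nC Person,123-45-6789\n",
               25 * 365, now)
        # Recent intake data the business may still need; one fake SSN.
        _write(d, "intake/patients_2024.csv",
               "name,ssn\nD Person,111-22-3333\n", 30, now)
        # An invoice with no SSNs at all; must not be reported.
        _write(d, "finance/invoice_1042.txt",
               "Invoice 1042, total 4,200.00, due 2024-04-30\n", 10, now)
        return scan_for_ssns(d, now)


if __name__ == "__main__":
    for entry in demo():
        flag = "PAST RETENTION" if entry["past_retention"] else "within retention"
        print(f"{entry['path']}: {entry['ssn_count']} distinct SSN(s), {entry['age_days']}d old, {flag}")
```

On the constructed tree the report names the two files that hold SSNs and flags the 1999 export as past retention; the invoice is not reported. The output is the starting point for the two actions the speaker recommends: delete what the retention policy says you no longer need, and move what remains into the one or two secured locations.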
So, really, I know we're coming up on the hour here. So just as a quick summary, we wanna take a two-pronged approach in terms of preparing for a breach. Step one is we wanna reduce the likelihood of the unauthorized access. We wanna eliminate that low-hanging fruit. We wanna patch. We wanna not have open RDP. We wanna have multifactor authentication.
We wanna have that house that looks like it's very well protected, so the bad guy is gonna go to the next house. Right? And then part two, we wanna minimize the impact in the event of the unauthorized access. We wanna prepare by minimizing and protecting our data. We wanna have cyber insurance.
We wanna be prepared for cyber incidents. We wanna really minimize the data because the more data out there, the more problems that come from notification, from business interruption, and we wanna have our backups.
So with that, I think we will conclude our presentation on how to plan for a data breach.
Please join me in the future. We're gonna have a follow-up to this on how to respond to a data breach, and we'll go through the steps of really walking through the process once unauthorized access has occurred. How do you go through that process? So, thank you everybody. Appreciate everybody's time. That will conclude our presentation.