Each month during our Allied Business Breakout Sessions, we spend one hour discussing one topic and sharing insights amongst our Allied Community. In July 2021, we discussed how, with every passing day, the threat and consequences of a cyber security attack are growing in scope and complexity.
An Allied Executives member, Pat McCready, President of TSI Plastics, Inc. shares his experience, what they learned from it and how he is protecting his business today.
TSI Plastics had two locations in 2017 when they were hacked and unable to conduct business until they paid a bitcoin ransom. The hackers had infiltrated their systems approximately 9 months prior to blackmailing them for the payoff. TSI Plastics was shut down for a week while negotiating to get their data back, and employees were unable to work for that week. Pat had no choice and paid the ransom to restore business. In 2017, bitcoin was $1,500 a coin, so the payoff was not as bad as it could have been at the cost of bitcoin today.
Since then, Pat has hired a different service provider for IT Services, increasing security considerably. Because TSI provides products to the Department of Defense along with the aerospace industry, they have also been pursuing a Cybersecurity Maturity Model Certification (CMMC) and should have that by the end of 2021. This is considered a level three certification with the Department of Defense; the criteria to obtain this certification are difficult, and TSI has worked diligently to meet them.
Allied Executives Platinum Partners, Mario Paez, Director of Cyber and Technology Errors and Omissions Insurance with Marsh & McLennan Agency (MMA), Jamie Wolbeck, Vice President of Operations with Success Computer Consulting and Jeff Olejnik, Principal leading Cybersecurity & Managed IT Services at Wipfli LLP have all agreed to share their expertise and provide us with ways to protect our businesses.
- What is a common way people are getting hacked?
Ransomware – there was a time when you would open an email, it would encrypt your laptop, and you would pay a couple of hundred dollars in bitcoin. If you could not recover the laptop, the damage was minimal. Today attacks are sophisticated, the adversaries are criminals, and they are taking over entire networks.
- What are other ways businesses are being infiltrated?
Email Phishing Campaigns – these are used to try to get access to usernames and passwords. If you are not using multi-factor authentication, you are vulnerable to email phishing. The email tricks the user into disclosing their username and password, which gives the hacker access to the entire network. From there they determine what data is most valuable.
- What are some of the things a hacker does after gaining access to a network?
- Change the administrative passwords – this allows them to have complete control.
- Disable the backup system – without a backup you are going to have to pay.
- Disable real-time detection – remove your ability to see that somebody is on your network. The average time between a network being compromised and the compromise being discovered is over 200 days. This needs to decrease to hours.
- What are some of the best practices for insurance coverages for companies?
We've seen some movement to restrict coverage. A cyber insurance policy has two main buckets. The first is first-party expenses: legal and forensic costs, notification and the offer of credit monitoring services, public relations expense and business interruption.
The other bucket is third-party liability: defense and indemnification that allow your organization to defend itself.
PROTECT YOUR BUSINESS
- Know what normal behavior is on your network - who has access, what information and which database is most important. Without some instrumentation in place to look at that behavior, your business is completely blind.
- Make sure that you can see what type of activity is going on with your cloud services. (e.g., Office 365)
- Require Multi-Factor Authentication – apply it to all access to the network.
- Understand the weaknesses and responsibilities of your third-party service providers.
- Create an Incident Response Plan – no one is 100% secure. Test the plan with different scenarios, include all contact information needed (Incident Response Team, Insurance, IT Management, HR, third party providers, etc.), protocols to preserve evidence, train employees on communication restrictions, and recovery process for each type of potential breach.
- Employee Awareness Training - data breaches are usually a result of human error, so take action to prevent it.
- Implement Real Time Detection and Response - helps you identify indicators of compromise early.
- Software and Security Patches – keep all software and security patches up to date.
- Replace end-of-life software - get rid of software no longer supported with security updates.
- Have an encrypted backup data plan – implement multiple backups: on premises, at a second location, in the cloud and offline. Test backups to ensure you can restore data in the event of an attack.
- Get Cybersecurity Insurance – make sure you understand your policy and what it covers.
- Print a paper copy of the Incident Response Plan – all technology will be shut down during a breach, so it is important to have the materials printed.
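The backup item above ends with the step most often skipped: proving the backup actually restores. The script below is an added example (not from the session or any partner's tooling) of a restore test: it backs up a constructed sample directory together with a SHA-256 manifest, restores the copy to a scratch location, and checks every file against the manifest so that a missing, altered or extra file is reported. Encryption of the backup at rest is assumed to be provided by the backup tool or storage and is not implemented here; the file names and contents are constructed for the example.

```python
"""Back up a directory with a SHA-256 manifest and verify that it restores intact.

Added example. Sample data is constructed; encryption at rest is assumed to be
handled by the backup tool/storage and is deliberately out of scope here.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, dest: Path) -> dict:
    """Copy the source tree and store the manifest alongside it."""
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(source)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(dest: Path, target: Path) -> None:
    """Restore the backed-up tree to a fresh location (the restore drill)."""
    shutil.copytree(dest / "data", target)


def verify_restore(dest: Path, target: Path) -> list:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    manifest = json.loads((dest / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        p = target / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    # Files present in the restore but absent from the manifest are also suspect.
    for rel in sorted(build_manifest(target).keys() - manifest.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def run_restore_test(corrupt: bool = False) -> list:
    """Create constructed sample data, back it up, restore it and verify.

    corrupt=True damages the backup copy first, to show the drill catching it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2021-07.csv").write_text("id,part,qty\n1,bracket,500\n")
        (src / "README.txt").write_text("constructed sample data\n")
        dest = tmp / "backup"
        backup(src, dest)
        if corrupt:
            # Simulate a truncated file in the backup set.
            (dest / "data" / "orders" / "2021-07.csv").write_text("id,part,qty\n")
        target = tmp / "restored"
        restore(dest, target)
        return verify_restore(dest, target)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("corrupted restore problems:", run_restore_test(corrupt=True))
```

Keep the manifest with every backup copy (on premises, second location, cloud, offline) and run the restore drill on a schedule; a backup that has never been restored is only a hope, not a plan.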
If you have a breach, the first step is to stop it: cut communication and take everything offline forcefully. That might mean unplugging the firewall, the internet connection, whatever it takes to sever the connection they have into your network.
Next, take a deep breath. The knee-jerk reaction is to ask how to fix this, but it is important that you do not act until you have had time to think things through.
You do not want to lose any evidence, so ask yourself what you need to retain. Contact your insurance provider and legal team.
Rely on your tested Incident Response Plan to guide you through restoring your data and business.
Most importantly, do not try to start business back up too soon. Determine where the breach took place to prevent a recurrence; this can take days, if not weeks.
Be patient and good luck!