A Compliance Week survey, “Cyber-risks and data privacy in the age of COVID,” canvassed 145 cross-industry compliance practitioners and found that 75 percent had enhanced their cyber-security efforts since the start of the global pandemic in March 2020.
The past year showed many that necessity is the mother of invention: Organizations needed business continuity amid the shuttering of brick-and-mortar operations, so they made it happen remotely. Companies enhanced their cyber-security systems in response to pandemic-prompted work conditions, and flexibility became the name of the game.
But with flexibility comes new vulnerabilities, says Marcus Christian, a partner in Mayer Brown’s cyber-security and data privacy practice group.
“When companies go remote, their attack surface grows. Some companies are now relying more heavily on employee-owned devices, with whatever vulnerabilities that may introduce,” explains Christian. Companies “have made efforts to adjust to that reality and mitigate some of the risk,” he adds, but there are still reasons why organizations should refrain from patting themselves on the back just yet.
False sense of cyber-security
The CW survey posed a sentiment question wherein nearly every respondent indicated they felt fairly well-insulated from threat actors: In fact, 93 percent declared they were somewhat or very confident their companies’ critical data and systems were sufficiently protected from hackers.
Yet, cyber-security experts express a respectful skepticism toward the optimistic findings. For one, some respondents might not be well positioned in their organization to really know, says Christian. While the survey captured a wide distribution of compliance roles, from compliance managers (10 percent) to auditors (9 percent) to chief compliance officers (5 percent) to general counsel (5 percent), just 1 percent identified as cyber-security specialists.
For another, reliance on antiquated security technology, coupled with blind faith in third-party cloud-based services, might lull practitioners into a false sense of security about the efficacy of their organizations’ cyber-protection. Vulnerabilities are escaping their attention.
Take virtual private networks (VPNs), for instance.
“VPNs are 24-year-old technology. They came out the same year as the PalmPilot, and Derek Jeter was a rookie for the Yankees,” says retired Brigadier General Greg Touhill, who was the first federal chief information security officer for the U.S. government. Touhill is now president of AppGate Federal, helping government organizations modernize and secure their information systems.
“The US-CERT, FBI, NSA, and Cyber-Command put out well over a dozen VPN vulnerability alerts in the last 12 months,” Touhill adds.
Further, many companies rely on cloud-based services such as Salesforce, Office 365, Google Workspace, and ServiceNow to host and process their data. When they sign the contract, they take it on trust that the third party will properly secure that data, says Touhill. In doing so, these companies are merely “outsourcing their trust to others without the ability to adequately bring in an independent third-party auditor to check whether they are really getting the security they think they are getting,” Touhill warns.
Presented with an array of hypothetical cyber-crimes, survey respondents were asked to identify their scariest scenario. A ransomware attack came out on top, with 30 percent of respondents indicating it represented the most nightmarish scenario.
Why is a ransomware attack perceived to be more chilling than, say, an attack on the supply chain? The finding is particularly puzzling in the aftermath of the SolarWinds hack, in which a trojanized update to SolarWinds’ Orion software was distributed to thousands of customer organizations, giving the attackers a foothold from which to compromise selected victims downstream.
The reason, notes Christian, is that “a ransomware attack can bring a company’s operations to a halt immediately.” He adds: “A supply chain attack can happen gradually and, depending upon what the company’s business is, what kind of inventories they have, they may be able to make temporary adjustments to address it.”
Further, as evidenced by the SolarWinds hack, “a supply-chain attack might not only affect Company A; it could also affect Companies B, C, and D, so your competitors could be similarly affected, whereas with a ransomware attack, it happens company by company,” Christian points out.
Another distinguishing characteristic of a ransomware attack that might ratchet up the fear factor, according to both Christian and Touhill: It can happen in a very public way.
“There are reputational harms that can be attached to a ransomware attack as well as regulatory harms and litigation that could result from it,” says Christian.
“Ransomware continues to be a pernicious threat factor because it’s in the news. Because it’s in the news, senior executives are saying: ‘Hey, what about this? What happens if we get hit? How much is that going to cost?’ It’s up close to the windshield,” says Touhill.
Should a company find itself the target of a ransomware attack, Christian’s advice is “to respond as quickly and efficiently as possible. Get your counsel and forensic companies lined up. Communicate with them. If you have backup data, make sure those backups are intact and available, because you want to be aware of all the relevant factors that will inform a decision about how to proceed. If the data backups are relatively recent, then the ransomware attack may not necessarily cripple the company,” says Christian.
Should a company ever pay a ransom?
The FBI would say no, agree Touhill and Christian, for you could unwittingly be funding criminal organizations that wreak havoc in other ways, like human trafficking. Or the attacker could be a sanctioned entity, such as a designated terrorist organization, in which case a target that pays could face civil penalties under sanctions law for the payment.
The key is to implement upstream controls and countermeasures to lessen the risk of a ransomware attack ahead of time.
Malware “often comes through phishing attacks. I can use DMARC [Domain-based Message Authentication, Reporting and Conformance] to authenticate whether an e-mail is coming from a legitimate place. Sweat the stuff you can’t control more than the things you can,” Touhill advises.
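Touhill’s DMARC point, worked through in code. The following is an added example, not code from the article, from Mayer Brown, or from AppGate: a simplified evaluator in the spirit of RFC 7489 that parses a published DMARC TXT record, checks whether the SPF and DKIM results are aligned with the visible From: domain under the record’s relaxed (r) or strict (s) alignment modes, and returns the disposition a receiving mail server would apply. The domains, the DMARC record, and the authentication results are constructed for the example; the organizational-domain helper is a deliberate simplification (real evaluators consult the Public Suffix List), and the code assumes the record was found at the organizational domain so that the sp= tag governs subdomains.

```python
"""Simplified DMARC policy evaluation (added example, not from the article).

DMARC only yields "pass" when SPF or DKIM passes *and* the domain that passed
is aligned with the RFC5322.From domain. That alignment requirement is what
stops a phisher from passing SPF for their own domain while spoofing yours.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, applying RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # DKIM alignment defaults to relaxed
    tags.setdefault("aspf", "r")    # SPF alignment defaults to relaxed
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example: production code must use the Public Suffix
    List (e.g. 'example.co.uk' has three labels in its organizational domain).
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Is the authenticated domain aligned with the From: domain?"""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":                 # strict: exact match required
        return a == f
    return org_domain(a) == org_domain(f)   # relaxed: same organizational domain


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the signature that was verified


def dmarc_disposition(from_domain: str, auth: AuthResults, record: dict) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject')."""
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, record["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Record assumed to be published at the organizational domain: messages
    # whose From: is a subdomain get the sp= policy, the apex gets p=.
    if from_domain.lower() != org_domain(from_domain):
        return record["sp"]
    return record["p"]


# Constructed sample record for the hypothetical domain example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def evaluate_samples() -> dict:
    """Run constructed scenarios through the evaluator; returns name -> disposition."""
    rec = parse_dmarc_record(SAMPLE_RECORD)
    return {
        # Bounce domain is a subdomain; relaxed SPF alignment accepts it.
        "legit_spf_relaxed": dmarc_disposition(
            "example.com", AuthResults("pass", "bounce.example.com", "fail", ""), rec),
        # DKIM signed by a subdomain, but adkim=s demands an exact match.
        "dkim_strict_mismatch": dmarc_disposition(
            "example.com", AuthResults("fail", "example.com", "pass", "mail.example.com"), rec),
        # Unauthenticated mail from a subdomain falls under sp=quarantine.
        "subdomain_unauth": dmarc_disposition(
            "news.example.com", AuthResults("none", "", "none", ""), rec),
        # Phisher's own SPF passes for a look-alike domain: not aligned, rejected.
        "lookalike_spf_pass": dmarc_disposition(
            "example.com", AuthResults("pass", "example.com.attacker.net", "none", ""), rec),
    }


if __name__ == "__main__":
    for name, disposition in evaluate_samples().items():
        print("%-22s -> %s" % (name, disposition))
```

The last scenario is the one that matters for phishing: SPF alone is satisfied by a message whose envelope sender is a domain the attacker controls, and only the alignment check ties that result back to the From: address the recipient actually sees.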
Variable of control
From a behavioral standpoint, the fallacy of control holds that “we tend to undervalue risks that we perceive ourselves able to guard against,” says Kate Manning, author and former adviser on victim rights for the Department of Justice. Manning is president of Blackbird, which provides training and consultation on trauma and victimization. Cyber-crime is one such example of an antecedent to trauma.
Manning’s new book, “The Empathetic Workplace,” draws attention to the fallacy of control as a crutch people rely on, often irrationally, to buffer themselves against the fear of senseless crime. The theory goes if you have a sense of control over a threat, you are less afraid of it. Perhaps one contributing factor, then, to how respondents selected their worst-case scenario was the degree to which they perceived their organization to be in control of the cyber-threat.
Touhill argues the survey finding isn’t reflective of that. “A supply-chain attack is largely out of a company’s control,” he points out. “What could a consumer of SolarWinds Orion have done to prevent that attack from occurring?” he asks. “Because a company cannot control a supply chain attack, it is imperative they adopt a zero trust security strategy. Under zero trust principles, you assume that you have been breached and take proactive action to limit the risk associated with a breach from inside or outside your enterprise. The SolarWinds incident should be a wake-up call that accelerates zero trust adoption.”
In the survey, respondents ranked a supply chain attack as the third scariest scenario (16 percent).
Christian says controllability is, indeed, a factor in people’s calculations, but not the only one.
“If you have no control over something that would have a minuscule impact on your company, you don’t care much about it. But if you don’t have control over something negative that will put you on the front page of a newspaper, that’s going to get your attention because the consequences are greater,” Christian explains.
“So, the probability of something happening is a factor, but another big part of the equation is: What’s the consequence? Even if you don’t have control, if it has a small consequence, companies aren’t going to be as concerned about it—if they’re rational,” Christian says.
Getting back to ransomware, for example: Insurance companies sometimes advise organizations to pay a ransom, Christian explains. The calculated decision depends on how costly it would be for the company to recover in the absence of paying it. Companies pay when they cannot recover lost data without paying the ransom or when they believe that it would be less costly to pay the ransom than not to. In the case of a double extortion ransomware attack, in which the threat actor also threatens to disclose stolen data to the public, this calculation will include an assessment of the reputational and other harm that such a disclosure would cause.
Pulse on data privacy
The survey also asked respondents whether they were in favor of federal data privacy legislation in the United States. The majority, 82 percent, said yes. Among compliance practitioners who indicated their organizations beefed up cyber-security efforts in the last year (i.e. 75 percent of all respondents), 84 percent championed a federal law.
“I wish it were higher,” says Touhill. “Here in the U.S., we’ve got a balkanization of privacy law now,” he says, citing the California Consumer Privacy Act, the forthcoming New York Privacy Act, and others. “For my business as well as many others, we don’t want to have to track 50 different privacy regulations across the U.S. We’d like to have just one for the entire U.S.,” Touhill says.
Frustrating as it may be wrapping one’s arms around a patchwork of state-driven privacy laws, over 90 percent of respondents said they felt somewhat or very confident in their company’s compliance with data privacy rules and regulations. Better still, 96 percent of respondents whose organizations enhanced cyber-security this year conveyed the same message.
But are these findings around adherence to data privacy laws well-founded?
“I think it’s fair and honest, and it’s consistent with conversations I’ve had with my peers and different organizations to which I belong,” Touhill affirms.
Christian says the finding is good but not great: “Compliance [with data privacy rules and regulations] is necessary but not sufficient,” he says, adding: “What companies do today may not be deemed to be compliant tomorrow. Compliance does not mean perfection.”