Protecting the WC Industry from Cyber Threats: No Time for Penny Pinching – Part 2

Sarasota, FL (WorkersCompensation.com) – If your company’s systems were completely shut down by a cyber attack today, would the InfoSec and IT people know how to get the network back up and running? How quickly could they do it? And what about the data — where would it be stored and what system would be used to run it?

“I think all of this really needs to be looked at as far as what your backup posture is,” said Eduard Goodman, Global Privacy officer for CyberScout. “Business continuity planning around this is really, really important and … really thinking about risks like ransomware and not just natural disasters will give most organizations a bit of a different posture around how they’re backing up their data, where and how they’re storing it and, frankly, how they get access to it in a ransom situation.”

During a recent webinar on Cyber Risk Trends produced by Advisen, Goodman explained that some organizations, for example, don’t back up their data to the extent that would help them recover quickly from a cyberattack.

“They are either overwriting every two or three backups, and keeping it very limited, not going back very far; and so the key being you’ve got to go back to a non-infected backup,” Goodman said. “We’ve had plenty of organizations that their backups only last two or three weeks … they don’t go any farther back and they’ve really got no backup if that’s infected.”

In addition to how the data is backed up, the other key issue is where the backed up data is stored. Putting it on the network is a mistake some organizations make.

“You need to be non-network connected,” Goodman explained. “For years now we’ve seen variants of ransomware seek out network backups on the network and encrypt those as well.”

Using the cloud to store backed up data can also be problematic. “Oftentimes the malicious actors now are targeting the cloud environment, recognizing that that’s where a lot of companies are going to store their backups,” said Sean Hoar, a partner with Lewis Brisbois. “The challenge is if you’re putting all your backups in the cloud and the cloud provider is actually compromised through an encryption attack, then you’re out of luck, and that’s one of the things to look at…clearly a trend we’re seeing on a daily basis with more cloud providers being hit.”

Hoar said entities should use ‘gapped backups,’ a network security measure placed on one or more computers to ensure a secure computer network is physically isolated from unsecured networks such as the internet or an unsecured local area network. “That’s one of the means of prevention of a successful ransomware attack. If you actually have a gapped backup then you’re going to have that readily available to upload to your devices once they are clean.”

Creating ‘off network’ backup copies of data that is stored remotely from the network can prevent hackers from accessing it during a cyber attack, advised Sedgwick in a recent report. “The remote data can then be used to overwrite any encrypted (locked) data following an attack. That can make the difference between a few days of lost network functionality or a major disruption event.”

The ability to access and use stored data following a cyber attack is an issue too few organizations consider, Goodman said. The software and systems involved need to be addressed. “A lot of organizations have their data backed up but they don’t have good network mapping, they have no place in either hard copy or off the system where they’ve kept all of their network settings and configuration, and so they’re having to rebuild their system from scratch. 

Improving the ‘architecture’ of a company’s systems can make it much more difficult for a hacker, and will enable the company to recover from a cyber attack that much faster. For example, the days of having a single firewall are long gone. “That’s an antiques design,” said Gary Anderberg, SVP Claim Analytics Product Manager at Gallagher Bassett. “You have to get very sophisticated about your architecture.”

Anderberg likens it to the redesign of shipbuilding in the 19^th century, when a leak on any part of a ship could bring down the whole boat. “They got smart and put in water-tight compartments so a leak in compartment C would not affect any other area,” he said. “You need to take that same type of approach to how your systems are designed. Your architecture has to have the equivalent of water-tight compartments.”

Additional Considerations After a Cyber Attack

Notifying everyone potentially affected by a cyber attack is strongly advised by the experts. “Notification must be timely, accurate and provide details sufficient to alert those involved of the breach and the steps to be taken. Failure to do so opens up the potential for third-party actions, penalties or even class action litigation,” Sedgwick’s report advised.

Additional issues organizations should address, according to Sedgwick, include: 

• Reputational management. “Quickly managing the reputational impact of a cyber breach can make or break your business.” That may involve internal and external communication, setup of call center resources, and public relations support for media responses.   
• Forensic IT expertise and accounting.  Organizations that have been attacked need to find the source of the breach, fix it, and prevent the loss of additional data. Additionally, experts can help determine the replacement costs and whether the company is still at risk.
• Claims support. Help with exposure and coverage interruption may be needed. Costs may include money for data recovery and restoration, business interruption, cyber extortion, and crisis management, for example.  
• Legal support. “It is important to align with appropriate legal counsel, who must be retained for defending litigated claims, as well as addressing potential regulatory investigations and fines.”

Share This Article: