
CFO & Cybersecurity Experts to Speak at PICPA 2023 Conference

Join Morefield at the Pennsylvania Institute Of Certified Public Accountants 2023 Conference

We are honored to have our Chief Financial Officer (CFO), LeeAnne Stump, and Virtual Chief Information Security Officer (vCISO), Allan Jacks, participating in this year’s conference, with sessions on the CFO as a strategic leader and on cybersecurity in the financial industry.

LeeAnne will team up with Elizabeth Wilson, Chief Financial Officer at Valley National Financial Advisors, to discuss CFO: The Strategic Leader, and Allan will lead a session on Cybersecurity: What You Really Need and Why.


Thursday, March 23, 2023


12:25 p.m. – Cybersecurity: What You Really Need and Why

Allan Jacks, Virtual Chief Information Security Officer (vCISO), Morefield

  • Cybersecurity: past and future
  • Discuss a three-pronged approach to cybersecurity: technology, processes, and people
  • Dive into the motivations for cybersecurity: compliance requirements, insurance requirements, privacy requirements (H.R. 8152 (ADPPA), PA HB 2202, PA HB 1126, PA HB 2257), and due care vs. due diligence

3:10 p.m. – CFO: The Strategic Leader

LeeAnne Stump, Chief Financial Officer, Morefield & Elizabeth Wilson, Chief Financial Officer, Valley National Financial Advisors

  • Collaborative strategic alliances – Create, develop, and nurture both internal and external relationships
  • Self-awareness – Recognize that it takes a village
  • Knowledge sharing – Get everyone to “think like an accountant”
  • Importance of data – Drive effective decision making
  • Reality check – Viability, value, and resources
  • Stakeholder communication – Know your audience
  • 4 orientations of the CFO role – responder, challenger, architect, transformer

Learn more at – https://www.picpa.org/attend-cpe-events/conferences/picpa-cfos-and-controllers-conference

What Is Cyber Liability Insurance & What It Means For You

Cybersecurity risks relate to the loss of confidentiality, integrity, and availability of information, data, or the systems required to support organizational operations. To minimize these risks, there are four paths to treating cybersecurity risk.

  • Mitigate: Reduce the vulnerability or associated threat through remediation. Apply the required patch, change the default password, or do whatever is required to reduce the vulnerability or associated threat.
  • Avoid: Take the required measures to prevent the risk from occurring. An example would be installing an anti-phishing solution to stop phishing messages from reaching end users.
  • Accept: Acceptance of the risk is when you understand that the cost of mitigation outweighs the advantages of transferring, mitigating, or avoiding the risk.
  • Transfer: Risk is transferred to a third party through a contract such as cyber liability insurance. You pay an insurance company for a cyber risk liability policy that will pay for losses in the event of a business disruption. Travelers describes cyber liability insurance as “an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.” It also provides “access tools and resources to manage and mitigate cyber risk – pre-breach and post-breach.”

What is Cyber Insurance?

Cyber insurance is designed to cover consumers of technology services or products for the financial impact of a breach of sensitive data (personally identifiable information, protected health information, or personal financial information). Cyber liability coverage includes legal costs, forensics and security consulting, identity theft protection services, data restoration services, and any settlement with victims.

Insurance Requirements

Before a business can transfer this risk to an insurer, it is required to have certain controls in place to protect and limit its exposure. The level of controls the company has implemented is ascertained through a cyber liability questionnaire that the organization must complete. Questions may include the following:

  • Do you have a process in place to regularly download and install patches?
  • Do you have an incident response plan to respond to a network intrusion?
  • Is multi-factor authentication implemented for remote access to email and to other systems and programs that contain private or sensitive data in bulk?

To further limit their exposure, insurers may exclude any acts sponsored by nation-states or carried out in conjunction with a traditional physical war. Two recent incidents believed to have been caused by nation-states are the WannaCry incident and the SolarWinds cyberattack. WannaCry affected companies throughout the world for four days in May 2017 and is estimated to have caused losses in the billions, while the SolarWinds cyberattack is estimated to have cost around 90 million; under these new requirements, such losses would not have been covered.

Controls

Cyber insurance underwriters have put together a list of controls aligned with traffic light colors. Red is the minimum standard that organizations are required to implement; amber covers requirements above the minimum that make an applicant more attractive to underwriters; and green requirements are the most attractive to underwriters.

Red requirements:

  • Multifactor authentication (MFA) for: 
    • Employee email. 
    • Remote access for users to access sensitive data. 
    • Privileged accounts / privileged access. These include domain administrators, the Chief Financial Officer, Human Resources, and any other individual who accesses sensitive data.
  • Offsite (Preferably offline) backups of critical data.
  • Endpoint detection and response (EDR) solution on all managed endpoints.
  • Create an audited written plan for patching critical software and hardware.
  • Employee cybersecurity training, including phishing simulations.

Amber requirements:

  • Strong email filtering tools to limit risky emails being delivered.
  • Privileged access account security measures.
  • End-of-life unsupported software and hardware segregated from the network with plans to decommission.
  • Cyber-incident disaster recovery/incident response plan, and segmentation of your computer network by operation function, data classification, and operational risk.
  • Local admin accounts are disabled on endpoints.

Green requirements:

  • Organizational password management application implemented.
  • Detailed asset footprint of service accounts with domain credentials, services, and monitoring of these accounts.
  • Security information and event management (SIEM) implemented.
  • Data loss prevention tools implemented.
  • Follow an information security framework such as the NIST Cybersecurity Framework, CIS Controls, or other common cybersecurity frameworks.
  • Maintain a 24/7 Security Operations Center (SOC) – internal or external.

What This Means for You

We encourage organizations to put in place controls to protect critical data and systems and to align them with the organization’s accepted risk. Obtain cybersecurity insurance to transfer the remaining risk and limit the organizational impact. Insurance is not an alternative to implementing good compliance measures, but for many organizations it is the motivating factor for implementing them.

Contact Morefield to speak with our team of cybersecurity experts about any challenge your organization is facing in navigating these fragile waters.

What’s Changing in the Cybersecurity Insurance Market?

Cybersecurity insurance is still a fairly new concept for many SMBs. It was initially introduced in the 1990s to provide coverage for large enterprises, covering things like data processing errors and online media.

Since then, the policies for this type of liability coverage have changed. Today’s cyber insurance policies cover the typical costs of a data breach, including remediating a malware infection or a compromised account.


Cybersecurity insurance policies will cover the costs for things like:

  • Recovering compromised data
  • Repairing computer systems
  • Notifying customers about a data breach
  • Providing personal identity monitoring
  • IT forensics to investigate the breach
  • Legal expenses
  • Ransomware payments

Data breach volume and costs continue to rise. 2021 set a record for the most data breaches ever recorded, and in the first quarter of 2022, breaches were up 14% over the prior year.

No one is safe. Even small businesses find they are targets. They often have more to lose than larger enterprises as well. About 60% of small businesses close down within 6 months of a cyber incident.

The increase in online danger and rising costs of a breach have led to changes in this type of insurance. The cybersecurity insurance industry is ever evolving. Businesses need to keep up with these trends to ensure they can stay protected.

Here are some of the cyber liability insurance trends you need to know about.

Demand is Going Up

The average cost of a data breach is currently $4.35 million (global average). In the U.S., it’s more than double that, at $9.44 million. As these costs continue to balloon, so does the demand for cybersecurity insurance.

Companies of all types are realizing that cyber insurance is critical. It’s as important as their business liability insurance. Without that protection, they can easily go under in the case of a single data breach.

With demand increasing, look for more availability of cybersecurity insurance. This also means more policy options, which is good for those seeking coverage.

Premiums are Increasing

With the increase in cyberattacks has come an increase in insurance payouts. Insurance companies are increasing premiums to keep up. In 2021, cyber insurance premiums rose by a staggering 74%.

The costs from lawsuits, ransomware payouts, and other remediation have driven this increase. Insurance carriers aren’t willing to lose money on cybersecurity policies. Thus, those policies are getting more expensive. This is at the same time as they are more necessary.

Certain Coverages are Being Dropped

Certain types of coverage are getting more difficult to find. For example, some insurance carriers are dropping coverage for “nation-state” attacks. These are attacks that come from a government.

Many governments have ties to known hacking groups. So, a ransomware attack that hits consumers and businesses can very well be in this category.

In 2021, 21% of nation-state attacks targeted consumers, and 79% targeted enterprises. So, if you see that an insurance policy excludes these types of attacks, be very wary.

Another type of attack payout that is being dropped from some policies is ransomware. Between Q1 and Q2 of 2022, ransomware attacks increased by 24%.

Insurance carriers are tired of unsecured clients relying on them to pay the ransom. So many are excluding ransomware payouts from policies. This puts a bigger burden on organizations. They need to ensure their backup and recovery strategy is well planned.

It’s Harder to Qualify

Just because you want cybersecurity insurance doesn’t mean you’ll qualify for it. Qualifications are becoming stiffer, and insurance carriers aren’t willing to take chances, especially on companies with poor cyber hygiene.

Some of the factors that insurance carriers look at include:

  • Network security
  • Use of things like multi-factor authentication
  • BYOD and device security policies
  • Advanced threat protection
  • Automated security processes
  • Backup and recovery strategy
  • Administrative access to systems
  • Anti-phishing tactics
  • Employee security training

You’ll often need to fill out a lengthy questionnaire when applying for insurance. This includes several questions about your cybersecurity situation. It’s a good idea to have your IT provider help you with this.

This can seem like a lot of work that you have to do to qualify for cyber insurance. As you review the questions, your IT partner can identify security enhancements. Just like other forms of insurance, if you take steps to reduce risk, it can often reduce your premiums.

So, it pays to do a cybersecurity review before applying for cyber insurance. You can save yourself time and money. It can also fortify your defenses against cyberattacks.


Need Help Making Sense of Cybersecurity Policies?

Cybersecurity coverage and insurance applications can be complex. If you answer wrong on a question, it can mean paying hundreds more in premiums than you should.

If you’re considering cybersecurity insurance, don’t go it alone. Give us a call and schedule a consultation. We can explain the policy details and provide guidance.


Article used with permission from The Technology Press.

A Guide to Cybersecurity Asset Management

The CIS Controls version 8.0 lists Inventory and Control of Enterprise Assets and Inventory and Control of Software Assets as its first and second controls.

The first control details “actively [managing] (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing / Internet of things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of [the] assets that need to be monitored and protected within the enterprise.” 

The second control details “actively [managing] (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can [be] executed.” Additionally, it notes “that unauthorized and unmanaged software is found and prevented from installation or execution.”

Importance of Asset Management to Cybersecurity

If you don’t know what you have, where your important data is housed, how it is backed up, and which users are accessing it, then protecting it becomes challenging. It would be like an airline not knowing where its aircraft are, when they are next due for maintenance, how much fuel they carry, or how many passengers they can fly. Asset management within a cybersecurity framework is critical to mitigating risks within an organization.

Asset discovery and management are the foundation of a strong IT program. Asset management is about understanding all your assets and how they interoperate to reduce your cybersecurity exposure.

How Frequently Should I Check My Technology Assets?

The collection of inventory should not be a once-a-year update of a spreadsheet, but an ongoing collection of assets with a monthly review to ensure they align with business policies. It is recommended that alerts are captured for any new assets discovered, so that action can be taken to evaluate whether the asset is a security risk or poses a threat to the organization.

Some actions that can be taken include checking whether the asset needs to be backed up, and checking that it has the correct software loaded (antivirus, anti-malware) at the approved version. Continuous discovery of assets, including classification and assessment, provides complete visibility into your environment and information on your attack surface.

Incorporating the software and hardware in an inventory list will allow you to stay current with compliance and governance requirements. It does this by alerting you on issues and ensuring you have a single source of truth.

Asset Management Resources

NIST Recommendations

NIST released detailed recommendations for IT asset management (NIST SP 1800-5B). It is a 237-page document that goes into detail about implementing asset management in an enterprise (including how-to guides). Although this may be more information than you require, it provides some great reference material.

Software Scanners

There are also software scanners that scan your network and check logs for new additions, then probe devices for information on a regular basis. Implementing an automated system to manage your assets minimizes the time required to manually update the asset register and ensures it is current when it needs to be referenced for security purposes. Some scanners even understand the relationships between assets and how they operate within your business, and they look for anomalies outside the normal pattern of interaction. A good example is a server holding a sensitive database that is normally accessed by three users: if a new machine comes online and accesses this database, an alert may be raised.
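The alert described above, implemented as an added example (not code from the article or from any scanner product): a baseline of which hosts normally reach an inventoried asset is built from past access logs, and any host outside that baseline raises an alert. The log format, host names, and asset name are constructed for this example.

```python
"""Baseline-based access anomaly check for an inventoried asset (added example)."""
from collections import defaultdict

# Constructed sample access log, one event per line: "timestamp host asset status"
SAMPLE_LOG = """\
2022-09-01T08:02:11 ws-finance-01 db-payroll OK
2022-09-01T08:05:40 ws-finance-02 db-payroll OK
2022-09-01T09:14:03 ws-hr-01 db-payroll OK
2022-09-02T08:01:55 ws-finance-01 db-payroll OK
2022-09-02T11:22:10 ws-hr-01 db-payroll OK
2022-09-03T08:00:31 ws-finance-02 db-payroll OK
2022-09-03T08:09:12 ws-finance-01 db-payroll OK
"""

# Constructed events for the day under review; lab-unknown-77 is not in the baseline.
NEW_LOG = """\
2022-09-04T08:03:17 ws-finance-01 db-payroll OK
2022-09-04T02:47:09 lab-unknown-77 db-payroll OK
2022-09-04T02:48:30 lab-unknown-77 db-payroll OK
"""

def parse_log(text):
    """Yield (timestamp, host, asset) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, asset, _status = line.split()
        yield ts, host, asset

def build_baseline(log_text, min_days=2):
    """Map each asset to the hosts seen on at least min_days distinct days.
    Requiring repeat days keeps a one-off connection from becoming 'normal'."""
    days_seen = defaultdict(lambda: defaultdict(set))
    for ts, host, asset in parse_log(log_text):
        days_seen[asset][host].add(ts[:10])  # date part of the timestamp
    return {asset: {h for h, days in hosts.items() if len(days) >= min_days}
            for asset, hosts in days_seen.items()}

def find_new_accessors(log_text, baseline):
    """Return one alert per (asset, host) pair where the host is outside the
    asset's baseline, recording the first time it was seen."""
    alerts, reported = [], set()
    for ts, host, asset in parse_log(log_text):
        known = baseline.get(asset, set())
        if host not in known and (asset, host) not in reported:
            reported.add((asset, host))
            alerts.append({"asset": asset, "host": host, "first_seen": ts,
                           "known_hosts": sorted(known)})
    return alerts

if __name__ == "__main__":
    base = build_baseline(SAMPLE_LOG)
    for a in find_new_accessors(NEW_LOG, base):
        print(f"ALERT {a['asset']}: new host {a['host']} first seen {a['first_seen']}"
              f" (baseline: {', '.join(a['known_hosts'])})")
```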

How to Protect My Assets?

We recommend to our clients that they have an asset and software inventory in place that includes cloud-based software and virtual machines, even if they start with something simple and build upon it. This lays the groundwork for something that will be referenced often, and its value will be realized through the implementation of more advanced cybersecurity controls.

Need help with your asset management? Contact our team of experts today!


References

IT Asset Management (nist.gov)
CIS Critical Security Controls Version 8 (cisecurity.org)

Microsoft to Disable Basic Authentication for Exchange Online on October 1, 2022

Starting October 1st, Microsoft will start to randomly select tenants and disable Basic authentication for Exchange Online.

Basic authentication has been used by client applications for many years to connect to servers, services, and endpoints. It sends a username and password with every request and does not itself require TLS, so unless the connection is separately encrypted the credentials can be intercepted by an attacker. Furthermore, enforcing multifactor authentication (MFA) is not simple, and in some cases not possible, while Basic authentication remains enabled. Basic authentication is an outdated industry standard, and more effective alternatives exist, including security strategies such as Zero Trust (never trust, always verify).

Microsoft is making this change to switch customers to Modern authentication. Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client and a server. It enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.

Disabling Basic Authentication will impact:

  • MAPI, RPC
  • Offline Address Book (OAB)
  • Exchange Web Services (EWS)
  • POP
  • IMAP
  • Exchange ActiveSync (EAS)
  • Remote PowerShell


**Microsoft will NOT be disabling or changing any settings for SMTP AUTH.**

If you have removed your dependency on basic authentication, this will not affect your tenant or users.
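One way to check whether a tenant still depends on Basic authentication before the cutoff, as an added example (not Microsoft's tooling or the article's): tally successful sign-ins by legacy client protocol and by user from an export of sign-in records. The record layout here (JSON Lines with `userPrincipalName`, `clientAppUsed` and `errorCode` fields) and the list of legacy client names are assumptions modelled on Azure AD sign-in log exports; check them against your own export.

```python
"""Find remaining Basic (legacy) authentication use before the Exchange Online change
(added example; field names and client-app values are assumed, see lead-in)."""
import json
from collections import Counter, defaultdict

# Client-app values treated as legacy/Basic authentication. Assumed to match the
# export's naming; adjust to what your tenant's sign-in logs actually contain.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Exchange Web Services",
    "MAPI Over HTTP", "Offline Address Book", "Authenticated SMTP", "Other clients",
}

# Constructed sample export: one sign-in record per line (JSON Lines).
SAMPLE_SIGNINS = """\
{"createdDateTime": "2022-09-12T07:01:00Z", "userPrincipalName": "lstump@example.com", "clientAppUsed": "Browser", "errorCode": 0}
{"createdDateTime": "2022-09-12T07:03:10Z", "userPrincipalName": "lstump@example.com", "clientAppUsed": "Exchange ActiveSync", "errorCode": 0}
{"createdDateTime": "2022-09-12T07:09:44Z", "userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4", "errorCode": 0}
{"createdDateTime": "2022-09-12T08:15:02Z", "userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4", "errorCode": 0}
{"createdDateTime": "2022-09-12T08:30:27Z", "userPrincipalName": "ajacks@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "errorCode": 0}
{"createdDateTime": "2022-09-12T09:02:51Z", "userPrincipalName": "ajacks@example.com", "clientAppUsed": "Authenticated SMTP", "errorCode": 0}
{"createdDateTime": "2022-09-12T09:40:13Z", "userPrincipalName": "oldphone@example.com", "clientAppUsed": "POP3", "errorCode": 50126}
"""

def legacy_auth_report(jsonl_text):
    """Return {'by_protocol': Counter, 'by_user': {upn: set(protocols)}} counting
    only successful (errorCode == 0) sign-ins that used a legacy client app.
    Failed sign-ins are skipped: they show attempts, not a working dependency."""
    by_protocol, by_user = Counter(), defaultdict(set)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        app = rec.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS and rec.get("errorCode") == 0:
            by_protocol[app] += 1
            by_user[rec["userPrincipalName"]].add(app)
    return {"by_protocol": by_protocol, "by_user": dict(by_user)}

def affected_by_cutoff(report):
    """Legacy protocols in the report that the October 1 change disables.
    'Authenticated SMTP' (SMTP AUTH) is left out because Microsoft is not changing it."""
    return sorted(p for p in report["by_protocol"] if p != "Authenticated SMTP")

if __name__ == "__main__":
    rep = legacy_auth_report(SAMPLE_SIGNINS)
    print("Protocols that will stop working:", affected_by_cutoff(rep))
    for upn, apps in sorted(rep["by_user"].items()):
        print(f"{upn}: {', '.join(sorted(apps))}")
```

Accounts that appear only under "Authenticated SMTP" are not affected by this change, but every other entry in the report is a client or device that needs to move to Modern authentication before its tenant is selected.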

Additional Resources:
Office 365 Reports: It’s Time to Disable Basic Authentication in Office 365
Microsoft: Basic Authentication Deprecation in Exchange Online – September 2022 Update
Microsoft Ignite: Disable Basic authentication in Exchange Online


Morefield is here to help you make smart technology decisions and we encourage you to contact us if you have any questions or concerns.

For additional information on our Managed Service Agreements and proactive IT support, please give us a call at 717-761-6170 or email us.
