July/August 2017 – BizVoice/Indiana Chamber
67
incredibly interested in getting a graduate of our program to come in
with knowledge of the psychological, the criminological business and
technological sides of cybersecurity and bringing that in one package,”
he summarizes. “The technology piece is just the ability to speak the
language. We want our graduates to work hand-in-hand with IT
people, but what we’re developing here is the idea that we don’t want
your IT person trying to solve behavioral issues.”
Cohen points to positive trends and lauds organizations that have
made data protection a priority by reorganizing their workforce.
“We’re starting to see companies hire chief information security
officers, not just chief information officers; it’s a different skillset,” he
delineates. “We’re also seeing companies recognize the need to have
pre-existing relationships with law enforcement entities so they’re not
cold calling State Police, the FBI or the Fusion Center. They have a
relationship and part of our job is to have that with those companies.
And we want relationships not just with the chief security person, but
the person in charge of the networks.”
Should you pay the cyber piper?
“We don’t negotiate with terrorists” has long been the preferred
posture by some governments across the globe. But when your
company is hacked, should you apply that hardline stance as well? Or
should you pay up and get it over with?
A large Los Angeles hospital did just that in 2016, paying about
$17,000 in Bitcoin currency to regain access to its network following
an attack.
“It was unique because it was one of the most public ransomware
incidents,” Bose says. “It put hospitals and the health care industry on
the front lines and brought scrutiny to their security practices.”
Experts generally advise not to pay in these situations, but Bose
understands why a hospital with such vital operations would feel
pressured to give in.
“Yes, the general sentiment is that you never pay hackers but
sometimes that sentiment is overcome with business need,” he points
out. “For example, let’s say a company has just been hit with
ransomware. Ideally, the company would have backups of its systems
to recover and have minimal impact to its operations. Let’s say,
however, that those backups are not viable. In such situations, if the
ransom is reasonable enough in view of the circumstances, then
payment might be the simplest out.”
Yet he reinforces why the best advice in the long run is to avoid
succumbing to hackers’ demands.
“We always counsel clients that there is no guarantee that your
data will be released upon paying the ransom,” Bose discloses. “And it
could be bad precedent. After paying, your organization might become
known to pay ransoms, which can put you increasingly at risk for being
targeted. Also, paying up plays into incentivizing such attacks to begin with.”
Are you protected? Are you sure?
Security is coveted but a false sense of security can be devastating.
“Nobody can stop it 100% but all it takes is one weak link,”
Mackey surmises. “A problem we see is that a business may have taken
great steps toward security and computer hygiene but their vendor
hasn’t. Those people have access to their systems so that’s indirect
access through the weakest link. It’s good to talk to your vendors
before you hire them and ask what they’ve done for cybersecurity.”
Bose concurs that risk evaluation is critical.
“It’s really important to be able to understand your risk exposure
and how you want to mitigate that,” he says. “What level of risk are
you willing to accept? Just because you have a type of risk, maybe
implementing something to address that is cost prohibitive. Some
small companies can’t do what the big guys are doing – or they can’t
do the industry best. I was talking to a company (whose
representative) said, ‘I don’t have to be in the front of the pack; I just
don’t want to be in the back of the pack.’ ”
Cyber risk insurance has grown in popularity in the last couple of
years, according to Bose. He touts its benefits but cautions businesses
to be fully aware of what they’re buying.
“I’ve seen situations where companies thought they were covered
for a certain type of event and they weren’t at all,” he advises. “It’s
important to make sure the coverage they have contorts to their
specific type of risk.”
While hospitals or financial institutions are obvious targets, many
sectors are at risk.
“Ransomware has impacted a lot of different industries across the
board,” Bose offers. “In other areas, you have specific problems
affecting specific industries. In financials, you have things like business
email compromise and sophisticated phishing attacks. In the energy
utilities sectors, you have nation-state threats as well.”
Unknown resource
Cohen reinforces that the IIFC exists to help the citizenry and
businesses. The first step in prevention, however, begins with
cultivating that relationship.
“The vast majority of businesses don’t reach out to us or know we’re
there as a resource,” he imparts. “Giving them (examples of) IP addresses
that distribute malicious code, for example, is something we can do. We
want to be giving bulletins out to as many organizations as possible, but I
can’t be putting it out in the media. So we need that relationship.”
However, if hacking occurs, Cohen says the attack should be treated
as a crime and a company’s first response should be to contact police.
Ransomware Tips
The state of Indiana’s Information Sharing and Analysis Center offers
the following information on removing ransomware from your computer:
One method is by using “system restore” to load your system’s last
known working configuration. There may be variations in the exact
steps to be followed depending on the manufacturer of your
computer, but the following is a process that sometimes works on
many systems using Windows:
• Restart the computer and press F8 repeatedly as soon as you see
anything on the screen
• Use the arrow key to select “safe mode” and press enter
• Open “system restore” by clicking the “start” button. In the
search box, type “system restore,” and then, in the list of results,
click “system restore.” If prompted for administrative access,
provide confirmation
• Choose a restore point and then click “next”
• Review the restore point and then click “finish”
• Restart your computer and let Windows start normally
If “system restore” doesn’t help, one may try running Microsoft Safety
Scanner, Windows Defender or other antivirus software. To do that,
once you are in the safe mode, try to run the antivirus software –
performing a full-system scan to detect any malicious activity.
RESOURCES:
Sid Bose, Ice Miller, at
www.icemiller.com| Chuck Cohen, Indiana Intelligence Fusion Center, at
www.in.gov/iifc| Bill Mackey,
Indiana State University, at
www.indstate.eduIndiana Vision 2025
: Superior Infrastructure