
If you want to protect your business during a cyberattack, knowledge is critical. Security expert Eric Langendorfer joins us to describe the full scope of what occurs when your data is breached, from the action behind the scenes to the effect on your operations, all the way through post-incident mitigation. The number of security breaches skyrocketed in 2020, and 2021 is expected to follow suit, making this episode a must-hear for every business owner and leader.
Announcer:
Welcome to J Mark Business Innovation Technology Experience.
Christina:
Today’s episode is protecting your business, what happens during a cybersecurity breach? A few key points we’ll hit are incident response plan; having this plan in place beforehand will determine the success of your business after a breach.
Christina:
Insurance. This is a step that’s often overlooked, but is super vital. You need those experts on your side to be able to figure out the damage that’s really been done and what needs to happen.
Christina:
Last, is reputation. Even if you do make it through the breach, if your reputation is destroyed, your business could be as well. Okay, here we go.
Todd:
Welcome, everybody, to the J Mark Business Innovation Technology Experience. We’re excited to get kicked off with Eric Langendorfer, our security expert at J Mark, and talk about what happens during a breach. We’ve skated around this topic during a lot of episodes, but we’ve never really dived into what happens.
Todd:
I don’t think people really realize the ins and outs of what happens. It can be quite scary and nerve-wracking for an organization. We brought in Eric, and the idea is to dive through what happens. For those that think breaches don’t happen to me, we’re not a target, that’s just not the case. Christina, what was the number? Every 11 seconds there’s a breach?
Todd:
There are … The number of breaches since COVID- IT security breaches since COVID has increased phenomenally and it just is happening every day. In recent weeks, we’ve seen a huge fallout from the SolarWinds breach that has hit government organizations and enterprises throughout the world. It’s just everybody’s really a target.
Todd:
And so, that’s why it’s important to understand how to protect yourself and understand how the process works so that you can better prepare for the potential.
Todd:
The one thing I’ll also say before we dive in is, what is … Eric? It’s something like 90 days that a … Or 120 days that a breach is in the network before most people know about it. What’s the …
Eric:
I don’t remember the statistic exactly, but yeah, it’s a scary amount of time.
Christina:
This is a little bit old, but it’s from 2019. It says the average time to identify a breach in 2019 was 206 days.
Todd:
Wow. That just goes to show there’s a lot of people that are probably thinking that all is well and that things are hunky-dory in their network, and they don’t know that a hacker is just waiting for the right time to let loose the hounds, so to speak.
Eric:
I think SolarWinds points to that too, because that was in an enterprise environment and federal environment since March, potentially. And so, if an enterprise can miss it for that long with the tools they’re using, then in the SMB market, how much more scary it is for us on how long it could be in that environment before we see it.
Todd:
Yeah. The enterprise and government, the security tools we’re talking about are not cheap. They are extremely expensive, and to see organizations that are that secure just become victims is a shame.
Todd:
Eric, let’s assume that a breach has occurred. Let’s assume that the typical scenario; somebody receives a phishing email, they click on that email, and all of a sudden, all of their clients, and customers, and vendors are receiving a phishing email from somebody within the organization, or multiple people, and data is lost. Or, not lost, but data is compromised. Could be a number of different scenarios, but what happens? Where do we start?
Eric:
First, you got a freak out moment where you hear that happened. You know? An employee tells you-
Todd:
Step one is to freak out.
Eric:
And so, we see … Different companies you’ll see handle that differently, too. Some get that first notification that someone was phished. They’re pretty casual about it and they don’t realize the ramifications. It’s, “It’s just my email. Oh, they’re just spamming other clients of mine, or they’re spamming my vendors. We’ll get them out and move on.”
Eric:
And then, others realize just how much data is in their email systems, or maybe other Office 365 apps that that person potentially had access to when they had given up their credentials.
Eric:
That’s the first thing, is stepping back and saying, okay, how did it get to me first? Sometimes, you’re third or fourth person in before you hear about it, too. It’s possible that you had another employee that was patient zero that got it, and then they were used then to pivot off into a couple other accounts as well, and then you’re finding out about it.
Eric:
You have to go back and retrace those steps, see how bad it is, and your first step is going to be how do I contain it? How do I stop this from continuing to go outside of my organization, send email? How do I stop the person from going any further inside my organization? How do I stop other employees from continuing to fall victim to the phishing? Taking those initial steps to do that containment.
Todd:
Assuming that this happens and you’re suddenly getting emails from people saying it is a phishing attempt, or I think your email’s been compromised, or something, what do people do? Do they turn off their computers? Who do you call? How do you know if there’s a breach?
Todd:
What I’ve seen is, and we’ve talked about this before, is I sent a lot of prospect emails out and I get a lot of phishing attempts that come into my inbox. A lot of times what happens is, I’ll get it, I’ll report it to Eric, and then I’ll get an email from them again, saying, “Please ignore the email that was just sent and don’t click on any links.”
Todd:
That’s not enough.
Eric:
Your question is around how to react in that situation as far as what you tell your …
Todd:
Yeah. Well, how to react and what do you do? Do you shut down your computer? Do you … How do you determine what was breached? What are the next steps that people need to follow?
Eric:
If it’s something like an email attack like that, then the first step is definitely to shut down Microsoft Outlook, but it usually is being done within Office 365. That’s not going to do anything at all for you. You can shut off your computer, and that’s not going to have an effect either.
Eric:
In most cases of what you see happening today, with businesses when it’s something that initiated off of phishing, that’s a lower level, lower sophistication-type attack, like these phishing ones that we’re talking about right now, then making sure your employees know how to call someone that can do something about it.
Eric:
If you’ve got an IT provider, making that phone call. If there’s someone in your organization that’s supposed to be in charge of incident response or investigating a security incident when it happens, that would be someone that everyone in your organization needs to know.
Eric:
When I have something weird, odd happen on my computer, when I’m getting notices that I’ve had a bunch of emails come back and I don’t remember sending them, those kinds of things, anything fishy, how do I report that? I got a phishing email, but I didn’t click on it. I still need to have a way to report it because you want someone in your organization able to know what’s constantly coming in, what are they trying to phish right now? How do phishing emails look, so that you can tell when they change and when they get a little more sophisticated, when they’re more targeted at your company. Then, you really need to step up your education efforts with your employees, too.
Eric:
It’s going back … Probably the first step is making sure that you’re prepared ahead of time for your employees to know exactly how to handle that situation, who to contact. And then, that person that’s contacted has to start down a process of figuring out the best step to recover and contain.
Todd:
I think you mentioned what I was looking for, I just couldn’t figure out what the word was, is incident response. Essentially, that an incident has occurred, and a company needs to prepare beforehand, and have this process created and trained, so that they know what an incident is, and they know what are the next steps to an incident.
Todd:
Typically, what does an incident response look like and what are some of the steps in it?
Eric:
You think of incident response and maybe you only think of a major incident needs to go through it, but if you design an incident response plan right, it’ll help you even in small things like the phishing that we’re talking about.
Eric:
The first step in these is usually preparation. That involves what you’re already doing ahead of time to try and protect yourself from something like this. But then, it’s going to have steps that say how do I identify something quickly? What are the steps we take there? How do we contain it? How do we limit the damage that can be done? How do we eradicate it, how do we get it out of our environment? How do we recover, get our business back up and running, get the data back, limit damage in that way?
Eric:
And then, finally, you loop around and you say, okay, what is it that we learned in this lesson? What worked well, what didn’t work well? What are some steps we should have had in place in the preparation phase so that this doesn’t happen again to us?
Christina:
I have a stat around this very topic. 77% of security and IT professionals indicated that they do not have a cybersecurity incident response plan. That’s a high number.
Eric:
And it’s going to be the key to your success or not, is whether you know the steps to take, and how you’re able to even assess how serious this is for your organization right from the start.
Todd:
You kick off the incident response plan, and you determine so-and-so’s email account was compromised, and that inside their email, you’ve verified the data that potentially was leaked. Maybe they have some HR information in there. Maybe there’s other confidential stuff in there, client information, confidential information.
Todd:
You know now that there is data that has been breached. Can you just reset your password and move on?
Eric:
You can. That’s definitely one option to go with. It’s not one that we would recommend, for sure.
Todd:
[crosstalk 00:12:05] Not the legal.
Eric:
Yeah. There will be consequences, in various forms, that come from that. When you … That’s where when we’ve helped some companies through these situations, they sometimes will find surprising amounts of data in that email box. We try and train our employees how to use tools correctly. This is where our confidential data should be in this system, and you have a breach that’s outside of that system, and you may think that it doesn’t contain much data.
Eric:
Well, it’s still important that you check into it, you look at it, you look at what data was actually taken or at least looked at, and through that process, you might discover things that either you have legal obligation to report, there’s some sort of governance agency that you need to report to, or you have a responsibility maybe to … If you’re healthcare, for instance, to specifically make that notification out to those that you lost healthcare information on.
Eric:
There’s a lot of factors that way, but then there’s just … We’ve seen larger companies sometimes, when they notify about a breach, they’re very vague or they try not to notify, and it backfires on them. It needs to be something that you have to be able to communicate correctly what’s happened, and unless you investigate it a little bit, you will not know.
Todd:
When we get into all of these steps of determining the severity of the data, and the legal aspects, and compliance aspects of needing to inform certain people, before you get to that, if I’m not mistaken, I believe there’s some forensics that are involved and I believe insurance is involved.
Todd:
Can you talk a little bit about that mess that …
Eric:
It’s one of those areas that … I don’t know, Christina may have some stats on this as well, in regard to how many companies or percentage of companies that have cybersecurity insurance, but it’s often overlooked insurance. It can be extremely helpful in these situations.
Eric:
The reason mainly is, your IT staff, this isn’t something that they deal with day in and day out. How do you dig through 10,000 emails in someone’s mailbox to see if there’s anything that was really important, or not. That’s the challenge you’re going to have.
Eric:
Having a cybersecurity insurance company that you can lean on, they’ll usually bring in legal experts to tell you what you have to do and what you don’t have to do. They’ll bring in the forensics teams, too. These are companies that do this day in and day out. They’ll come in and they have the tools to look at what they think was reviewed or accessed, and give you an idea of whether that contains sensitive information, or not.
Todd:
I think that’s the part that’s important to understand, is I think a lot of people think that when data is breached, that okay, I need to call my lawyer, I need to call my insurance guy, I need to do this, I need to do that. Well, that’s not exactly true because insurance is going to have their own people.
Todd:
If you have a cybersecurity policy, they’re going to have their own lawyers, they’re going to have their own forensics people. If you don’t have cyber insurance policy, then you may just be told to go find a lawyer and be paying all that yourself.
Eric:
Yeah. I think that’s the team they bring are the ones that are specialized in this. That’s the key, is that it’s going to be legal that knows exactly the laws in regard to some sort of cybersecurity event.
Todd:
I think what’s important too is, you may look at the breach and go, “This has sensitive information. We need to inform our customers, and whoever.”
Todd:
But the forensic auditors may look at it and go, “It’s sensitive, but by law, it’s not to the degree or severity that you need to inform your customers.”
Todd:
While … We’re not saying don’t be transparent with your customers, but when you’re talking about your reputation and you’re talking about thriving in a chaotic world where things are changing every day, you don’t want to be set back, so to speak.
Todd:
Taking the time and the money to go through that forensic audit ultimately could be better for you in the long run by not having to report certain things.
Todd:
What happens next? The auditors get involved, lawyers get involved. How do things progress?
Eric:
At that point, they’ll also help you identify whether they think this is something that has gotten bigger within your organization. We talked about the containment phase a little bit earlier, and that’s something that they can help with as well, is to bring in the right people that know is this as simple as just a phishing event that happened in Office 365 and it didn’t go any further, or is there actual malware on machines in my organization that I need to get cleaned up?
Eric:
In the case of ransomware events, where you walk in and a number of your computers have ransomware screens on them, that’s a different type of containment and recovery aspect that has to be looked at. That’s, again, where these guys are the ones that can help identify how far this went, but they’re not the ones that are going to necessarily be able to help you recover that.
Eric:
They’ll have the tools to help you contain and eliminate that. You still have to make sure that you have, in your incident response plan, everything you need to bring back your systems, then, in that case, after the event.
Todd:
We’ve learned, too, that getting the data back isn’t always as easy as you think it is. A lot of people are relying on their back-ups, and a lot of these hackers are going in, and encrypting the back-ups, and putting malware on the back-ups, and so you have nothing unless you pay out a bunch of money.
Todd:
I think that’s part of the reason why it’s important to prepare ahead of time and to have back-up disaster recovery plans, incident response plans, and to organize your strategy in a way that you can get ahead of some of these things.
Todd:
What are- Oh, go ahead.
Dax:
I was just going to say, I think that’s a good point, Todd. We’ve talked about this a couple times in some other podcasts that we’ve had, where people don’t look at this holistically. They look at security as one thing and maybe back-up as another thing, and recovery as maybe something else, and then they don’t even look at recovery as an equal part in this equation where all of these three things need to work together.
Dax:
I think that it’s really important that companies do that when they’re looking at their incident response plans, and finding out their security that they’re going to have, that all of these things go hand-in-hand in this idea of business continuity whenever there is a breach.
Eric:
Yeah, those plans really work hand-in-hand. You need both, and you need them tested in your environment, make sure that they do work as anticipated. Todd mentioned that they start … Attackers and attackers have continued to figure out ways to make their ransomware events worse and worse for companies, so yeah, they started targeting back-up systems.
Eric:
They know these back-up systems really well. They know what settings to disable so that it doesn’t fire alarms for people, and that they won’t know their back-ups haven’t been running lately, or they’ll be able to find exactly how that back-up system is connected to the network, and they’ll be able to encrypt it, as well.
Eric:
Companies go, and go to restore their back-ups, and they’re just as encrypted as the rest of the machines on the network.
Dax:
I know you had something, Todd. I don’t want to pull away if you were rolling, but another word Eric just said that I think is worth highlighting is testing. Testing your incident response plan and testing these things. How often should companies be doing this?
Eric:
When you look at your back-up systems, if you’re not testing, to some degree, on a monthly basis, that would be really concerning. As far as what you’ve seen with some of these groups that get in and they’re willing to be more patient than they used to be. They’ll get into the network, and like I mentioned, they’ll change some of the back-up settings, and then they’ll wait. They’ll let the back-ups archive off, and then they’ll launch their attack, things like that.
Eric:
It’s not that you got malware in the morning and you’re ransomwared in the afternoon, necessarily. Monthly, at a bare minimum, of making sure that you can pull your back-up files and ensure that they come back, but even more frequent than that, you need to be able to make sure that someone hasn’t turned your alerting off, that you’ve taken steps to isolate that back-up network as much as possible so that it can’t be part of your main system breach, as well.
Eric:
And then, at least annually, you need to choose some key things that you want to test. Some bigger tests. You need to have a plan for those. That’ll help you, then, with your incident response plan too, be able to reference your back-up in disaster recovery plan, to say okay, if we have this incident type happen, where we have a significant amount of our network we have to bring back from back-ups, we’ve already tested that process, or we’ve gone through a simulation of it.
Eric:
That’s where you have a lot of different options on how that test happens, but from talking through it to actually fully executing a fail over event.
Todd:
I was just thinking about, Eric and I, we’ve worked together on compliance and security stuff for many years at J Mark. It is often extremely tedious, boring, not fun and exciting. Spending three days writing or updating our back-up disaster recovery plan, we do that every year. We’ve spent … Every year, we spend multiple days rewriting our policies to make them better.
Todd:
Right now, you and I have been working on, and we have many meetings scheduled, to do an access review for who has access to different things. Writing processes and policies, and all these things, it’s not fun and exciting, but that’s the part we’re trying to prevent. Or, what we’re trying to prevent is the really not exciting thing of being breached.
Todd:
You wonder whether you have a company. You wonder whether you’re going to be able to survive. There’s the stress and anxiety of am I going to be able to pay for this? Is insurance going to be able to cover this? Are we going to be able to get our data back? Is the data going to be current? Are we going to have to do data entry for the last year or last three months to get our data in because we don’t have a current back-up?
Todd:
How are our customers going to react to this? Are they going to say we’re not professional and we can’t … They don’t want to go with us? There’s a lot of mental baggage that goes along with something like this that is not light. It’s very costly and stressful. That’s why these things are important.
Dax:
Yeah. I was just going to say that, when it comes to security, I think you probably want your life to be boring, and you can either spend those three boring days getting everything set, and getting your plan together, and making sure that you’re in a good spot, and that will lead to all those long, boring days of not having to have all the stress that you just described, Todd.
Todd:
The CEO of SolarWinds, I’m sure, would concur with that … The ex-CEO of SolarWinds, I’m sure, would concur with that statement.
Eric:
I think it’s so hard to put a number on something that hasn’t happened. You sit there and you spend all these days working on the compliance side and your business disaster recovery and business continuity plan, and your incident response plan, and nothing happens. You don’t know how much you’ve prevented with some of your prevention techniques.
Eric:
When something is intangible like that, it can be hard, business-wise, to maybe keep the budget for it, keep the time commitments from everyone that’s involved, because they don’t always see it as just as a priority on their list. We fight that challenge too, that just … The important thing is, each year you do just a little bit more, too.
Eric:
You have to get to a certain point fast, but then you just need to keep improving it each year.
Todd:
I think that a lot of people, too, don’t quite realize how … We talked about how technology is so woven throughout every part of a business. That’s good, from the standpoint of innovation, and being able to adapt, and go faster, and be more efficient. But from the standpoint of your data being breached, I think people don’t quite realize if this piece gets breached, how many other things have been touched now?
Todd:
With everything being technology now, even that point of Office 365, or somebody’s, or multiple, computers having ransomware on them, there’s so much that happens on computers. There’s so much that flows in the network. There’s so much that flows when you have Office 365, it’s never just email.
Todd:
That’s why I think it’s so important that people understand that when there is a data breach, being able to truly understand, that’s why the forensic auditors are so important, because they look at all of these different data points and try to figure it out, but before all that, what you and I have done, and other people at J Mark, is we’ve gone through and we’ve mapped where all the data goes. We’ve looked at who has access to all the data, so that were that thing to happen, we could be prepared, and shut certain things off, and stop it in its tracks.
Christina:
I have a question. I was doing some research to pull some stats and things, and I came across this one. Healthcare spent the most time in the data breach life cycle; 329 days. What does that mean exactly? What is the data breach life cycle?
Eric:
Usually when you hear those terms, it’s how long it’s taking you when there is a breach to deal with that breach, and how long you’re involved in that incident. It starts as one little thing, but the amount of time and process you have continues on for quite some time to contain it, to notify clients, to do the investigation side, to get your data back to where you feel your network is you’re comfortable with it again, that it’s completely out of your system, and that you guys can close that incident off, and move on.
Todd:
Yeah. I think that’s one of the reasons why we wanted to do this topic on the podcast, is because if you can get it wrapped up in 90 days, that’s super, super fast, but that’s an oddity. There are generally … There’s data that has to be recovered, or data that has to be re-entered, there’s legal, there’s insurance things happening.
Todd:
It can take a lot of time. That’s …
Eric:
If it’s too short, then you might end up with fallout where you miss something, and something comes back to you. You don’t want … The goal, definitely, you would not want to make it as short as possible; you definitely want it to be thorough.
Christina:
Yeah. That’s pretty crazy. That’s almost a year, and then this stat goes along with it, since we’re talking healthcare. Hospitals spend 64% more annually on advertising over the two years following a breach, because it goes along with their reputation.
Todd:
That’s interesting. I hadn’t even … That’s another data point. How do you calculate the costs of your marketing, and your sales, and your public relations after a breach? That is … It’s a lot better to prepare.
Eric:
That was a hospital, right? You don’t think of having many choices where you need to advertise for a hospital. What would the stats be for a business that they can drive their customers to another business pretty easily in a breach situation?
Dax:
I’m going to think about the impact on your reputation that comes to smaller businesses, where you really deal … Like a legal business or something, where you really deal with very sensitive data, everything that you have, and I think that impact that Todd just mentioned carries on. That’s one of the things that is easy to overlook when it comes to security, is how it touches and goes beyond just the actual breach, the consequences of that are … Run throughout your entire business.
Todd:
We talked about this a little bit and we’ve been throwing this word around, “breach,” quite a bit. Eric, can you talk a little bit about what is actually considered a breach in the security world, insurance world?
Eric:
It’s going to depend a lot on your organization and what data you have. You don’t want to throw around “breach” too quickly. It’s a security incident. I always start with a security incident, and you’re investigating it until it becomes to the point where you want to legally call it a breach.
Todd:
Well, you don’t want to call it. You’re forced to call it that.
Dax:
Right.
Todd:
Right?
Eric:
You hope it stays a security incident the whole time.
Todd:
Right.
Eric:
When it comes to your company’s data and what you consider confidential, just from a company standpoint, some of that you can still maintain it as just a security incident. When you talk about the word “breach,” “compromise,” some of those … In certain situations, those have certain legal consequences.
Eric:
We talked about some of the governance consequences around it too, when it comes to maybe HIPAA or PCI. Different scenarios like, when you use that word “breach,” it’s going to mean that you have to do X, Y, and Z. There’s going to be a definition of what is truly a breach. Is this a breach of credit card information for someone? Is this a breach of PHI information, and to what level has that PHI been breached?
Eric:
All of that will come into play on whether it ends up truly being called a breach or not, and then that specifies some of the actions you have to take because of it.
Eric:
In any case, you can still have company data that you lost that you’re not happy about in a security incident.
Todd:
In a breach then, we’re generally talking about data related to individuals. Right? Like health data, or Social Security, or financial information, passwords to sites, things like that? Is that accurate?
Eric:
Right, yes. The true breach definition that we’re talking about right now, where it comes into play on the legal side, or governance side, would definitely be more individual focus, usually.
Todd:
But you can still lose a whole mountain of really important data and not call it a breach, but it’s still not going to make you feel any better.
Eric:
Right. A lot of what we talked about today, it applies even if just a security incident. We were using the breach word generally throughout this conversation, so far.
Todd:
I was thinking as we wrap this up, we’ve talked about a lot of different things to do to prepare yourself, so to speak. We’ve done this in the past a few times, but how about we just throw out a rapid fire of some of the things we heard, in terms of what to do to prepare, so that if a breach were to … Hopefully you don’t get breached, but if it were to occur, things like we talked about doing a back-up restore every month, making sure you have a back-up. Storing your data in a place that isn’t connected to the internet, so that if something does get breached, you have that data.
Todd:
Eric, you talked about employee training and making sure people really understand how to operate in an incident. What else?
Christina:
Cybersecurity insurance, have that in place.
Eric:
Spend a lot of on that prepare. What are you protecting? How are you going to protect it? What technology is that going to be? We talked about the education side, as well. If something’s off on someone’s computer, how do they get that information conveyed to the right people as quickly as possible?
Todd:
Write your policies, write your incident response plan. What have you got, Dax?
Dax:
I was just going to say, reach out. Your IT provider should be helping you with this, and if not, reach out to an IT provider. Find one who does have specialties in security. You mentioned … I can’t remember if it was you, Todd, or you, Eric, that mentioned how hard it is to sit down and write that plan, and understand the … Put values on things.
Dax:
That’s where an IT provider with a good security background can help you, because they’ll already have the beginning of the knowledge that can help you write these plans and ask the right questions about your own company.
Christina:
All right. Well, I am going to try to wrap this all up with a nice little bow with three main topics that we talked about today. The first thing I wrote down, we talked quite a bit about incident response plan. There’s a lot of steps to this, and like Eric mentioned, it’s going to determine your success of your company after a breach, and then like I saw, a shockingly high number of security and IT professionals don’t even have one.
Christina:
Next would be, what I just mentioned, insurance. I think Eric said it’s a step that’s often overlooked, and if you have a cybersecurity insurance company to lean on if, God forbid, this happens, that’s huge because they’re going to bring in legal and forensics experts that actually specialize in this, day to day. They’re going to be able to dive in and figure out really the full damage, what’s been done, and what needs to happen.
Christina:
And then last, I put reputation, because especially if you’re in an industry like many that we work with that deal with sensitive data, even if you’re able to, at the end of the day, come through all these things data-wise and financially, if your reputation is gone, your business very well could be next.
Christina:
That’s pretty much that. Thank you everyone for joining today. Thank you, Eric. And, see you next time.
Announcer:
Thank you for attending this podcast. We hope it has been informative and helped convey that, at J Mark, we are people first and technology second. To learn more and discover additional content relevant to your business, please visit us online at jmark.com, or at LinkedIn, Twitter, Facebook, and Instagram.
Announcer:
You may also call us at 844-44-JMARK. Thank you for your time and we look forward to seeing you again.