Article written by:
Doug Davidson, CISA
Director of Information Technology Services
In late December 2019, you may have read a Columbus Business First article describing the shutdown of Idea Buyer, a 12-year-old Dublin, OH business and frequent member of the Inc. 5000. In short, Idea Buyer, an information-intensive business that served entrepreneurs and innovators in packaging, buying and selling ideas, had been dealt such a blow by a cyber attack that the business had to close and lay off its 15 employees. While the story did not identify the impact on each client, the impact is likely high because Idea Buyer held the intellectual property of many of its clients.
The article had GBQ all abuzz with conversation surrounding the fact that cyber risks are among the highest, and potentially most lethal, to a business and its value.
We weren’t involved in this business, nor did we respond to the event. What we know about what happened comes from published reports and online conversations from some of those impacted. Our knowledge of the news is certainly informed from the work we do day in and day out, protecting clients from the bad guys (good work) or helping clients investigate and recover from the bad guys’ attack (work we are good at that is never fun).
Though short on details, since the FBI investigation is still ongoing (and the girding for a legal war by many client lawyers has, most likely, begun), the story is pretty simple. The company put all of its information in the cloud without properly validated security and protection. A hacker found the weak site and either ransomed (encrypted) or ransacked (stole) the data. The company did not have good backups available and lost client data, including websites, intellectual property and application code, among other things. It is unrecoverable. Fifteen people lost their jobs during the holidays. Given that the company was a support service for entrepreneurs building new businesses, a large number of client businesses are likely impacted. The owner of the company likely has years of litigation nightmares to live through.
And it didn’t need to happen. It was preventable. So were most of the events our digital forensic and incident response team responded to last year.
Could it happen to your firm? Not if you take steps to minimize your risk.
GBQ IT Services recommends the following cybersecurity imperatives:
1. Through informed collaboration between management and IT, select and implement a security program using an established security framework to build consensus for what you must do to secure your business, as well as to potentially enjoy the legal benefits of the Ohio Data Protection Act.
- Identify and understand your key cyber assets
2. Conduct an annual independent risk assessment against an industry-accepted control framework (ideally the framework selected above) including:
- Vulnerability assessment of network, cloud infrastructure and other technology assets
- Application assessment of any company-built applications at least annually, if not each time a new release is published
- Some companies are also using digital footprinting technologies to gain visibility into how their firm's security posture appears to the rest of the internet
3. Have a plan for your 3rd-party IT provider
- If your firm uses a 3rd-party IT provider, assess their work against their contract. Many times, firms that rely on 3rd-party providers are weak because the provider is not meeting its contract commitments and the customer only finds out after something bad happens. Trust, but verify.
4. Have a written business continuity/disaster recovery/incident response plan that aligns with your cyber liability coverage, including:
- A documented plan that details who to call and what to do when bad things happen
- Test backups and other recovery systems regularly, including actually restoring from them
- Test the incident response plan annually with a tabletop test
5. Provide cybersecurity awareness education and training programs for all employees to develop a real cybersecurity culture
- Include training for employees handling protected information and cash
- Consider routine security awareness training and self-phishing tests of your entire employee base
6. Once the risks from the risk assessment have been remediated, conduct an independent adversarial penetration test of the business. (That’s where we get paid to try and break in just like the bad guys would.)
7. Conduct a cyber liability insurance coverage adequacy evaluation to discover what is covered and what is not covered, and understand the cost of cybersecurity remediation actions versus the cost of the cyber insurance premium.
8. Repeat the process next year because this is never going to go away. We recommend creating a “security calendar” so that all of your necessary security activity becomes just as routine to your business as your annual tax work, audit visits, company holiday parties, etc.
Most businesses, regardless of size, are not doing the bare minimum and are sitting targets to become the next story. Based on the results of the risk assessment, other testing and the type of business, other actions or controls may be recommended or suggested, but this is the bare minimum. Without the assurance of this annual routine, your firm is exposed. If you need help plotting your safe course in the cyber world, contact us.
GBQ IT Services is one team of builders, breakers, operators and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cybersecurity and productivity solutions. We build value through IT strategy, protect value with information risk and cybersecurity services, measure value and improve productivity with data analytics and process automation and assure value through IT audit services.