This article was originally published by the San Diego Business Journal on May 27, 2024 and is republished here with permission.
Whether the game is football, baseball, hockey, or Indy Car racing, no team goes into their major championship matchup without training. Companies need to train as well if they intend to operate on the internet and expect to be resilient in the face of hackers and other bad actors. Some of those bad actors are in it for the money; others are agents of nation states.
Training, tabletop exercises, incident response, and contingency planning were top of mind when San Diego’s Cyber Center of Excellence (CCOE) and the San Diego Business Journal presented their latest quarterly installment of Cyber Trends 2024 on Monday, May 20, 2024.
Panelists included Matt Murdock of Synoptek, Kim Young of the City of Carlsbad, and Steve Millendorf of Foley & Lardner LLP.
This month, Eric Basu moderated the discussion. Basu is a founding board member of CCOE, an entrepreneur, and the CEO of Haiku, a maker of cybersecurity training software.
The full recording of the panel is embedded below alongside selected excerpts:
Volume of Cybercrime Complaints Grows
The FBI reports a 150% increase in cybercrime complaints across all industries in the last five years, totaling over US$37.5 billion in losses. In addition, the global average cost of a data breach climbed to over US$4.5 million, according to IBM.
More than half of the costly attacks are aimed at small and medium-sized businesses: businesses that often aren’t well-prepared and may not even understand the magnitude of the danger they face. They’re also our region’s economic engine. There is a global shortage of cyber professionals to thwart these attacks. The latest numbers from Cyberseek.org show 448,000 openings in the United States, 5,000 of them in San Diego alone.
It’s mission critical to address the systemic risk. San Diego is leading the charge with more than 1,000 cyber firms and the Navy’s Information Warfare Systems Command, NAVWAR. The cybersecurity cluster accounts for more than 26,000 jobs. It has a total economic impact of US$4 billion annually, the equivalent of hosting 24 Comic-Cons. The collaborative ecosystem is developing new technologies, defenses, and cyber warriors to combat this ever-evolving threat landscape.
IBM’s data breach report reveals that an alarming 95% of studied organizations experienced more than one data breach in 2023. And as was discussed in the last panel, attacks are only getting more sophisticated with evolving AI.
The Reality of Third-Party Risk
Basu: What contractual best practices do you recommend for technology transactions that could help companies mitigate those risks?
Millendorf: Let’s focus on supply chain and critical infrastructure for now, because in any deal where they’re touching any sort of information, certainly personal information, IP, or accessing computers, you’re going to want something. But focusing mostly on the supply chain and critical infrastructure, you want to make sure that you’ve got some pretty solid, pretty prescriptive security measures.
Generally, I recommend that any of these agreements require that the vendor have a written information security program, preferably one that’s based on some common standard, either NIST SP 800-53, the NIST Cybersecurity Framework, ISO 27001, or something along those lines. Overall, I would require ongoing independent audits and penetration testing or vulnerability scans. For these types of industries, again, supply chain and critical infrastructure, we probably want those tests and vulnerability scans to be as often as once a week. We would have contractual obligations to require that.
If software is in the supply chain, which it quite often is, I would ask for terms and conditions for secure software development processes and testing for vulnerabilities. On top of protecting their IT infrastructure, as I just mentioned, with vulnerability testing for their systems, I also want vulnerability testing for the actual software itself.
Getting to Know the CVSS Score; Penetration Testing
Millendorf: Another thing that I typically require is continual monitoring of the CVE database, and patch anything that’s got a CVSS score of 7 or higher. For those who don’t know, CVE is a database of vulnerabilities. It’s run by Mitre these days. It’s open to the public; you can go get access to it. CVSS scores are the scoring method that they use to rate the criticality of a vulnerability, with 1 being not very critical and 10 being a big flashing red light. You can subscribe to a daily feed of these.
It’s really easy to require this for vendors who are in this space. Again, I would require this not only for the software that they’re developing but also for their IT systems. The SolarWinds attack is a great example of a third party getting in, mucking with the software, and then having that software go into a bunch of other products for their own customers. You’ve got vulnerabilities that should have, could have been caught at the software level, and you’ve got vulnerabilities that should have been caught at the IT level, where the software was being developed and distributed.
Another thing I often ask for is the ability to do our own penetration testing. To be fair, that’s a pretty hard pill for most vendors. Like, ‘Hey, we’re, we’re going to purposefully attack your system, and we’ll let you know if we actually get in.’ It’s White Hat hacking without necessarily notifying them, which can be a little bit of a problem if you start sending them off on alerts. They should be getting alerts. But if they don’t know that [you are testing them], that can be a hard pill to swallow.
At a minimum, you should be able to get your own independent audits. And at least if whatever they’re providing through their own independent audits is unsatisfactory, or they’ve had a breach in the last 12 months or so, we want to be able to go in and make sure that you fixed all the things that you said you fixed.
I also quite often will ask for a notification of any security breach. I don’t care how critical it is, what’s going on. I want to know if there’s some risk there, particularly if they’re hosting my data and trying to get some indemnification and hopefully limited liability or at least some sort of a super cap on liability for security breaches. Hopefully, any security breach, but at least if it’s a failure for them to meet their own security obligations, they should be responsible for it.
All this kind of brings up another thing which I think we kind of touched on. All businesses should have some sort of an incident response policy and make sure that they test and refine it at least annually through some sort of a tabletop exercise.
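The "monitor the CVE feed and patch anything scored 7 or higher" requirement above is easy to turn into an automated check. The following is an added example, not code from the panel or any vendor; the records are constructed and loosely follow the NVD API 2.0 JSON layout (metrics.cvssMetricV31[0].cvssData.baseScore), and the CVE ids and scores are made up.

```python
# Added example: apply the contractual "CVSS 7 or higher" patch rule to a
# vulnerability feed. Records are constructed in an NVD-API-2.0-like shape;
# ids and scores are placeholders, not real CVEs.

PATCH_THRESHOLD = 7.0  # the threshold discussed in the panel


def severity_band(score):
    """Qualitative bands defined by the CVSS v3.x specification."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def best_score(record):
    """Prefer the newest CVSS version present; None if the CVE is unscored."""
    metrics = record.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return float(metrics[key][0]["cvssData"]["baseScore"])
    return None


def triage(records, threshold=PATCH_THRESHOLD):
    """Return (cve_id, score, band, action) tuples for records needing action."""
    findings = []
    for rec in records:
        score = best_score(rec)
        if score is None:
            # Scoring often lags disclosure: never drop an unscored CVE silently.
            findings.append((rec["id"], None, "UNSCORED", "review"))
        elif score >= threshold:
            findings.append((rec["id"], score, severity_band(score), "patch"))
    return findings


# Constructed feed: one critical, one medium (v2 only), one exactly at the
# threshold whose older v2 score alone would have missed it, and one unscored.
SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-0000-0002", "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]}},
    {"id": "CVE-0000-0003", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.0}}],
                                        "cvssMetricV2": [{"cvssData": {"baseScore": 4.3}}]}},
    {"id": "CVE-0000-0004", "metrics": {}},
]
```

Calling triage(SAMPLE_FEED) yields the two entries to patch plus the unscored one flagged for review; the medium-severity record is left alone.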
Basu: Do you see value in requiring vendors to have some sort of standardized compliance like SOC 2 or something like that?
Millendorf: I do. SOC is always a more difficult question, I think, than ISO. I think ISO is a little bit of a higher standard. But at least there’s a standard set of controls that they’re going at. They’re not just, ‘Yeah, this looks good. Thumbs up.’ Put your thumb in the wind and make sure it’s blowing in the right direction.
SOC gives you something. ISO gives you something. Basing it on the NIST cybersecurity framework or SB 853 gives you something. At least there’s some baseline there.
Regulating Cybersecurity and Privacy
Basu: Unlike the European Union, the United States doesn’t have a single law, as far as I’m aware, regulating cybersecurity and privacy. In addition, several states have their own cybersecurity, data breach, and notification laws. So, there’s a lot for a company to try to get around. For small businesses in particular, this is difficult because they’re just trying to run their business, make payroll, and get customers. What advice do you have for the SMBs, who are also the targets of all these breaches, to get their arms around the privacy and cybersecurity requirements?
Millendorf: Even in the EU, generally the law there is called GDPR. However, there are some variations under it. Each country can make 60 changes in its provisions and, in some cases, determine what’s notifiable and what’s not. So, it sounds uniform in Europe, but it’s not as uniform as it actually sounds like.
And in the United States we also do have some sector-specific laws. The financial sector has the Gramm-Leach-Bliley Act, and the health sector has HIPAA. There are a bunch of other laws, many of which have their own breach notification laws that the state-level ones exclude. So, if you’re in a health care sector, got personal health information, it’s covered by HIPAA, that gets breached, you don’t have to deal with the state level ones generally. You’re really just dealing with one federal one.
The state ones all have their own variations, and that’s one of those places where, if you do have a breach, get decent privacy counsel or privacy coaches who really know what the various laws are.
In terms of being prepared, again, I would look at the NIST cybersecurity and privacy frameworks to get a good idea of what the best practices around their requirements are, hopefully avoid a breach, and deal with the incident response and the effects if there actually is one. I do like these because they are frameworks. They’re not specific requirements. They do pretty well when we’re talking about smaller businesses as well as doing pretty well in the really large organizations.
The other thing I would mention, particularly for small businesses, is something I find to be a problem. Data minimization is key. Small businesses, for whatever reason, either don’t have the time to think about it or don’t really have the resources to purge all data. They keep data around for years. I had a client who had a breach. They thought it was only going to be 50 current employees. Well, no, they actually had data going back 20 years for every employee and their beneficiaries that had ever walked into the place. And we wound up notifying like 800 people. And that’s because, do you really need this data for the employee who was an employee in 2000? Probably not. So I think getting rid of data is probably one of the key things for small businesses to do. If you don’t have it, it can’t be breached.
Final Thoughts: Adjusting to the Hacker’s Point of View
Millendorf: I think the first thing for organizations when you’re talking about cybersecurity is to really think out of the box and like a hacker. That’s really hard. We think, ‘Here’s the rules, and so we’re all going to follow them.’ Hackers don’t follow the rules. That’s why they’re hackers. That’s probably a key thing in trying to think about the vulnerability and the impact and whether or not something’s ultimately going to be material.
Training is hugely important for anyone who’s touching any sort of IT equipment, whether it’s the secretary or the CEO. I do training for organizations. I actually don’t train it from the corporation’s perspective. I train it as individual identity theft training. Because if you can do that and you’re thinking about it for yourself, then you’ll start applying that in your business. But if you go into it thinking about it as your business, you’re like, ‘Ahhh, that’s their problem. What do I care?’ Which isn’t a good way to think about it, by the way, but it’s just what happens.
We also mentioned a couple of times incident response policies and procedures, training, and reviewing them every year on tabletops.
No football team goes in and just plays the Super Bowl without any practice. It is the same thing when it comes to not only training but particularly the incident response and the tabletop exercises: Go in well-practiced, well-oiled. In this way when the inevitable does happen, you know what to do. It’s now just regurgitating what you’ve already learned instead of trying to learn on the fly.
The Cyber Center of Excellence (CCOE) is a San Diego-based nonprofit that mobilizes businesses, academia, and government to grow the regional cyber economy and presence, as well as create a more secure digital economy for all.