Cyber forensics panel: Storing data & the human factor
Companies need to tighten up their data storage practices and plan ahead for deletion, an Intelligent Insurer panel found.
Our focus on cyber month brings us to digital forensics and cyber incident response (IR) plans. Intelligent Insurer invited four experts in their field to offer their insight into the world of post-cyber attacks.
George Chaisty, partner at Kennedys and Gwenn Cujdik, manager of AXA XL’s North America cyber IR team, joined Anthony Hess, chief executive officer of cybersecurity firm Asceris and Jonathan Rajewski, North American head of cyber IR for Aon, on a virtual panel to discuss the finer details of the cyber insurance landscape.
In this second report of four, we focus on the challenges of protecting sensitive data in the digital age and the crucial role of humans in cybersecurity
‘Fort Knox, please’
With a lower percentage of ransomware victims paying up, according to ransomware recovery first responder Coveware, threat actors have diversified their methods and are becoming more sophisticated.
“Data should be stored under the strictest lock and key that can be segregated from everything else.” Gwenn Cujdik, AXA XL
Consequently, there’s a need for more vigilance with the way data is stored to deter access or face potentially exorbitant ransom demands and class action suits.
“Fort Knox, please, for your data,” stated Cujdik. “Data should be stored under the strictest lock and key that can be segregated from everything else behind every single security tool and multifactor authentication (MFA).”
Data is a valuable asset—if a threat actor chose not to steal it but simply to alter some of that data, the consequences could be disastrous, said Cujdik.
“You need to build a security programme for your organisation.” Jonathan Rajewski, Aon
Rajewski highlighted the need for a layered defence approach to security, including alarm systems and proactive risk management.
“One of the things that keeps me up at night concerns healthcare records databases. You need to be able to detect changes in that database in case a threat actor infiltrates and impacts on people’s lives.
“There is no one-size-fits-all solution,” he continued. “You need to build a security programme for your organisation and ensure that your risk level is appropriately quantified and qualified for the business.”
Don’t blame the humans
“There are organisational measures that don’t cost very much to ensure compliance.” George Chaisty, Kennedys
Companies must implement policies and procedures to ensure data security, and Chaisty advocated for more compliance when it comes to data retention and deletion. “There are organisational measures that don’t cost very much to ensure compliance,” he said.
“Many companies say ‘we hold that data for only 10 years’. After 10 years and one day, is there an automated process to reconsider the need to keep that data? Very often the answer is no. But there are many simple steps you can take, short of the technical measures, to ensure security.”
The human factor can very easily compromise a company’s cyber resilience, so proper training and awareness are essential to mitigate risks, especially as security measures must be balanced with usability.
“Most attacks are linked back to a human making a decision that ultimately allowed the attack to continue or to be initiated. Some other controls in the infrastructure should have alerted or blocked the actual connection,” Rajewski said.
“There’s a lot of focus and emphasis on human training and education and awareness, but we also need to make sure we have controls around that, so we’re not blaming the people. Technology is important, but humans play a factor as well.”
“I’ve seen people being fired for issues that were not their fault.” Anthony Hess, Asceris.
Hess emphasised the need for technology to support people and mitigate the consequences of human mistakes.
Sharing his experience of a social engineering scam, Hess noted: “I’ve seen people being fired for issues that were not their fault, after very sophisticated social engineering campaigns led to large amounts of money being stolen.
“You think to yourself that anybody could have fallen for that scam. It’s very unfortunate.”
Worst-case scenario
In the event of a cyber attack, having an IR plan helps to mitigate the severity of an event, minimise stress and reduce risk.
With social engineering and deep fake scams on the rise, Cujdik believes it’s important to implement simple policies to prevent misdirected funds or wire fraud.
“A trend we’re seeing is very sophisticated social engineering attacks that can get around your tried and true MFA,” she said.
“These are very particularised attacks like Sim swapping, or smishing, also known as targeted spear phishing. It’s very hard to deal with all these different attacks, but we can counter them with training and backup technical solutions.”
What about those companies without an IR plan? “The worst-case scenario is that you go out of business” said Hess. “At best, you have a delayed investigation, unqualified experts and a strain on resources.”
Ensuring a company has reviewed its data storage and retention policies will contribute immensely to a business’ cyber resilience, but it’s not enough.
The human factor will also make a difference, as Cujdik explained. “If you have the right experts in place who are doing the work day in and day out, they know how we can get through an event. They’ll say ‘It’s okay that you didn’t perfectly plan this out. We’ve seen it and we know how to get you through it’.
“One of the biggest pitfalls I’ve seen is not having a plan in place,” she continued. “If you choose advisors who don’t do this work, you’re ill-advised from the outset, and you’re missing major things on both technical and legal perspectives.”
To watch a video recording of the discussion click here.
