Check your Antivirus

We’ve been involved with multiple organizations in the past three weeks that have responded to a serious security incident that was exacerbated by a lack of up to date anti virus. Each case took a very different turn:

  • one required significant effort by the company, their IT vendor and a forensic analysis by CDI;

  • the second is looking at probably $100,000 in lost business and professional remediation services;

  • a third instances caused a hospital about 80 hours of IT work, and countless time in lost productivity;

  • and the fourth business is trying to figure out how to pay $30,000 in Bitcoin, and how to stay in business.

The Common Threads

31115332341_b6db2b18f1_z.jpg

In each of these three cases, the company had premium, traditional antivirus, all from reputable vendors. However, in each case, at least one system, and in some cases many, were not properly protected. During the investigation of these companies, some systems had no antivirus, and some had out of date antivirus. In one case, the licensing had expired and the company was not receiving updates.

In all four cases, antivirus did not protect the systems and did not detect the issue. In two of the cases, Security Incident and Event Monitoring (SIEM) solutions detected and alerted the problem AS IT HAPPENED. In the other two cases, hours or even days went by before someone noticed the issue.

In almost every case, a email phishing attack was the culprit. This reinforces the cliche that you’re only as strong as your weakest link.

What you should do

Here’s a checklist you should perform right now, before it’s too late:

  • Verify that your antivirus is licensed and up to date

  • Check every computer, including especially your servers, to make sure that antivirus is enabled for real-time protection and is up to date

  • If you have more than 10 PC’s or server’s you should have a centrally managed antivirus solution that allows you to see what everything is up to date/protected (Symantec, TrendMicro and Sophos Central are good options).

  • Always PAY for antivirus. Free antivirus isn’t good enough. Trust us, your business depends on it.

  • Run Windows Updates

  • Again, if you have more than 10 machines, you should be using Windows Server Update Services (WSUS) or a similar product to centrally manage windows updates (it’s free folks with Windows!)

  • Remind every employee of the importance of using caution with emails and potentially dangerous websites. Limit casual web browsing.

  • Check your backups! Test that you can restore data.

Over the next few weeks you should:

  • Look into “Next Generation Anti-Malware” products. These provide additional coverage beyond what the “traditional” antivirus companies provide

    • Malwarebytes, Sophos Intercept X, Carbon Black, etc. all fall into this category

  • Perform phishing exercises and security awareness training

    • Call Cyber Defense if you are interested in such a product/service

  • Review, update, and tabletop your incident response plan

  • Get a copy of your backups off site. Preferably 30 miles away or more.

  • Call Cyber Defense with any questions. We’re here to help prepare you for a big incident, but can get you started if something bad does happen.

Policies and your Information Security Program

Information Security Policies are like guard rails on the highway.  They keep you "on track"

Information Security Policies are like guard rails on the highway.  They keep you "on track"

Regulations and standards almost universally require an "information security policy," which would make us believe they must be rather important.  For example, New York's Department of Financial Services "Cybersecurity requirements" say "Each Covered Entity shall implement and maintain a written policy or policies... setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems" (23 NYCRR 500.03).  Another example is the PCI Data Security Standard which has 12 requirements, one of which is "maintain an information security policy."  As for the other 11 requirements of PCI they all end with a question asking if policies are "documented, in use, and well known."  But what's a piece of paper going to do for you to improve security?

The short answer, and to borrow a phrase from the medical field, "if you didn't document it, it didn't happen."

The long answer is that well documented information security policies provide us, among other things:

  • Direction
  • Accountability
  • Protection

Direction

Think of information security policies as guard rails on a highway.  Without them, we might find ourselves flying off a bridge or cliff.  To use another analogy, policies form the foundation of our information security program and are often overlooked.  As staff turns over, or the business changes, our policies set forth the way we will manage our security program. 

For example, a common information security policy is a "data retention policy" which outlines how the organization will manage its data, and for how long it will make the data available.  As IT administrators change (keep in mind the average employee tenure is 3.68 years), or IT consultants change, a data retention policy provides them the direction on what is required to maintain your business data. 

Without it, staff have to either guess; or your data gets deleted early; or never.  Under all three of those scenarios, you lose.  Deleting business data early is usually considered a data breach because it impacts the "availability" of the data.  Having it too long costs you money.  And I'm sure you can guess what "guessing" does.

Accountability

The HIPAA Security Rule specifically requires a "sanctions policy," and this makes complete sense.  Policies provide the written, documented expectations of employees and vendors within your organization.  If someone isn't meeting these expectations, for example one of your employees CONSTANTLY clicks on phishing links, your information security policies, as well as your discipline policy, give you the ability to address the issue.  Without a policy outlining your expectations, an employee can claim ignorance.  At best, you might be able to get them on insubordination because you told them to stop.  However, I'd bet a lawyer could fight that argument.

Therefore, policies set up a system of accountability.  The "guard rails" that tell us what we can and can't do are established and are made clear to everyone.  Those that don't follow the policies can be addressed.  Even if it means the employee gets additional training, or a write-up, the policies give us the ability to work together.  By working together, we're able to reduce risk.

Protection

When I say protection, I pretty much mean "liability."  When it comes to policies and liability this can go a few different ways.

First, without a policy, you could be considered non-compliant for any regulations that require a policy.  However, even if you're not required to have a policy by law, you're required to have a policy by precedent.  In the 1939 Supreme Court case "T.J. Hooper v. Northern Barge Corp" it was established that companies owe a "duty of reasonable care" even if there is no standard or regulation requiring you to do something.  It's very well established in standards and regulations, even if they don't apply to you, that a policy is a basic thing to do to help protect data and systems.  Because of that if you experience a breach, and you don't have a policy, you're probably on the hook for negligence.   Even without negligence, a breach is an expensive proposition.

Second, a policy provides you (some) protection from negligent or careless staff.  If you have a well-established policy, and you follow it, your risk in case of a breach is reduced.  Beyond the risk reduction that people are doing the right things, should you have a breach that is caused by a staff member the organization will probably fair better (disclaimer: I'm not a lawyer and this is not legal advice).  In such a case, you have your policy and the evidence that the policy has been implemented to back up your claim that the event was far outside the normal standard practices of your business.  Without the policy, you've got nothing.

Lastly, I would be remiss to not point out that a policy can actually HURT your business.  I worked with a compliance officer at a hospital who frequently said "there is nothing worse than a policy you don't follow."  I would bet that hospital compliance officers would know from experience in malpractice cases the merits of that statement.  If you want to hand a cut and dry case of "negligence" to a legal opponent or regulator, document what you should do, and then don't do it.  By demonstrating that you know what you're supposed to do, and then to not do it, is probably the legal definition of negligence (I'm not a lawyer, so I'd have to guess here...).  So, when you create a policy, make sure you follow it!

Conclusion

Information security policies may seem like a burdensome exercise on your "check the box" path to compliance. That doesn't have to be the case though. Policies can communicate valuable information on how you protect your sensitive data, and provide you with the means to ensure that it actually happens.  Without policies, staff must assume what is intended and when they assume wrong, you're left holding the bag.

I use this statistic all the time, and it's not meant as a scare tactic, but 60% of small to medium size business close after a data breach.  For small business owners like ourselves and the employees and clients that depend on us, we have an obligation to protect them because it makes good business sense.  Having a well documented and thoughtful information security policy is a great step on that journey towards risk reduction.

If you need assistance with creating an information security policy, contact us today.  We take policy creation seriously, and have created policies for many businesses.  We can start with a baseline policy that meets your specific regulatory requirements, and tailor it to work for YOUR business.