Watch: Operational Technology Risk

Date March 19, 2021

Join me and cybersecurity expert Max Borovkov, CEO of Julie Security, at noon on Wednesday, March 24, for a webinar discussion of the gaps created when controls for Operational Technology (OT), including environmental, industrial, and telecommunications systems, and Internet of Things (IoT) technologies are not implemented. We’ll explain why these technologies should be secured, the threats plaguing them, and what you can do to proactively protect your organization.

The cost of cyber-crime is projected to grow significantly year over year reaching $10.5 trillion by 2025. All companies—not only healthcare providers, manufacturers, and utilities—should implement OT system controls, just as they do for information technology (IT) systems. The top reasons for doing so are as follows:

  • Cybersecurity Attacks

    The recent and now infamous SolarWinds supply chain attack demonstrated the extent of the devastation an attack can cause, and the incidence of cyber-crime continues to rise. We are also seeing a greater variety of attacks, from sophisticated Advanced Persistent Threats (APTs) to unskilled “script kiddies” working from their basements with pre-packaged attack tools.

  • System Malfunctions

    Computer networks are not immune to Murphy’s Law. Computers are physical devices whose components wear out and fail over time. It is wise to monitor them and to implement controls, such as frequent backups, that ensure system availability.

  • Internal/Insider Threats

    According to the Verizon Data Breach Investigations Report, 30 percent of data breaches in 2020 involved internal actors. Such threats are not all malicious; errors and mistakes account for a portion of the total.

  • Third-Party Risk

    Our initial 2021 Risk Advisory Webinar stressed the importance of attending to third-party risk. Contractors and vendors with remote access and connectivity to your systems should be monitored. It was access obtained through an HVAC vendor that led to one of the largest credit card breaches in history.

Speak to one of our professionals about your organizational needs



SolarWinds Cyber Attack: February 24 Webinar Will Address Lessons Learned

Date February 22, 2021

The SolarWinds cyber-attack impacted the U.S. government and some of the largest companies in the world. Join HBK’s Bill Heaven, and cybersecurity law expert and best-selling author Joe Brunsman of Chesapeake Professional Liability Brokers, Inc., at noon this Wednesday, February 24, for a webinar on lessons we learned from the hack and the protection against cybercrime afforded by cybersecurity insurance.

“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack that the world has ever seen.” That is how Microsoft President Brad Smith characterized the December SolarWinds cybersecurity hack on the February 14, 2021 episode of 60 Minutes. By that measure, the attack on the Austin, Texas-based software developer has replaced the 2013 Target data breach as the most heinous cybercrime yet discovered. The enormity and nature of the attack hold lessons for us all.

The “supply chain attack” was executed through an “advanced persistent threat (APT)” vector. A supply chain attack is considered the most intrusive form of third-party breach because it impacts the trusted, highly integrated computer systems of multiple organizations within a supply chain. APT attacks are perpetrated by the most sophisticated cyber adversaries, such as nation-states, organized crime, and activist groups. APTs are often long-term, multi-phase attacks that focus on reconnaissance while using obfuscation techniques that allow the attackers to operate undiscovered for months or even years.

The SolarWinds attack, suspected to have been launched by the Russian Government, was a so-called “Trojan Horse,” in which malicious software, or “malware,” was disguised as a software patch, that is, a fix for a vulnerability identified by the software developer. The “ingress attack,” which focuses on intrusion into computer systems, gave the hackers backdoor access to the computer networks of approximately 18,000 customers of the SolarWinds Orion platform. Likely initiated in March 2020, the APT was not discovered until December 2020, giving the hackers nine months of “dwell time,” that is, nine months of undiscovered access to those 18,000 computer systems.




New Year Ushers in Enhanced Cybersecurity Threats

Date January 15, 2020

The new year brings with it an opportunity for a fresh start. From a cybersecurity perspective, a new year is also a typically dangerous time. Cyber hackers and cyber criminals often take advantage of the opening of tax season—January 7 for businesses, January 27 for individuals—to unleash social engineering campaigns. The campaigns can be digital or phone-based. They’re looking to steal login credentials or personally identifiable information (PII), and they will stress the need for you to respond urgently to an important communication, typically purporting to come from your financial institution or accounting firm, about a problem with your account, a law you may have violated, or something else that requires your immediate attention.

As if such risks are not enough to wrestle with, the dawn of 2020 brings with it additional cyber worries rooted in the recently increased tensions between the U.S. and Iran. The Iranian government suggested its response to the killing of General Qasem Soleimani “concluded” with its January 7 missile launch. But according to The New York Times, cybersecurity experts are picking up on ongoing malicious cyber activity from pro-Iranian forces. And while Iranian cyber capabilities are not on par with those of Russia, China or the U.S., Iran does have the capability to inflict damage via a cyber attack.

The Cybersecurity and Infrastructure Security Agency (CISA), which was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, is charged with protecting the nation’s critical infrastructure from physical and cyber threats. The agency’s January 6 Alert AA20-006A “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad” suggests that employees as well as the IT departments of organizations adopt a heightened sense of awareness and increase organizational vigilance.

What you should do:
  • Use known contact methods instead of those provided in an email or voicemail
  • Do not open attachments or click links unless you are certain they are from a verified “trusted source”
  • Do not divulge sensitive information unless you have verified the recipient
  • Be sure to use approved solutions for transmitting sensitive information with clients or third parties

Cyber criminals continue to ramp up efforts to disrupt organizations and their ability to function in a digital society. Organizations must continue to enhance their efforts to keep themselves from becoming victims of cyber crimes.

Attend Our Cybersecurity Webinar
On Wednesday, January 22 join HBK Risk Advisory Services Director Matt Schiavone for our first webinar of 2020, “Security Awareness Programs: What You MUST Know to Protect Your Company & Workforce” at Noon EST. Register for the free webinar here.




Cybersecurity Insurance: Consider Your Options

Date November 26, 2019

As a cybersecurity professional, I’m often asked by clients if they should buy cybersecurity insurance. My answer is “definitely,” but not without considerations. For one, you should determine the value of what you are trying to protect. And when evaluating a policy, ensure that you are clear on exactly what the policy covers—and maybe more importantly, what it doesn’t.

Cybersecurity insurance policies come in many forms, from a “quick” cyber policy, where applying requires you only to answer three or four questions, to a full-length application policy. The protection level and policy costs vary accordingly; quick policies may include multiple coverage exclusions or costly gaps. For example, failure to apply security patches may trigger an exclusion that voids your coverage. If you implement a recognized cybersecurity control framework, you will likely be able to find policies with more coverage at lower cost. Doing so can also lower the probability that you are later denied coverage under your cyber insurance policy because you inadvertently answered a crucial application question incorrectly.

A follow-up question I often get: Can I mitigate my business’s cyber-risk through a cyber policy, or should I implement cybersecurity controls to improve my cybersecurity posture?

I posed the question to Joseph Brunsman, author of multiple published cyber insurance articles and a book on cyber insurance. He stated, “Cyber insurance is a crucial component – but arguably the last component – in the defensive posture of business. I would prefer, as would the regulators who can bring sizable fines and consent orders, cyber insurers, and attorneys who specialize in post-breach litigation, that businesses do everything in their power to avoid a breach. After that first breach occurs, insurance companies begin to take a hard look at internal cybersecurity postures. Increasingly insurers are demanding specific controls be implemented as a prerequisite to coverage. If businesses fail to adopt the correct posture, they could quickly find themselves with no recourse but to pay for every breach out of pocket. Taken as a whole, businesses need to consider their cybersecurity posture now; while it’s convenient, and before it’s mandatory.”

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call us at 330-758-8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.