Cyber Best Practices



A MESSAGE FROM THE PRESIDENT AND CEO OF THE SALT LAKE CHAMBER

The Salt Lake Chamber is Utah’s voice of business. We represent the state’s 63,000-plus employers, all of which have something in common—they are all at risk of falling victim to a cyber attack.

Utah is a state for innovation. Our tech community has been a major component of economic growth and development in our communities, heightening our quality of life and garnering national recognition. However, with this impressive level of innovation also comes risk. In adapting to our high-tech society we tend to embrace the convenience of technology at the expense of security. At an ever-increasing rate, criminals are targeting our computer networks and critical infrastructure, stealing proprietary information from our businesses, and violating the privacy of internet users. Ultimately, cyber attacks have the potential to disable air traffic controls, railroads, power grids, oil refineries, water supplies, internet and telephone service, financial and health records, police protection, and the list goes on.

The business community needs to be wary of the potential dangers they will inevitably face. No matter the size of the organization, cyber attacks hurt. The financial burden, loss of customer trust and hassle of data recovery are bad for any business. More and more small and medium-sized businesses are targeted because they lack the resources to adequately defend themselves. Cybersecurity is no longer just an IT problem; it’s an organizational problem that needs to be addressed by CEOs across the state, in every industry, and in companies of all sizes.

Our government also needs to be proactive when it comes to cybersecurity. The state has made impressive efforts through the Department of Public Safety to curb cyber crime, and the state’s Department of Technology has enhanced security protocols. However, there will always be a need for more innovative solutions and improvements within our cybersecurity frameworks, regulations and information sharing protocol.

In our increasingly digital society, we must all be continuously vigilant of cyber threats. Our cybersecurity posture involves not only the technology used to combat threats, but also the people and processes that keep our systems safe. The internet has always served as a channel for economic growth, but its potential vulnerabilities could lead to economic paralysis. The cybersecurity of businesses, governments and individuals alike is a shared risk and ultimately a shared responsibility.

Sincerely,

Lane Beattie, President & CEO


CYBERSECURITY CHECKLIST

• Use strong passwords and enable two-step authentication where possible. Long passwords are typically better than shorter, complex ones. Avoid using the same password on more than one website.
• Keep your software updated. For user devices, enable automatic updates to ensure you get the latest security patches as soon as possible. For other services, make sure your administrators monitor vulnerabilities and patch regularly.
• Educate your employees about cybersecurity through workshops and monthly email updates. Incorporate a section about information security in your employee handbook.
• Be skeptical about urgent emails requesting money, even from colleagues. Verify over the phone or via another channel in case their email account has been compromised.
• Do not open attachments that you are not expecting. If you have to regularly receive attachments from outside parties, consider using a separate computer to download and scan them.
• Disable macros in your Microsoft Office products. This additional functionality is often involved in malware and other attacks.
• Keep good backups of your data in multiple places. Make sure that your backups are protected from malware that may infect your computer.
• Create a data breach response plan and know how to report an incident to the Statewide Information & Analysis Center (SIAC).
• Familiarize yourself with available resources from reputable organizations, including the Salt Lake Chamber’s cybersecurity toolkit at slchamber.com/cyber.


CYBERSECURITY LEADERSHIP COUNCIL This document was commissioned by the Salt Lake Chamber’s Cybersecurity Leadership Council in an effort to provide an educational resource to the business community. The Council is composed of both public and private partners with a vested interest in building a more secure economy.


TABLE OF CONTENTS

01  CYBERSECURITY FOR UTAH’S BUSINESS COMMUNITY

03  BEST PRACTICES
    TIMELY PATCHING
    DATA BACKUP
    BEWARE OF SOCIAL ENGINEERING
    EDUCATE YOUR EMPLOYEES
    DEVELOP A DATA BREACH RESPONSE PLAN

07  DIRECTORY OF KEY STAKEHOLDERS
    STATE CYBER RESOURCES
    CYBER INSURANCE PROVIDERS
    CYBER LEGAL CONSULTANTS
    CYBERSECURITY SERVICE PROVIDERS


CYBERSECURITY FOR UTAH’S BUSINESS COMMUNITY

Cybersecurity is on many people’s minds today. Almost every week, we hear about a new breach. A massive breach at Equifax exposed 143 million people’s confidential information to cyber criminals. That was followed by revelations that the Securities and Exchange Commission’s system was compromised in 2016. And before that, the WannaCry ransomware infected hundreds of thousands of computers across the globe. Threats such as these are likely to keep growing in both frequency and sophistication.

It is important that every business and every individual recognizes that Utah is not immune to these attacks. We have a large number of technology companies and many small and medium-sized businesses that make attractive targets. While Utah-based businesses have mostly escaped large-scale data breaches, many Utah businesses and residents have been victims of cyber attacks and fraud; even Sundance had its box office shut down by a cyber attack in 2017.

Unfortunately, many businesses do not report cyber attacks, either because they are not sure how to do so or because they are simply too embarrassed that they were hacked. This makes Utah-specific statistics hard to come by. To improve Utah’s capacity for analytics and law enforcement, please report any cyber attack you experience to the Statewide Information & Analysis Center (SIAC), which accepts complaints about cyber attacks for review. The SIAC will not open a criminal complaint or use your personally identifying information without your consent. Even if you choose not to pursue criminal charges after reporting, it is important that you make the initial report so that trained professionals can track the attack and protect other Utahns from experiencing the same one. Information sharing is key to annihilating the threat. Learn more at https://siac.utah.gov/.

The FBI’s Internet Crime Complaint Center (IC3) reports that in 2016 alone, 2,295 complaints came from Utah residents. The greatest loss came from what is known as business email compromise (BEC) scams. In a BEC scam, attackers send an email that appears to come from the CEO or another executive to someone in accounts payable, or to anyone else with the authority to wire money. There are two common methods used to create these emails.

The first is creating a fake email that appears to be from the person in question. For example, if the Chamber were a target and the attackers wanted to impersonate John Smith at the Chamber, they might register a domain that looks similar to the one used for email. Instead of coming from jsmith@slchamber.org, the email comes from jsmith@s1chamber.org or jsmith@slcchamber.org. Without a keen eye, these emails look close enough to fool many people.

The second is sending the message from the executive’s real, compromised account. Dean Sapp of Braintrace responds to many BEC scams along the Wasatch Front. Sapp says that many of these incidents involve either phishing or infected documents: an email containing a link to a phishing site, or an infected document, is sent to the target, who is prompted to enter their email username and password. Upon hitting submit, the credentials are sent to the attackers, who then use the victim’s own email system to send the messages. In some cases, the attackers have been known to read emails to find the most opportune time to send their message.



The message sent to accounts payable typically has some sense of urgency and is often tied to current activities in the company. The email may look something like this:

    From: jsmith@slcchamber.org
    To: accountspayable@slchamber.org
    Subject: Urgent! Need funds wired for US Chamber dues!

    I am in DC at the US Chamber event and was just informed that our membership will be suspended tomorrow if we aren’t current with our dues. I’m not sure what happened, but this needs to be resolved now. Wire $15,000 to ABA 123456789, account 9876654321 ASAP. I’ll be in meetings for the next four hours, but will call after my meetings to confirm this is taken care of. Thanks for your prompt attention!

    John
    -
    John Smith
    Executive Director
    SL Chamber
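The following is an added example, not part of the Chamber’s document, showing how a mail gateway or help-desk script could flag the cues in the message above: a sender domain that imitates the trusted slchamber.org domain (assumed here to be the only trusted domain), urgency and payment wording, and language that discourages a callback. The keyword lists and the look-alike character table are illustrative assumptions, not the Chamber’s or any vendor’s rules.

```python
"""Flag business email compromise (BEC) cues in a message: a look-alike sender
domain, urgency and payment wording, and language that discourages a call back."""
import re
from email.parser import Parser

TRUSTED_DOMAINS = {"slchamber.org"}  # the Chamber's domain from the page; assumed to be the only trusted one
# Character swaps that look alike in common fonts (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]
URGENCY = re.compile(r"\b(urgent|asap|now|today|tomorrow|immediately|suspended)\b", re.I)
PAYMENT = re.compile(r"\b(wire\w*|transfer\w*|funds|aba|routing|account\w*|invoice\w*|gift cards?)\b", re.I)
NO_CALLBACK = re.compile(r"in meetings|can'?t talk|unreachable|do not call", re.I)

def normalize(domain):
    """Map look-alike characters to the letters they imitate (s1chamber -> slchamber)."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance; catches slcchamber.org (one inserted 'c')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain `domain` imitates, or None (2 edits suits a 13-char domain)."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return trusted
    return None

def sender_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def score_message(raw):
    """Return human-readable findings; an empty list means no BEC cues were seen."""
    msg = Parser().parsestr(raw)
    text = (msg["subject"] or "") + "\n" + msg.get_payload()
    findings = []
    dom = sender_domain(msg["from"] or "")
    target = lookalike_of(dom)
    if target:
        findings.append(f"sender domain {dom} looks like trusted {target}")
    urgent = sorted({w.lower() for w in URGENCY.findall(text)})
    if urgent:
        findings.append("urgency cues: " + ", ".join(urgent))
    pay = sorted({w.lower() for w in PAYMENT.findall(text)})
    if pay:
        findings.append("payment cues: " + ", ".join(pay))
    if NO_CALLBACK.search(text):
        findings.append("sender discourages verification by phone")
    return findings

# Constructed sample, transcribed from the BEC message shown on this page.
SAMPLE = """From: jsmith@slcchamber.org
To: accountspayable@slchamber.org
Subject: Urgent! Need funds wired for US Chamber dues!

I am in DC at the US Chamber event and was just informed that our membership
will be suspended tomorrow if we aren't current with our dues. I'm not sure
what happened, but this needs to be resolved now. Wire $15,000 to ABA
123456789, account 9876654321 ASAP. I'll be in meetings for the next four
hours, but will call after my meetings to confirm this is taken care of.
Thanks for your prompt attention!
John
"""
```

Running score_message(SAMPLE) yields four findings; a routine message from the real slchamber.org domain with none of the cues yields an empty list, which is the point of verifying out of band rather than trusting the display name.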

In 2016, Utahns reported 133 BEC scams. Forty-three of these scams were successful, causing losses of $2,657,372. Braintrace has investigated BEC scams in industries as diverse as legal firms and financial services, construction and manufacturing. Including all the costs associated with remediation, these businesses incurred losses averaging around $200,000.

Utah businesses are not alone in being attacked. Utah’s SIAC reports that the Utah state government’s network sees an average of five million attacks each month. Last year, the Salt Lake City Police Department reported an unsuccessful attack against its network. The group claiming credit said it was in response to an officer-involved shooting.

Utah is working hard to develop the workforce to address these cyber attacks, and cybersecurity remains a fast-growing career path. According to the Department of Workforce Services, the compound annual growth rate for cybersecurity analyst jobs was measured at 13.39%, over four times the projected rate. In July 2017 alone, there were 49 unique new job postings in Utah. In response, higher education is creating new career pathway programs, including the Master of Science in Cybersecurity at Utah Valley University.



BEST PRACTICES

Timely Patching

Let’s take a look at the breach that has been on everyone’s mind: Equifax.

MARCH: Apache Struts, a web application framework used by thousands of companies, reveals a security flaw and issues a patch. Organizations are encouraged to apply this critical update.

MAY 13: Attackers compromise Equifax’s network using this known Apache Struts vulnerability.

JULY 29: Equifax detects suspicious traffic.

JULY 30: Equifax takes the website offline to patch the vulnerability.

AUGUST 2: Equifax hires Mandiant, an incident response company, to investigate.

SEPTEMBER 7: Equifax announces the breach to the public and reveals 143 million records were stolen.

SEPTEMBER 8: Equifax’s stock drops from $142 to $123 per share.

SEPTEMBER 15: The Chief Information Officer and Chief Security Officer for Equifax both announce retirement. Stock drops to $93 per share.

SEPTEMBER 26: CEO Richard Smith announces retirement.

While an organization like Equifax has many moving parts, the takeaway from this breach is simple. Equifax failed to update publicly facing software that had a known critical vulnerability. This vulnerability cost three executives their jobs, exposed 143 million people to identity theft, and will cost Equifax millions in remediation. All of this occurred because a patch was not applied.

This was not an obscure vulnerability known only to a select few hackers and security professionals. The announcement of this flaw and the associated patch resulted in headlines in technology publications declaring “Hackers exploit Apache Struts vulnerability to compromise corporate web servers” and “Apache Struts 2 needs patching, without delay. It’s under attack now.” These warnings were issued in early March, more than three months before the breach was detected and the patch was applied.

Businesses need to keep an active inventory of the software and systems in use. It is also vital to know when critical security updates are available and how to apply them promptly.


Data Back-Up

Ransomware is an increasingly common threat to businesses large and small. Recently, an anti-malware vendor released a report showing the growing number of attacks on small businesses. One of its conclusions was that smaller businesses are even more at risk, simply because they don’t have the IT resources to deal with ransomware. A business continuity provider reported that between Q2 2016 and Q2 2017, small and medium-sized businesses paid $301 million in ransoms for data.

Ransomware encrypts your data and offers to decrypt it for a fee. The interesting thing about ransomware is that the attackers’ only real leverage is withholding your data. If your organization has current backups of the data, ransomware is a nuisance but should have no lasting effects. On the other hand, if you don’t have good backups, you may experience what happened to a police department in Cockrell Hill, Texas. In December of 2016, one of their servers was infected with ransomware. After consulting with the FBI, they did not pay the ransom. This resulted in the loss of files, bodycam video, and other evidence dating back to 2009. Having a secure backup could have prevented this mission-critical data from being lost.

• Identify all information that is critical to your business operations as well as any potentially sensitive information.
• Copy your data onto an external drive, network drive, or onto the cloud.
• For extra data security, back up your information in several different locations.
• Remember to regularly update and test your backups.

[Figure: backup system diagram showing copies going to cloud storage and to a network database.]



Beware of Social Engineering

The Business Email Compromise (BEC) attacks described earlier in this document are a prime example of social engineering. These attacks do not focus on exploiting a flaw in software; they take advantage of human nature. Recent high-profile attacks include a British “email prankster” impersonating Mr. Trump’s advisor and son-in-law Jared Kushner, well-known politician Jon Huntsman Jr., and former White House Chief of Staff Reince Priebus. The victims, including then White House Director of Communications Anthony Scaramucci and Homeland Security Advisor Tom Bossert, responded to the emails in a very candid manner, seemingly fooled by the well-crafted phishing lures.

Even more damaging was the successful phishing attack against John Podesta, Hillary Clinton’s campaign chairman. Reports allege that a hacking group associated with a Russian intelligence agency compromised Podesta’s email account by simply getting him to type his password into a fake Gmail security alert. This social engineering attack resulted in thousands of emails being published on WikiLeaks.

Detecting and avoiding social engineering can be difficult. It is important to be skeptical of email messages, especially when they are unexpected and convey a sense of urgency. Avoid clicking links in emails, particularly for sites that require authentication. If an email seems out of the ordinary, such as a sudden wire transfer request, verify the request via a channel other than email. Likewise, remember that many of these attacks rely on either fear or greed. If an email is threatening or promises something too good to be true, be extra cautious.

Educate Your Employees

Education and cybersecurity awareness are key to the success of any cybersecurity program. While technical controls are important, people often provide the opening that attackers use. You may be required to do training annually for compliance reasons, but that may not be enough. Consider having additional reminders throughout the year. Monthly emails with tips and relevant, recent examples will keep cybersecurity on people’s minds.

It can be difficult for non-technical employees to feel empowered to do anything to improve the cybersecurity posture of the company. Stress the importance of strong authentication, being aware of phishing emails, and not opening unexpected attachments. Make sure the training is relevant to these employees. Too much technical jargon tends to detract from the message. Vague admonishments are not nearly as effective as concrete examples of how cybersecurity is essential in our connected business environment.

Information technology personnel in smaller businesses may feel overwhelmed by the added responsibility of securing systems as well as keeping those systems running. Show an interest in helping them secure the systems. Ask them if they have signed up for security alerts for the software products in use. Provide cybersecurity training for these employees. There are affordable cybersecurity conferences that take place right here in Utah. Sending employees to these conferences will not only provide them with some of the latest information, but will also help establish professional networks.

Finally, those in charge need special training to identify the threats that will target them. Spear phishing attacks and business email compromise attacks are among those that specifically target business owners and executives. Educating the leaders fosters a culture of cybersecurity in the organization.


Develop a Data Breach Response Plan

Unfortunately, despite best efforts, a data breach may still happen. It is crucial that businesses have a plan for how to respond to a breach. This plan should be a dynamic document that is reviewed and updated at least yearly. In many cases, a plan is developed for compliance reasons and is then left in a binder on a shelf, gathering dust. As a business grows over time, employee roles change and information systems are implemented, upgraded, and retired. All of these changes should be reflected in the data breach response plan.

Internal resources need to be identified. If a breach is suspected, who should be contacted within the company? Who makes the decision on when to contact remediation services or law enforcement? Who drafts the messaging to customers? Identify the people who will serve as back-ups in case any of these individuals are not available. These are all questions that need to be answered.

Keep a list of external resources available and updated. Ideally, these relationships are established long before the plan is ever needed. Have contact information for legal representation, law enforcement, public relations firms, and incident response companies readily accessible. As part of the review process, run through a tabletop simulation to evaluate the processes. As shown in the NIST Cybersecurity Framework below, responding with a plan is an essential step in securing your business operations:

[Figure: NIST 5-step approach. Start here: IDENTIFY your assets, PROTECT your assets, DETECT incidents, RESPOND with a plan, RECOVER normal operations.]



DIRECTORY OF KEY STAKEHOLDERS


STATE CYBER RESOURCES



USTAR SUPPORTS INNOVATION IN CYBERSECURITY

Do you have innovative solutions to combat cybersecurity threats?

Cybersystems is a new focus for USTAR programs this year. If you have ideas to improve cybersecurity, USTAR competitive grants and entrepreneur services are available. Find out more at ustar.org or email ustar@utah.gov.

REPORT SUSPICIOUS ACTIVITY to local authorities.

Call 833-DPS-SAFE (833-377-7233)

If You See Something Say Something™ used with permission of the NY Metropolitan Transportation Authority.


CYBER INSURANCE PROVIDERS

ARE YOU THE NEXT TARGET?

Univantage Insurance Solutions: Protect your business with data breach insurance. Your Partner In Breach Prevention and Response.

You have the unique opportunity to purchase data breach insurance through Univantage Insurance Solutions. Policies cost as little as $25 a month. Coverage includes:

• Legal assistance
• Notification costs
• Credit monitoring
• Fraud resolution
• Risk-management research
• Loss-prevention software

To obtain details, contact your WCF representative or Univantage at 888.864.8268. www.univantage.com

Cyber Security: It’s Not Just a Matter For Your IT Department

Moreton & Company’s Executive Risk team can help you find an insurance plan to protect against lost or stolen personal information, forensics and notification costs, and data restoration. Coverage can also be structured for network extortion or other first-party cyber-related exposures.

• Economic security and national security are linked
• Business leaders need to be committed to managing cyber risk
• To protect themselves, businesses should have:
  - An incident response plan
  - A practice data breach session
  - Proper procedures and protections in place
  - An insurance policy

www.moreton.com



CYBER LEGAL CONSULTANTS

PROUD TO SUPPORT THE SALT LAKE CHAMBER OF COMMERCE

CYBERSECURITY & PRIVACY PRACTICE

OUR MISSION: RQN’S CYBERSECURITY TEAM HELPS ASSESS AND MANAGE DATA SECURITY RISK AND RESPOND TO DATA COMPROMISES

WHAT WE DO: Pre-breach, breach, post-breach services, including:
• CREATE INFORMATION SECURITY POLICIES
• PREPARE DATA BREACH RESPONSE PLANS
• RESPOND TO DATA BREACHES
• PROVIDE EMPLOYEE TRAINING
• ASSESS THIRD PARTY VENDOR CONTRACTS
• CONSULT ON PRIVACY NOTICES

RQN CYBERSECURITY PROFESSIONALS:
JOHN A. ADAMS, (801) 323-3301, jadams@rqn.com
ELAINA M. MARAGAKIS, (801) 323-3315, emaragakis@rqn.com
MR. ADAMS AND MS. MARAGAKIS ARE CERTIFIED INFORMATION PRIVACY PROFESSIONALS/US

SALT LAKE CITY | PROVO
www.RQN.com


CYBERSECURITY SERVICE PROVIDERS

CYBERSECURITY BEYOND REDUCING RISK

ALWAYS-ON PREVENTION, DETECTION AND INTERVENTION

Managed Detection and Response
• Integrated best-of-breed solutions fine-tuned for your business
• Proprietary SYNAPSE SUITE protects on-premise, off-premise and in-cloud
• Layered technology fortified by experts in our Security Operations Center
• Advanced 24/7 automation and orchestration technology

WE PROVE OUR SYSTEMS BY STOPPING BREACHES EVERY DAY. HOW ABOUT YOU? Get your free assessment.

866.508.5471 | BRAINTRACE.COM | INFO@BRAINTRACE.COM



Your Data, Your Business: Partnering to Protect What’s Most Important

No one can afford to ignore information safety, especially when it involves documents. The Competitive Edge Office Systems, a Xerox Partner, can work with you to ensure your document and compliance processes are secure.

The stakes for small and medium-sized businesses are even higher than for large corporations. The average total cost of a data breach increased 23% over two years to $3.79 million.¹

Don’t underestimate what’s at risk! The security of your document domain can’t be taken for granted. There are simple and cost-effective solutions to secure your documents. Learn how the networked imaging systems in your enterprise can become allies instead of risks. Call today for a Document Security & Compliance Analysis.

¹ 2015 Cost of Data Breach Study: Global Analysis, IBM and Ponemon Institute, May 2015.

The Competitive Edge Office Systems Inc., 307 West 200 South, Salt Lake City, Utah 84101. 385.359.0917 · www.xcompedge.com · larry@xcompedge.com

Offsite Digital Storage: UNPARALLELED SECURITY · COST EFFECTIVE · WHITE GLOVE SERVICE

Unparalleled Security
The Perpetual Storage vault has remained one of the world’s most trusted and safest facilities offering maximum security off-site storage of digital records since 1968. Have peace of mind knowing your data is stored inside an impenetrable solid granite mountain vault.

Cost Effective
We offer competitive pricing: a simple pricing structure with no hidden fees.

White Glove Service
We value our clients, which is why we are expeditious and responsive.

Granite Cloud, enhanced cloud storage
Data resiliency is at your fingertips with Granite Cloud. It offers simple, cost-effective cloud storage services, with unparalleled security and all-inclusive pricing.

SCHEDULE A TOUR OF THE UNIQUE FACILITY
PerpetualStorage.com · 800.753.2200


Securing the cyber landscape Now more than ever, businesses of all sizes as well as federal, state and local government need to evolve security practices to help keep their information safe from cyber attacks. At AT&T, we use the power of our network to help build a better, safer tomorrow. Security is at the core of our networks and central to everything we do.

© 2017 AT&T Intellectual Property. All rights reserved.



Authored by Robert Jorgensen, Cybersecurity Program Director Utah Valley University uvu.edu/cybersecurity

Book presented by The Salt Lake Chamber

