Cyber Loss Prevention


Greater Wilmington Business Journal

wilmingtonbiz.com

October 1 - October 15, 2021

Cyber Loss Prevention Panelists

Kim D’Arruda North Carolina’s Special Deputy Attorney General over cybercrime

Rob Duggan Director of Technology Risk Advisory Services at Earney & Company

Michael Nauert FBI Special Agent for cybercrime and intrusion investigations

Peter McClelland Privacy, Data Security, and Technology Attorney at Ward and Smith

William Wetherill UNCW’s Chief Information Security Officer

Cybersecurity has become a front-burner issue for businesses as well as health care, education, government and many other organizations. On August 20, UNCW’s Center for Cyber Defense Education gathered a panel of experts to discuss the growing risks, how to ward off potential threats and how to recover if your organization is breached.

The following are highlights from the conversation that took place at UNCW’s Burney Center.

SPONSORS’ CONTENT BROUGHT TO YOU BY:


Kim D’Arruda, North Carolina’s Special Deputy Attorney General over cybercrime, has seen a steady rise in security breaches and attackers’ sophistication. “Watching the technology get more and more advanced, sometimes I feel like it’s a little baby that I watched grow, and now they’re kind of a mean teenager,” D’Arruda said.

These breaches in North Carolina, which include unauthorized access and acquisition of credit cards, Social Security numbers and other private information, stood at 293 in 2010. They climbed to 1,644 in 2020, and they were already at 1,307 this year as of August 18. Companies and other organizations often suffer breaches from legacy computer systems they no longer use but that can still be accessed by outsiders. “A lot of times you’re holding more information than you realize,” D’Arruda noted.

Hacking breaches in North Carolina, which include ransomware, hit a record 610 reported cases in 2019. Last year, the count nearly doubled to 1,116 cases, and it was at 971 cases this year as of August 18. “We’re definitely on an upward trend,” D’Arruda said.

The same is true nationally. Michael Nauert, an FBI Special Agent for cybercrime and intrusion investigations, said complaints nationally have jumped from nearly 300,000 in 2016 to nearly 800,000 last year, while losses due to cybercrimes have grown from $1.5 billion in 2016 to $4.2 billion last year. Business email compromises, where a criminal gains unauthorized access to email accounts to seek payments of fake invoices or transfer funds, cost nearly $1.9 billion last year. “Bad guys have gotten a lot more crafty with targeting high level executives or financial officers of organizations in crafting those emails to draw an employee to want to click on that link,” Nauert said.

Other vulnerabilities for companies include attackers gaining access to remote desktop logins and software with security weaknesses. Additionally, managed service providers and third parties that companies use for services can introduce other risks. “You can spend a ton of money on cyber security, but you’re only as strong as your weakest link,” Nauert said. “If your vendor isn’t up to snuff with their cyber hygiene, it’s a big exposure point.”

Peter McClelland, a privacy, data security and technology attorney at Ward and Smith, said businesses can learn from how the U.S. Department of Defense assesses cyber risks and addresses them. The Defense Department developed a framework called the Cybersecurity Maturity Model Certification (CMMC) with tiers from 1 to 5 that require higher levels of security based on the data being protected. McClelland encouraged companies to use CMMC as a baseline when signing contracts with vendors so it’s clear how risk is being allocated between the company and a vendor. He noted the “gold standard” is requiring vendors to provide third-party certification that they are encrypting data, conducting risk assessments and following other safety procedures. “Building those into your vendor contracts is a way you can make sure they are less likely to have a breach, and you have some legal protection on the business side of things,” McClelland said.

Having these protections in place can also make cyber insurance more affordable, since insurance companies will likely offer lower premiums if high security standards are in place. McClelland warned, though, that cyber insurance should be used to cover measurable gaps in exposure, not as a substitute for putting protections in place.

One of the most important steps a company should take is having an incident response plan in case a breach occurs, training employees on the plan and testing it. Rob Duggan, the director of Technology Risk Advisory Services at Earney & Company, stressed that robust cyber awareness training is critical since 60 percent of breaches are the result of employees’ unintended actions — often by clicking on email links and attachments. “Make sure employees understand the risks,” Duggan said. He added that companies should regularly run simulated email attacks to see if the training worked and address any issues.

Companies need to recognize that monitoring cybersecurity is now a regular part of running a business. The creativity, speed and sophistication of cyberattacks continue to evolve, particularly as hackers use machine learning and artificial intelligence. “People want to imagine that the online portion of their businesses are like a castle, with lots of available defenses to keep nefarious individuals at bay,” Duggan said. “The reality is that there are multiple points of access.”

Having a mature network infrastructure, making sure security updates are automatically installed and getting an independent cyber assessment annually are all important aspects of decreasing the risk of attacks. “Most people know they have to manage the security of their network,” Duggan said. “What many people fail to recognize is they also have to be cognizant of the level of security employed by subcontractors and managed service providers.”

William Wetherill, UNCW’s chief information security officer, said organizations need to balance the complexity of securing multiple systems against making sure users have easy access and don’t resort to workarounds to avoid annoying security protocols. “The human element really does matter,” Wetherill said. With more people working remotely due to Covid-19, the risk of company data being on unsecured networks has increased. Companies must be more vigilant to make sure security measures are being followed. “If you have a ransomware, you may not have a business tomorrow,” Wetherill said. “Cybersecurity risk is not different than hurricane risk.”

The first step in most businesses is getting all senior leaders to recognize the threats, not just the head of IT. “I’ve run into situations where the president is on Windows 7 because he doesn’t want to upgrade,” Duggan said. “You’ve got to go tell Mr. President that he’s going to be the weakest link, and he’s going to take his own company down.”



Earney & Company’s Technology Risk Advisory Services recommends these practices for companies and other organizations to protect themselves:

1. Employee education – cybersecurity awareness training, simulated phishing exercises and an information security policy

2. Resilience – data backup and incident response procedures, data encryption and cyber insurance

3. Network security and access controls – automated updates, multi-factor authentication and advanced firewalls

4. Threat identification and risk management – annual risk assessment, security planning and vendor evaluations

Takeaways from Ward & Smith’s Privacy and Data Security practice:

1. The past few years have witnessed a significant increase in security incidents.

2. Third parties are increasingly impacted by security breaches targeting business partners and suppliers.

3. Risk allocation between parties is — or should be — governed by a contract.

4. It’s critical to ensure that cybersecurity and legal/risk allocations are included in your contract review process.

5. Having a third-party review to certify your business partners’ security practices is the gold standard.

More Resources:

• Ward & Smith – wardandsmith.com (click on Practice Areas and then Privacy and Data Security)

• Earney & Company – earneynet.com (scroll over Solutions and click on Information Security & Privacy)

• FBI Internet Crime Complaint Center (IC3) – ic3.gov/Home/Ransomware

• North Carolina Cybersecurity Incident Report Form – It.nc.gov/report

UNCW’s Center for Cyber Defense Education
uncw.edu/ccde

Launched in April of 2018, the Center is dedicated to raising awareness levels of cybersecurity issues and supporting the development of Cyber Defense expertise in all UNCW Students, Faculty and Staff. The Center also strongly advocates a more savvy cyber posture for practitioners of all academic disciplines, occupations and walks of life. UNCW is designated as a Center for Academic Excellence in Cyber Defense Education (CAE-CD) through 2023, a designation given by the National Security Agency (NSA) and Department of Homeland Security (DHS).

SPONSORS’ CONTENT DISTRIBUTED BY GREATER WILMINGTON BUSINESS JOURNAL

