407-445-2414 info@wrmllc.com
8 steps to a stronger cybersecurity strategy

If there’s an attack on the country, the military mobilizes. When a natural disaster strikes, recovery plans go into effect. Should an infectious disease start to spread, health officials launch a containment strategy. Response plans are critical to recovery in emergency situations, but when it comes to cybersecurity, a majority of industries are not paying attention.

“The reality is no matter how amazing you are with your prevention capabilities, you’re going to be hacked,” said Mohammad Jalali, a research faculty member at MIT Sloan whose work is currently focused on public health and organizational cybersecurity. “Then what are you going to do? Do you already have a good response plan in place that is continuously updated? And communication channels are defined, and stakeholder responsibilities are defined? Typically the answer in most organizations is no.”

To help address cybersecurity weaknesses in organizations, Jalali and fellow researchers at Cybersecurity at MIT Sloan Bethany Russell, Sabina Razak, and William Gordon built a framework of eight aggregated response strategies. They call it EARS.

Jalali and his team reviewed 13 journal articles involving cybersecurity and health care to develop EARS. While the cases are related to health care organizations, the strategies can apply to a variety of industries.

The EARS framework is divided into two halves: pre-incident and post-incident.

Pre-incident

1 — Construction of an incident response plan: This plan should include steps for detection, investigation, containment, eradication, and recovery.

“One of the common weaknesses that organizations have is they put together an incident response plan, but the problem is that documentation is usually very generic, it’s not specific to the organization,” Jalali said. “There is no clear, specific, actionable list of items.”

Make sure that everyone in the organization knows the plan, not just the employees in the IT department. Set clear channels of communication, and when assigning responsibilities, make sure they are clearly defined.

2 — Construction of an information security policy to act as a deterrent: Clearly defined security steps establish and encourage compliance.

“Many companies think that compliance is security,” Jalali said. “[That] if you just follow the information you’ll be taken care of.”

Don’t set the bar so low that the organization is not secure. Regulations should ensure an understanding of cyber threats. Establish motivational reasons for the response teams to follow reporting policies. Compliance should go hand in hand with continuous improvement.

3 — Involvement of key personnel within the organization: No matter the size of an organization, key leaders need to be educated on the importance of cybersecurity and be ready to act according to the response plan.

Leaders don’t have to be cybersecurity experts, but they need to understand the impact an incident will have on their organization. The more informed they are, the more involved they can be in a response plan.

4 — Regular mock testing of recovery plans: Recovery exercises help organizations stress-test plans and train employees on proper response protocols.

If the organization only tests its recovery plan during an actual emergency, it’s likely to run into serious issues, which could increase the amount of damage caused by the cyber incident.

The shift from a reactive to proactive stance can help an organization identify weaknesses or gaps in its recovery plan, and address them before an incident occurs.

Post-incident

5 — Containment of the incident: Containment involves both proactive and reactive measures.

It’s easier to cut off infected devices from a network if they’re already segmented from other devices and connections prior to an incident. The researchers concede that it’s not always possible to segment networks, nor to disconnect an infected device from the whole system immediately. At the very least, immediately report the infected device to the organization’s IT team to contain the incident.

6 — Embedded ethics and involvement of others beyond the organization: It’s important to remember that all of an organization’s stakeholders could be impacted by a cyber incident.

Promptly notify legal counsel and relevant regulatory and law enforcement agencies. Consider help from external resources and share information about the cyber threat.

7 — Investigation and documentation of the incident: Be timely and thorough; every step of the pre- and post-incident reaction should be documented.

The investigation should aim to find the root technical cause of the issue, as well as the weaknesses that, once fixed, could prevent future attacks. Proper documentation is a necessity for this analysis.

8 — Construction of a damage assessment and recovery algorithm: Organizations should self-evaluate after the incident.

While computers are where cyber attacks happen, they can also be used to help with recovery. Organizations can leverage the power of computers, especially artificial intelligence, for real-time detection and containment of incidents.

“The commonly used frameworks for incident response strategies often miss this essential step,” Jalali said, “even though there are already AI-based products for this very purpose.”

Author: Meredith Somers
Source: MIT Management

4 Ways Scenario Planning Supports Decision-Making

Have you ever been in the room when someone suggested doing scenario analysis? Did you see everyone in the room cringe at the thought?

I have, and I felt pity for the person who made the suggestion.

Most likely, everyone in that room has gone through the endless “what if” scenario analysis that takes 4 or 5 hours and ends without any solid conclusions.

But if done correctly, scenario analysis can be extremely effective in its support of decision-making.

Personally, I prefer to use the term “scenario planning” instead of “scenario analysis” for the simple reason that “scenario analysis” sounds painful and very computer-driven. On the other hand, scenario planning is human-based and sounds like the effort and results will be useful for the participants and the final audience.

At its core, scenario planning is a “creative and structured process to guide deliberate thinking about risk,” as defined by Arie de Geus in his book The Living Company. De Geus, as the corporate planning coordinator at the Royal Dutch/Shell companies, used scenario planning and described its effectiveness in this Harvard Business Review article…from 1988!

So, with all that being said, how can scenario planning support decision-making?

1.   Tests and validates assumptions being made as part of the planning process

When corporate planning occurs, whether called strategic planning, annual planning or something else, management believes that a certain set of assumptions will become true. How many times has management stated an assumption as fact? But what if they are wrong?

2.   Provides management with the tools to proactively prepare

Risk management activities are supported by scenario planning, which looks at possible events. While most people inherently want to say the most positive event will occur, proactively preparing for events is always better than being reactive. Being proactive rather than reactive is a key difference between traditional risk management and ERM.

3.   Encourages innovation

Scenario planning helps people to think outside of their comfort zone, taking next steps to a big innovative moment. Sometimes that innovation is triggered by the proactive preparation. An organization that is constantly innovating is a step ahead of its competitors.

4.   Gives the organization a competitive advantage

Being prepared and innovative are two enormous parts of a competitive advantage. What company would not want that?

Management improves its way of making decisions simply by using scenario planning. It will take time for this way of thinking to take hold, but it stands to reap immeasurable benefits in both the short- and long-term.

After all, de Geus believes that scenario planning is the reason there are companies that last for 200 and 300 years. From the same Harvard Business Review article,

Sociologists and psychologists tell us it is pain that makes people and living systems change. And certainly corporations have their share of painful crises, the recent spate of takeovers and takeover threats conspicuously among them. But crisis management—pain management—is a dangerous way to manage for change.

Once in a crisis, everyone in the organization feels the pain. The need for change is clear. The problem is that you usually have little time and few options. The deeper into the crisis you are, the fewer options remain. Crisis management, by necessity, becomes autocratic management. The positive characteristic of a crisis is that the decisions are quick. The other side of that coin is that the implementation is rarely good; many companies fail to survive.

The challenge, therefore, is to recognize and react to environmental change before the pain of a crisis. Not surprisingly, this is what the long-lived companies in our study were so well able to do.

All these companies had a striking capacity to institutionalize change. They never stood still. Moreover, they seemed to recognize that they had internal strengths that could be developed as environmental conditions changed.

Don’t you want your organization to be around for 300+ years? Embedding scenario planning into management’s decision-making processes will help make that happen.

Author: Carol Williams

Source: ERM Insights

Managing, Protecting and Recovering Critical Documents

An often overlooked part of the massive losses suffered by businesses, academic institutions, and other organizations as a result of fires, floods, and other severe weather is the damage to critical records and documents. By not protecting and insuring these documents, organizations can face significant business continuity losses and compromised client services. There are several important steps that prudent risk managers can take to ensure that their critical documents are managed properly and protected as much as possible from a potentially damaging event.

1. Understand Document Retention Requirements and Dispose of Unnecessary Documents
Document retention requirements are determined by city, state and federal regulations, and can vary by document type. A general rule of thumb is that financial records should be kept for seven years. Health records for children must be retained for 25 years. Deeds and loan documents must be kept permanently. Establishing a consistent base volume of stored records and documents can help determine the necessary level of insurance coverage. The longer the retention period, the greater the risk, so purging documents that need not be retained reduces the chance that damage will occur.

2. Assess Document Exposure
Determining the level of document exposure depends on the answers to several questions. First and foremost, what is the volume of critical documents? The more documents stored, the greater the cost to insure them. The more densely they are stored, the greater the localized risk.

What type of recovery service is necessary? This answer will vary from business to business. If original documents are required, they will likely be returned after drying and cleaning with visible signs of damage, such as stains and bleeding of ink. This may be fine for archived files but may cause problems for businesses such as medical facilities, law and accounting firms, and their clients. In another instance, a mortgage title company may likely want a drying, sterilization and cleaning option even when their documents are affected by Category III water (highly contaminated water such as sewage or floodwaters, also known as blackwater). Faced with the same dilemma, a medical facility is likely to prefer reproduction or imaging.

Is immediate access to documents important in the wake of a calamitous event? This will determine which of the two basic techniques for document drying is most appropriate. Vacuum freeze drying provides the best results for books and clay-coated paper. However, capacity is limited by the size of the drying chambers and backlogs can quickly develop if a document recovery specialist relies solely on this method. Desiccant drying effectively processes large quantities of documents, but causes wrinkling and requires trained technicians to avoid secondary damage to documents during the recovery process.

The information gleaned from the answers to these questions can be extremely useful in determining the potential cost of document and record restoration. However, there is no standard formula or computer model to generate cost estimates. Instead, the number of documents required for retention and the qualitative requirements of that retention are used to develop a hypothetical, industry-average cost estimate for a worst-case scenario loss.

It is important to remember, however, that any assessment of this kind cannot determine the cost of a total loss. Establishing the cost of drying 100 boxes of documents submerged in water for two days is doable. Understanding the cost of recovering those 100 boxes after they have been burned to ash is not.

3. Ensure Adequate Insurance Coverage
The cost of insurance is typically determined by the cubic feet of stored documents and records to be covered. A range of $100 to $1,000 per cubic foot can provide a general low-to-high estimate of coverage needed. Depending on the potential needs within that range, the type of coverage is another critical consideration.

Many insurance policies will specifically exclude coverage for documents under the contents verbiage of the policy. Instead, insurers want customers to address specific coverage of documents under the valuable papers portion of the policy. Valuable papers coverage is often described in the policy as the time to research, verify, and recreate files or information that have been damaged in a loss. Valuable paper coverage is broad and often will address the issue of document reproduction or imaging.

Valuable papers coverage is a reasonable “extension of coverage” on insurance policies, with coverage amounts ranging from $25,000 for standard coverage to several million dollars for specialty classes of businesses. Standard limitations may be adequate for small losses, but most likely will not be adequate to cover a major loss that would require the treatment of large numbers of documents. Ironically, the rule of thumb in the document restoration business is that the average client is under-insured.

Often, the key variable is how the adjuster will interpret the policy. Some adjusters will allow drying and cleaning documents to fall under business personal property coverage because the documents are tools used for conducting business. This enables the original documents to be dried and/or cleaned and returned to use. The argument is documents such as medical charts are not just valuable papers or papers per se. The information on them is organized, regulated in how it can be amended or altered, and the charts must be bound in a specific manner.

An important element of adequate insurance coverage is the quality of the claims handling process, which can be defined as the immediate response to the loss. Specific wording to this effect in the insurance policy will help, as will periodic meetings among the insured customer, insurance professional, and document restoration firm over the course of the policy period.

4. Preselect the Right Document Recovery Firm
There are only a handful of qualified document recovery firms in the United States.  Preselecting one of them is not a process that should be taken lightly. Risk managers, who are serious about defining their exposure, should conduct in-person interviews with key document specialists — as opposed to area representatives or salespeople — from the firms they are considering.

There is no standard pricing in the document recovery industry. Basic services are typically measured by the cubic foot. However, one firm may charge $40 per cubic foot for drying and $35 per cubic foot for labor, handling, and packaging, while another will charge an all-inclusive $72 per cubic foot for these services.

There are a number of differentiators among these firms in addition to price. Do they have the capability to handle a document restoration project on-site if necessary? What security measures do they employ — both on-site and in their plant? How quickly can they respond to a loss and provide a complete quote for the work? What is their backlog? Can they provide access to documents during the recovery process? Do they do the work in-house, which is preferable to ensure a timely response and open lines of communications between client and document recovery firm, or do they subcontract to another vendor? Do they itemize invoices, including all services and supplies? Are they appropriately insured, including sufficient pollution coverage?

Lastly, there are a number of external signals about a document recovery firm’s qualifications. Firms that are preferred vendors with well-known national insurance carriers have qualified on the basis of security, financial stability, quality control and accountability. Letters of recommendation from previous clients are also a good indicator of past performance.

Source: Risk Management Monitor

Author: Rob Schmidt

‘Data breach fatigue’ may breed complacency about online security

First, it was the Ticketfly hack in May. My email was among the 27 million accounts stolen from the events company.

According to the website Have i been pwned?, which monitors data breaches, my personal email has also been found in records stolen from sites like Tumblr and LinkedIn.

By the time the Ticketmaster and PageUp data breach notification emails landed in my inbox weeks later, my attitude had devolved from concern to extreme digital nihilism.

Am I suffering from data-breach fatigue?

Peter Singer, a strategist and senior fellow at New America who writes about cybersecurity, is worried that after all the hacks, data dumps and servers left unprotected, we may be tuning out.

Data breach fatigue

Troy Hunt, who runs Have i been pwned?, has seen the rate and size of data breaches grow since he founded the site in late 2013.

Rather than becoming fatigued, he suggested people simply accept such incidents are now “a normal part of online life”.

“I’m actually finding … that people are judging companies less on the fact they’ve had [a data breach], and more on how they’ve dealt with it,” Mr. Hunt said.

What should I do after a data breach?

  • Change your account password and get a password manager
  • Report financial losses to the Australian Cybercrime Online Reporting Network
  • Check your bank account for unusual charges
  • If your credit card details have been lost, contact your bank
  • Be alert to any phishing emails

— The Conversation

We don’t yet know much about “data breach fatigue” as a measurable phenomenon, agreed Cassandra Cross, an online fraud researcher at the Queensland University of Technology.

“I don’t really think we know … whether people are making choices to do things differently, [or] whether they’re just ignoring it,” she said, suggesting more work needs to be done.

Rui Chen, an information systems academic at Iowa State University, investigated consumer attitudes after online security incidents.

In 2015, the US Office of Personnel Management (OPM) lost more than 4.2 million personnel files, among other sensitive documents.

Dr. Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.

After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.

In other words, Dr. Chen said, “we can see that the public is gradually losing interest in reacting to this news”.

The effects of ‘fatigue’

If people don’t take breaches seriously, they may not follow instructions to protect themselves, such as changing passwords or using credit-monitoring services.

But our understanding of how people do respond is limited.

“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.

“It’s the norm of this digital world.”

These incidents can also feel quite abstract, Dr. Cross added.

Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.

For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.

“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.

Real-world effects

New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.

Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.

You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.

“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.

A badly handled data breach can also dent a company’s reputation.

Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.

Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.
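The plaintext storage Hunt criticises is worth seeing beside the alternative. The following is an added example, not code from the article or from Have i been pwned: it contrasts a record that simply is the password with a salted, deliberately slow PBKDF2 record, and shows what a stolen table reveals in each case. It uses only the Python standard library; the user records and the iteration count are constructed for the demonstration.

```python
# Added example (not from the article): plaintext vs. salted, slow password hashing.
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; chosen here for the demo, raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The weak pattern: the stored record *is* the password.
    Anyone who reads the table (or a backup, or a log line) holds every credential."""
    return password


def store_hashed(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 record in a self-describing 'iterations$salt$digest' format.
    A fresh random salt per user means equal passwords produce different records."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a mismatch does not leak which byte differed."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_reveal_reuse(records: list) -> bool:
    """True when two stored records are identical. In a leaked table that tells an
    attacker at a glance which accounts share a password (plaintext storage, or
    hashing without a per-user salt); salted records never collide this way."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same password.
    users = {"alice": "Summer2018!", "bob": "Summer2018!", "carol": "correct horse battery"}
    plaintext_table = {u: store_plaintext(p) for u, p in users.items()}
    hashed_table = {u: store_hashed(p) for u, p in users.items()}
    print("plaintext table exposes reuse:", records_reveal_reuse(list(plaintext_table.values())))
    print("hashed table exposes reuse:   ", records_reveal_reuse(list(hashed_table.values())))
    print("login check for bob:", verify_hashed("Summer2018!", hashed_table["bob"]))
```

The iteration count is stored inside each record so it can be raised later without invalidating old accounts: verify with the stored count, then re-hash on a successful login. Hashing slows a breach down rather than neutralising it; a weak or reused password is still crackable offline, which is why Hunt's closing advice on unique passwords and two-factor authentication still applies.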

On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.

The group was swift to act and tell the public — and was apologetic throughout.

As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.

“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.

Source: ABC

Author: Ariel Bogle

Travel-Related Breaches: Mitigating the Risks

The hacking of a medical clinic employee’s email account during overseas travel demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.

Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.

The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.

What Happened?

Billings Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.

“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”

The affected email account contained information on 8,400 individuals, including patient name, date of birth, contact information, medical record number, internal financial control number, diagnosis and limited information about medical services received, the clinic reports.

“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.

Earlier Incident

As of July 16, the hacking incident was not yet listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – which lists breaches affecting 500 or more individuals.

That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.

In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.

A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.

The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.

Overlooked Risk?

Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.

“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi,” she says.

Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.

“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.

Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”

Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs whose networks your traffic is traversing.”

Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.

“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”

Steps to Take

McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”

But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”

Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.

There have been reports of some private airplane flights having “hidden cameras” in them recording the screens of laptops passengers used during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.

Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.

“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”

Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”

Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”

Author: Marianne Kolbasuk McGee

Source: infoRisk Today