If you have been following our cyber-resilience blog series, it may come as no surprise that yet another cybersecurity attack is making national headlines. On May 7, 2021, cybercriminals managed to breach Colonial Pipeline’s systems with a ransomware attack, halting 5,500 miles of pipeline carrying refined gasoline and jet fuel from Texas up the East Coast to New York. The pipeline carries 45 percent of the East Coast’s fuel supply, leaving consumers scrambling to obtain fuel over the six days of the shutdown. The shutdown was Colonial Pipeline’s effort to help minimize the impact of the breach, and lucky for us, they were able to rectify the situation and restart the pipeline within a week. However, that week caused significant damage and left us with questions about the security of our energy infrastructure.
As mentioned in the first blog post of our cyber-resilience series, determined hackers can eventually get into your systems no matter the size of your business. Even with the resources of a larger company like Colonial Pipeline, hackers infiltrated and caused harm. With this in mind, small- and medium-sized businesses (SMBs) must remain vigilant when it comes to cybersecurity as they remain an attractive target to cybercriminals. To increase cyber-resilience, we recommend implementing deterrence-based/preventative controls. As a reminder, our first two blog posts in this series cover these deterrence-based tactics, and our final post will provide strategies to reduce the impact of a cybersecurity breach. Our initial blog post focused primarily on email security, but there are other pieces of the cybersecurity armor that you should have in place to increase your cyber-vigilance. Let’s start with patching.
There is no excuse not to patch servers and user endpoints on a defined and consistent cadence. It is a critical part of your cyber-vigilance armor and could decimate your environment and ability to conduct business if not put in place. As an example, if your company is heavily dependent on business during the holidays, and you want to disable patching (to ensure systems are in a known, steady state) – it’s a good bet that the bad guys are thinking the same thing and will potentially take advantage of the opportunity.
While we are discussing patching, be sure to upgrade all sunset versions of applications and operating systems (e.g., Windows 7, Windows Server 2008). Sunset versions are no longer supported by the vendor, and current patches to identified threats are not available. Therefore, these applications and operating systems are extremely vulnerable to exploitation. For quick reference, Microsoft’s website offers information about all of their products’ lifecycles.
Password Management Tools
Saving passwords inside your web browser is a known “what not to do.” However, most employees resort to saving passwords this way because it’s easy and built right into the browser. Consider providing licenses for enterprise-grade password managers (as little as $3 monthly per user) to give staff members a better option for generating secure and randomized passwords for both work and personal websites. Many of these tools provide work and personal containers for passwords, so when employees separate from the company, the SMB can remove access to those work passwords.
As discussed in our previous blog post, your SMB should have already enabled Multifactor Authentication (MFA) for email. Now, focus on enabling MFA throughout your enterprise for every hosted application. If the application doesn’t support it, consider making a change. The same rules apply here for hosted apps as they do for email MFA. Where possible, require the use of an app for MFA and disable texts or calls.
Secure Your (User) Endpoints
Think of user endpoints as workstations, laptops, phones and tablets. All workstations and laptops should be encrypted. Further, those devices should have antivirus and anti-malware software that is automatically updated. Consider removing local administration rights from those devices to prevent the installation of unapproved software.
For phones and tablets where access to corporate email is allowed, security should include Mobile Device Management (MDM) via a software solution or other group policy that enables remote wipe and locks the device after x number of incorrect attempts (you get to determine the “x”). Additionally, the use of antivirus and anti-malware software on phones and tablets is more commonplace these days and should also be considered.
Go Beyond the Cybersecurity Questionnaire
When it comes to cyber-resilience, it remains essential that SMBs use cybersecurity assessments as part of their deterrence strategy. Cybersecurity assessments will always begin with a questionnaire to document what cybersecurity controls are believed to be in place. BUT, how do you ensure this questionnaire is accurate? Often answers are provided by IT team members who are juggling a multitude of tasks. That may leave you with a questionnaire based solely on inquiry that was completed quickly and doesn’t accurately reflect your environment and its configuration.
To validate that your security is as expected, consider going beyond the questionnaire and implementing “targeted” reviews of controls believed to be in place. These reviews include reviewing the actual design and implementation of any of the areas identified above as well as others like password configuration, number of administrators, wiring configuration, firewall rules, etc. You can help defray costs by doing targeted/mini-reviews over a period of time, which will also assist with getting your SMB into the cadence of assess, remediate, validate and repeat.
Where to Go From Here
Now your cybersecurity toolbox should include a variety of deterrence tactics to help your SMB maintain cyber-resilience. Our goal here is to deter the predators and push them to more susceptible prey. Supplementing the items listed above with cybersecurity insurance is another best practice to research and implement. Stay tuned for part 3 of this blog series, where we will discuss reducing the impact of cyber breaches.
Jon Powell, CPA, CITP, CISA, is a Partner in Moore Colson’s Risk Advisory & Compliance Services Practice. In addition to leading the cybersecurity initiatives, Jon leads the IT audit practice for the firm, including Sarbanes Oxley initiatives, internal audit co-sourcing partnerships, SOC audits and other compliance engagements.
Jon is part of Moore Colson’s Convenience Store Industry Leadership Team, which also includes Todd McMullen, CPA, Partner; Steven Murphy, CPA, Partner; and Stacey Martin, CPA, Tax Senior Manager.