On Wednesday, June 28, Bay Planning Coalition held a workshop on Confronting Bay Area Cyber Risk, where experts in cybersecurity and information technology discussed the cybersecurity issues facing businesses and utilities in our region and the steps that organizations can take to address them.
Topics covered included:
- What is a “cyber event”? Panelists discussed what counts as cyber event and there are many things that count as one but which never make the headlines, such as the rampant hacking of unprotected residential wireless routers. Also, terms like “breach” actually have very specific meanings, and can cause problems if used too readily.
- The importance of preparing and practicing a plan for what to do in the event of a cyber attack. All of the experts stressed how critical it is that organizations have a plan in place for what should happen if they detect that their system has been compromised. Having relationships with key experts, from outside counsel and law enforcement to PR professionals familiar with cyber issues – and knowing who will call them when – is very important. Also important is practicing the plan enough that it is familiar to everyone involved and can be enacted quickly if needed.
- When to involve law enforcement. Whether and when to alert law enforcement of a cyber attack is a complicated question. The patchwork of state laws in effect throughout the country related to obligations to inform law enforcement (and consumers) makes this issue even more tricky. One benefit to contacting law enforcement when there is a true breach is that their involvement can “stop the clock” on the time requirements for consumer notification, but there are also negatives like the fact that law enforcement will need full access to your systems and they will essentially be treated like a crime scene, which could greatly impact operations. One clear suggestion was that organizations develop relationships with law enforcement in advance so that there is open communication and the response by all involved can be most effective.
- Quantifying your cyber attack risk. There are a wider range of costs associated with a cyber attack than most organizations realize, even in cases where there is not disruption to operations. Examples include investigation costs and staff time. Properly evaluating the costs of addressing a cyber event also make it easier to secure a more effective cyber risk insurance policy.
- The evolving nature of the cyber risk insurance landscape. As cyber attacks increase and become more complex, so do the options for related insurance coverage. At the same time, securing this type of policy is becoming more affordable. Some of the things that can be covered by cyber insurance policies include ransom payments, wages paid to employees who spend time addressing a cyber event, and the cost of outside experts. There are attorneys who specialize in helping their clients negotiate coverage that best suits their needs. Additionally, insurance companies are now offering a growing number of “pre-breach services” that help clients reduce the risk of an attack happening in the first place.
- Cybersecurity requirements for outside vendors. Organizations sometimes overlook the risk they undertake when working or sharing information with an outside vendor, such as a law firm. If the outside organization does not have effective protections in place against cyber attacks it could put your organization at great risk. More and more vendor contracts are requiring proof of sufficient safeguards.
- The importance of strong, regularly updated passwords. In and out of the office, all of us need to be vigilant about the strength of our passwords. It is critical that they are unique and long enough and also that we update them on a regular basis. Additionally, organizations should eliminate general system accounts that multiple people can use, such as “admin” accounts. Port of Oakland has made this a priority and has tried to make certain that credentials are created for and used only by specific individuals.
- Employee training. Some of the simplest and least expensive options for reducing an organization’s cyber risk is basic training of its employees. Several examples were given of “test” emails being sent to employees that include links that should not be trusted and then monitored to see how many people clicked on the link when they should have known better. In one example, people who clicked on the link for free Washington Redskins tickets are then directed to a conference room in the office to pick them up. What they received instead was a surprise cybersecurity training session…
- Today’s cyber criminals. Many of today’s cyber criminals are people who used to be involved in more traditional types of crime (guns, drugs, etc.) but have found it easier and more profitable to engage in hacking, identity theft, and other cybersecurity-related crimes. They are not necessarily technologically savvy, but that doesn’t seem to be a requirement for them to be successful since so many organizations and individuals are not vigilant about protecting their information. Also, many of the cyber criminals are well-organized into groups with leaders; almost like actual businesses.
- The issues faced by school districts and other public entities. It is especially hard to protect the networks of school districts and, very likely, other public entities like libraries, both from attack and from use by criminals to stage attacks on others. There is technology available that could help, including some that blocks the use of certain problematic apps, but it is unfortunately still very costly. This is an evolving issue that may require more attention as the problem spreads.
- The difficulties and increased risk faced by smaller public utilities. While large public utilities, as well as larger refineries and ports, are all able to build an effective information technology and cybersecurity team and approach, many of the smaller organizations are at greater risk since they do not have the funds or manpower to do so. This is something on the radar of government agencies like the Department of Homeland security, but it is a growing issue as the overall cyber risk threat level increases.
- What to focus on more – preparedness or response? There were differing views among the experts about whether preparedness or response capability demands more attention and resources. On one hand, focusing on preparedness and prevention may help reduce the risk of a cyber event from happening or help an organization reduce the impact of one that does happen, but on the other hand there is more and more evidence that cyber events are simply inevitable and being able to effectively respond to them may be most important.
Bay Planning Coalition thanks Marsh & McLennan Companies for hosting the event at their San Francisco office, as well as all of the speakers and audience members who participated in making this such a valuable event. A great conversation has been started and we look forward to bringing more attention to the topic of cybersecurity and its connection to the stability of our region and its infrastructure.
- Click here to see the agenda and speaker biographies from the event.
—
“The Bay Planning Coalition is a non-profit organization well known for its advocacy and credibility in the San Francisco Bay Area corporate and environmental community. When we speak about an issue, legislators and regulators listen.” – John A. Coleman CEO