Beep boop - this is a robot. A new show has been posted to TWiT…
What are your thoughts about today’s show? We’d love to hear from you!
I agree with a lot of what was discussed around cyber security and recruitment. Those who know their subject are often lousy communicators and can’t write a decent CV; it might be better to sort out the good CVs and just look at the lousy ones. OK, not really, but they shouldn’t be discounted out of hand.
As to the subject of insurance not paying out on crypto and other cyber attacks, I think this is a positive move. As long as the executives think, “oh, we’ve got insurance for that,” there won’t be any improvement. With health and safety, they have insurance for employee compensation, but they also have legal restrictions and guidelines on health and safety, and if they break those rules they will be fined, which shouldn’t be covered by the insurance; possibly the insurance won’t pay out if the employer was negligent. This needs to move over into cyber security.
Accidents can happen, but if even the most basic precautions haven’t been taken, the insurance shouldn’t pay out and the company should face prosecution under data protection laws. Only once they’ve taken things seriously and still fallen afoul of a zero day that they had no chance of protecting against should the insurance cover them.
Old and outdated equipment was the attack vector? Only got themselves to blame, no payout. Lack of employee training led to the user opening a phishing email and letting the attacker in? No payout.
Data leaked as part of the attack? Under GDPR, that should lead to a hefty fine.
If the equipment is all up-to-date, the employees have been trained and the attacker used some new, refined attack, yes, that is genuine bad luck and should be covered.
But executives shouldn’t be rewarded for corporate negligence.
And, as to backups, regularly test them! Do a full restore of key machines, or restore some random files from a file server, on a regular basis to ensure that the backups are working. If you don’t test, you only have a process; you can’t say you have any backups!
Jim made an off-hand remark about Colonial and if they had had a proper backup, it wouldn’t have taken 12 days to recover…
Partly true, but:
Only once all of that has been done, are you really back up and running.
And it isn’t just the servers; you need to thoroughly check every device on the network. Is the malware sitting on a PC, tablet or industrial controller somewhere, just waiting to strike again?
You might be able to recover the data in a few hours, but having a trustworthy and working system is going to take days, no matter how good your backups are.
Brian made a good observation, that the US is looking to treat cyber attacks as terrorism. That is a good start.
He also said that maybe companies should be required to report attacks. That is already the case in Europe for any local or multi-national: if their data is compromised (and if the attacker had enough access to the network to encrypt the data, the data is compromised), they have 72 hours to report the attack to the relevant data protection authorities. Failure to report leaves them liable to fines of 25M€ or 4% of world-wide turnover, whichever is the greater.
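The restore test the commenter calls for (restore a random sample of files from a file-server backup and check they match), as an added example that is not part of this thread or of any TWiT material: it takes a tar archive, restores a random sample of its members into a scratch directory, and compares each restored file's SHA-256 with the live copy, so a backup that is stale, truncated or missing files is caught before you need it. It assumes a POSIX shell with tar, mktemp, sort -R and either sha256sum or shasum on PATH; the "file server" tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a restore test for a tar backup.
# Assumptions: POSIX sh, tar, mktemp, sort -R (GNU or BSD), and sha256sum
# (Linux) or shasum (macOS). The sample tree in make_sample_tree is constructed.

digest() {
    # SHA-256 of one file, portable across sha256sum and shasum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_sample_tree() {
    # constructed stand-in for a file server share, rooted at $1
    mkdir -p "$1/finance" "$1/hr/2023"
    printf 'ledger Q1\n' > "$1/finance/ledger-q1.csv"
    printf 'ledger Q2\n' > "$1/finance/ledger-q2.csv"
    printf 'payroll\n'   > "$1/hr/2023/payroll.txt"
    printf 'policy\n'    > "$1/hr/policy.md"
}

take_backup() {
    # full backup of source dir $1 into tar archive $2
    tar -C "$1" -cf "$2" .
}

verify_backup() {
    # verify_backup SRC ARCHIVE N
    # Restore N randomly chosen files from ARCHIVE into a scratch dir and
    # compare each with the live copy under SRC. Prints one line per file.
    # Returns 0 only if every sampled file restores byte-for-byte.
    src="$1"; archive="$2"; n="$3"
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/restore"
    rc=0
    # member list: drop directory entries (trailing /), shuffle, keep N
    tar -tf "$archive" 2>/dev/null | grep -v '/$' | sort -R | head -n "$n" > "$scratch/sample.lst"
    if [ ! -s "$scratch/sample.lst" ]; then
        echo "EMPTY: $archive lists no files (missing or unreadable archive)"
        rm -rf "$scratch"
        return 1
    fi
    while IFS= read -r member; do
        # a member that will not extract means a truncated or corrupt archive
        if ! tar -C "$scratch/restore" -xf "$archive" "$member" 2>/dev/null; then
            echo "MISSING: $member (not restorable from archive)"
            rc=1
            continue
        fi
        if [ ! -f "$src/$member" ]; then
            echo "ORPHAN: $member restored but no longer on the source"
            rc=1
            continue
        fi
        if [ "$(digest "$src/$member")" != "$(digest "$scratch/restore/$member")" ]; then
            echo "MISMATCH: $member differs from the live copy"
            rc=1
        else
            echo "OK: $member"
        fi
    done < "$scratch/sample.lst"
    rm -rf "$scratch"
    return $rc
}

demo() {
    # a fresh backup passes; the same archive fails once the source has moved on
    work=$(mktemp -d)
    make_sample_tree "$work/share"
    take_backup "$work/share" "$work/share.tar"
    echo "-- fresh backup, random sample of 2 files:"
    verify_backup "$work/share" "$work/share.tar" 2 || echo "(unexpected failure)"
    printf 'ledger Q2 restated\n' > "$work/share/finance/ledger-q2.csv"
    echo "-- source changed after the backup, full sample:"
    verify_backup "$work/share" "$work/share.tar" 99 || echo "restore test FAILED: do not trust this backup"
    rm -rf "$work"
}
demo
```

Run it from cron against a real share and a real archive, with the sample size large enough that a silently failing job is caught within a few runs; a non-zero exit is the signal to page someone, because the point of the test is that you find out now rather than during an incident.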