As Tropical Storm Fred is traveling towards Southeast Alabama, now is the time to take action and be prepared to protect your computers, printers, files and data.

1. ENSURE YOU HAVE A BACKUP

• Backup your files! It's good practice to frequently backup your data files. We recommend a hybrid-cloud image-based backup that can be used to restore data and applications even if your server is destroyed, and that can restore data from different points in time.

• Print a copy of your important/emergency contacts and take them with you if you do not have access to them from your phone or computer, you'll have them available to use via a landline.

• RealTime Clients: Everyone who is on our Business Continuity Service – Your servers are backed up and replicated offsite daily. If there is a problem, we correct that as part of the service. As hurricanes approach your physical location, we’ll be talking with you and confirm things are backed up and replicated prior to you shutting your operations down as part of your storm prep.

2. SECURE YOUR EQUIPMENT

• COMPUTERS

  • Shutdown the operating system.

  • If connected to a surge protector or UPS - unplug from the wall outlet (or unplug power cables from the surge protector or UPS if wall outlet isn't accessible).

  • Unplug Ethernet cable from the back of computer or docking station.

• PRINTERS

  • Power off the printer.

  • If connected to a surge protector - unplug as described above.

  • Unplug the Ethernet cable from the back of the printer.

  • Unplug the phone cable from the back of the printer (if a fax line is connected).

• SERVERS AND NETWORK EQUIPMENT

  • Perform a normal shutdown of the servers. RealTime clients: Please coordinate with RealTime service desk. 

  • Unplug all connections - Take photos to document how things were prior to the event. 

  • Firewalls, Switches, Access Points - unplug them from power. Unplug the firewall from the internet connection as well. Ideally, unplug all the network connections (surges can travel through the network cabling).

  • Battery backups - power these off and then unplug them.

  • Phone systems - Check with your vendor to see what steps you can take to protect it.
     

3. PROTECT FROM WATER/WIND

When a major storm is predicted, elevate your CPUs, printers, servers, and other network devices, as well as other electrical appliances like space heaters, off of the floor.  For high winds, move computers away from windows.  If there is a possibility of water leakage, cover computer equipment with plastic.

4. CONTINUING OPERATIONS AFTER THE STORM

•  If you are in the path, power and internet connectivity may be hard to come by for a few days. Generators can provide enough power to run your critical computer equipment – just be sure you are connecting up to something that can deal w/ the power fluctuations many generators have. Please ask RealTime before connecting things up to generators as they can damage sensitive equipment. Modern battery backups may have the capability to condition the power off of a generator – check with the manufacturer to confirm before trying this.

• 4G USB modems or Mifi can get you connected in an emergency. Everything you do may not work, but basic web browsing.

• Forward your phones – If the office is expected to be out a few days, most phone service providers have a way for you to forward calls to your business to a cell phone or alternate number. Get the steps now, before you need them.

5. BE PREPARED

Knowing what steps to take ahead of time will help you be prepared in the worst-case scenario. RealTime is committed to ensuring our clients are prepared with the proper technology to meet their current/future needs as well as advising them about safeguarding their business from weather-related, cyber and other disasters. 

If you would like further information about RealTime managing Information Technology for your business, contact us at info@realtime-it.com.

Blog: Todd Swartzman, RealTime Chief Information Security Officer

LET’S BEGIN AT THE END

Let’s go a bit out of order and focus on the end of these types of events, the recovery. After all, if your business falls victim to a ransomware attack or some other type of breach, eventually you will get to the recovery phase. In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now:

COLONIAL PIPELINE EVENT/RECOVERY FACTS

1.  Event May 5, 2021

2. Took five days and there are still intermittent service interruptions happening.

3. Budget? Unlimited. This was a recover at all costs exercise.

4. Government help – there for the asking

5. Temporary lifting of regulations to help deliver product.

6. Colonial Pipeline paid $4.4 million in ransom within hours of the attack. They opted to pay the ransom because it was unsure of the extent of the breach. The hackers provided the company access to a decryption program following the payment, but Colonial Pipeline was not able to immediately restore operations with the tool.

 HOW WOULD THIS COMPARE TO YOUR BUSINESS RECOVERY?

1. Do you have unlimited funding and is FedGov offering every assistance available to you?

2. Can you go 24x7 until it’s recovered? What about your primary business serving customers, who’s going to do that while all hands are on deck dealing with the current fire? If you have one IT guy, this isn’t realistic, even if they did have the requisite skills, and they probably don’t.

3. Do you assume you’ll only be down for a few days? Average time to recover a small business is about two weeks, but that can vary wildly.

 CLOSING

CYBERSECURITY IS NOT JUST A TECHNICAL PROBLEM. IT’S A BUSINESS PROBLEM.

Use this as a lesson you can learn at someone else’s expense. Review your own controls, backups, response plans, insurance policy, and your budget to make sure that your plan is documented, understood, and most importantly is realistic.

 CISA (Cybersecurity & Critical Infrastructure Agency) put out an alert on Best Practices for Preventing Business Disruption from Ransomware Attacks. And if you are curious, yes, Colonial Pipeline would be subject to adhering to CISA requirements as they are critical infrastructure.

Article link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a 

EXAMPLES OF QUESTIONS ON A CYBER INSURANCE APPLICATION

By Todd Swartzman, RealTime CISO

The questionnaire(s) you fill-out may have some definitive questions that want Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process. 

You can ask the broker to help you better understand what these questions are really asking, and you can even add an addendum to better explain the answer to any questions that aren’t really a Yes or No given the question.  

That policy questionnaire is an excellent (free) way to measure how your business is positioned as far as your basic cybersecurity, your controls, policies, your compliance status, etc. If you find yourself answering “No” to many of the questions, this is your opportunity to improve your security to better protect your business, and maybe help you get better cyber insurance premiums. 

The questions being asked are proven steps businesses should already be taking to reduce their risks of a breach or ransomware event. 

Here I’ve listed some sample questions that insurers may use to help them qualify your business (aka, how risky are YOU to the insurer) for cyber coverage; having these things in place will  make it less likely you’ll need to use that shiny new cyber insurance policy: 

Email Security 

1. Do you filter emails for malicious attachments or links? 

2. Do you strictly enforce SPF on incoming emails? 

3. Do you train your email users to recognize phishing and other email based threats? 

4. Do you use Office 365 in your organization 

5. If yes, do you enforce MultiFactor Authentication for all Office 365 accounts? 

Internal Security 

1. Do you use Endpoint protection products across your enterprise? There may be choices or a listing of common products to help answer. 

2. Do you use multi factor authentication? 

3. For remote access? 

4. Do you have a process to apply critical security patches rapidly? 

5. Do you use web content filters to block potentially malicious content? 

6. Do you use protective DNS services (Open DNS, Quad9, etc.?) 

7. Do you provide your users with a password manager software? 

8. Do you have a firewall with active security services such as Intrusion Prevention Services, malware scanning, or similar? 

Backup and Recovery Policies 

1. Are your backups kept separate from your network (offline) or in a cloud service designed for this purpose? 

2. Do you use a cloud syncing service (e.g. Dropbox, OneDrive, Sharepoint, Google Drive) for backups? 

3. Have you tested the successful restoration and recovery of key server configurations and data from backup in the last 6 months? 

Other Ransomware Preventative Measures 

1. Please describe any additional steps that your org takes to detect and prevent ransomware attacks. 

Once you purchase a policy, you still have some work to do in order to get the most out of the policy and further reduce your business risks. Every reputable underwriter has resources that their policy holders can use to shore up defenses, create policies, and help train staff. Use them, after all, you are paying for it. Many have resources like policy samples, virtual CISO services, Incident Response Planning guides, courses on HIPAA and PCI, awareness training content, just to name a few. 

Why does my business need cyber insurance?

By Todd Swartzman, RealTime CISO

Your business is a target, whether you care to admit that fact or not. 

Having a good cyber insurance policy that helps mitigate some of your business risks is a safety net for your business in case of a breach, data loss event, business interruption due to a cyber event, assistance in a ransomware event, etc. Each policy is worded differently, and some policies won’t cover all things, or with the same limits. 

[Contact your insurance broker to get the process started. If your agent doesn’t seem to be very conversant on this subject, a good agent will loop in a cyber expert from the underwriter.]

FILLING OUT THE CYBER INSURANCE APPLICATION

WHAT SHOULD MY MINDSET BE WHEN FILLING OUT THE APPLICATION?

Think liability. Your job isn’t to make your business look good to the broker or underwriter. Be 100% forthright with your answers and be sure to answer accurately.  Ask the broker or underwriter to define their terms. What we commonly understand a term to mean isn’t necessarily what the insurer says that these policy terms mean, so be sure to get clarification. One policy I was working on included a 28-page document explaining the terms of their one-page proposal. Remember, what you think a term means may be quite different than what the insurer says that term means for their policy – go with the insurers version.

WHAT IF I DON’T KNOW THE ANSWER TO SOME QUESTIONS?

If you don’t know the answers to some of the questions, just tell the broker; or if you’ve been asked to answer the questions on behalf of a client, let the client know you don’t know the answer. This is especially important if the question is a legal or compliance type question. Your goal is to answer accurately, and it is critically important that you do so.

Here is why:

Cottage Health Systems got sued by their insurance company for failure to follow “Minimum Required Practices”. This is an example of what can happen if you have to make a claim and you answered inaccurately during your application. Cottage Health said they were doing something preventative relevant to the event, but they actually were not. READ MORE HERE…

TYPES OF QUESTIONS

The questionnaire(s) you fill-out may have some definitive questions that want a Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process. Ask the broker to help you better understand what these questions are really asking. You can include an addendum with your responses to better explain any answers where a Yes or No isn’t the best answer.

That policy questionnaire is an excellent way to measure how your business is positioned as far as your cybersecurity, your controls, policies, your compliance status, etc. If you find yourself answering “No” to many of the questions, this is your opportunity to improve your security to better protect your business, and maybe help get better cyber insurance premiums. 

The questions being asked are some basic, proven mitigations that businesses should already be taking to reduce their risks of a cyber event such as a breach or ransomware. Here is a list of some sample questions that not only will help you qualify for insurance; having these things in place will  make it less likely you’ll need to use that shiny new cyber insurance policy.

Greater Baltimore Medical Center Hit by Ransomware Attack

BY MIKE LENNON

The Greater Baltimore Medical Center in Towson, Maryland was hit by a ransomware attack that impacted computer systems and medical procedures, the healthcare provider said Sunday. In late October, the U.S. government warned hospitals and healthcare providers of an “increased and imminent” ransomware threat. The alert warned that threat actors are targeting the healthcare sector with the TrickBot malware in attacks that often lead to ransomware infections, data theft and disruption of healthcare services.

The ransomware attack is the latest of many that have impacted healthcare providers over recent months. In September, a ransomware attack forced the shutdown of more than 250 locations operated by Universal Health Services (UHS). Also in September, an attack shutdown IT systems at a hospital in Duesseldorf, Germany, resulting in the death of a woman after she had to be taken to another city for urgent treatment.

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmwareof targeted system for vulnerabilities, security researchers recently discovered. READ MORE…

UHS Shuts Down Systems in U.S. Hospitals Following Cyberattack

BY IONUT ARGHIRE

In the end of September, 2020, Universal Health Services (UHS) shut down IT networks at multiple hospitals in the United States, after being hit with a cyberattack. A Fortune 500 company operating more than 400 facilities in the United States, Puerto Rico, and the United Kingdom, the healthcare services provider has approximately 90,000 employees and claimed an annual revenue of $11.4 billion for 2019. While many said that patient care wasn’t critically affected, others detailed difficulties in receiving lab results or performing other types of investigations in a timely manner. There was also one unconfirmed report of patients dying due to such delays. Furthermore, Bleeping Computer and TechCrunch report that information from people with knowledge of the incident leads to the conclusion that the Ryuk ransomware was used. READ MORE HERE…

As Hospitals Cope With a COVID-19 Surge, Cyber Threats Loom

BY ASSOCIATED PRESS

The (University of Vermont Medical Center) Vermont hospital had fallen prey to a cyberattack, becoming one of the most recent and visible examples of a wave of digital assaults taking U.S. health care providers hostage as COVID-19 cases surge nationwide.

The same day as UVM’s attack, the FBI and two federal agencies warned cybercriminals were ramping up efforts to steal data and disrupt services across the health care sector.

By targeting providers with attacks that scramble and lock up data until victims pay a ransom, hackers can demand thousands or millions of dollars and wreak havoc until they’re paid.

Ransomware is also partly to blame for some of the nearly 700 private health information breaches, affecting about 46.6 million people and currently being investigated by the federal government. In the hands of a criminal, a single patient record — rich with details about a person’s finances, insurance and medical history — can sell for upward of $1,000 on the black market, experts say. READ MORE…

NEED MORE PROTECTION? LEARN MORE ABOUT CYBER DEFENSE…