Justin Sleight, IT Software, Office of the State Controller of Idaho

All modern organizations face some degree of cyber risk. Cyber attacks have been steadily increasing over the last several years, and very recently have grown in both count and severity. Adopting new technology and implementing it has become a routine task for businesses small and large.

Only recently have small and mid-size businesses realized the importance of securing the implementation of these rapidly growing systems and infrastructure. Cyber threat management solutions are often complex and daunting to those unfamiliar with them.

This article aims to build an understanding of basic tools and guidelines that can assist technical employees and management alike.

An event like no other

In March of 2016, IT staff at the Methodist Hospital in Henderson, Kentucky noticed something wrong with their internal network. They quickly assessed the situation and found the culprit to be the “Locky” strain of ransomware, a type of malware that usually spreads through email spam. It infects several Microsoft Office file types and, once on a victim's network, spreads itself and encrypts all accessible files. Ransomware is designed to lock the files it reaches with an encryption key or password known only to the individual or group spreading the malware.

The IT staff quickly posted a notice on their public website that some web services would be affected due to an “Internal State of Emergency.” They also notified the public that some electronic services and communication methods would be unavailable because of the malware attack. Hospital IT management and the Information Services Director quickly realized that they needed to shut down every system on their network. After doing so, they brought the systems back online one by one, each only after a full scan for the virus or any remnants of it.

Even with a very robust security response plan in place, the hospital still found itself unable to provide the services it valued to clients, customers, and patients. For five days, the hospital was unable to operate at full service capability because of the complications from the cyber attack. IT staff were eventually able to shift system capacity to alternate servers and begin restoring data from backup systems not affected by the attack.

Thanks to the due diligence of IT staff and management in the hospital's Information Services division, a disaster recovery and backup plan was in place before the attack, allowing the organization to recover fully without paying a ransom to an unknown malicious party. According to official statements from the hospital, no patient data was lost or stolen.

High Stakes

Cyber risk management can be difficult to define and understand. Cyber-risk insurance can alleviate some of the pain of taking on any level of cyber-security risk; however, most insurers impose fairly strict reporting, auditing, and change management requirements. Cyber liability insurance can offset some of the discomfort of securing a network, but it is certainly not a catch-all replacement for a dedicated security team with plans and policies in place at the organization. Both management-level and technical employees need to understand the impact of these policies and procedures and implement them accordingly, down to the end-user level. This is no small task. For most organizations, getting the C-suite, the CTO, and technical-level employees on board is only the first step. Disseminating these policies and ensuring that automated reporting is in place at the node level is another hurdle entirely.

Once these policies and protections are designed, implemented, and properly automated, some organizations or mid-size companies may think they can sit back and relax. This is not the case. Keeping a security team on top of reporting, analysis, and monitoring is an around-the-clock effort. With the proper software and hardware appliances in place, most of these steps can be kept up to date fairly easily by a robust internal security team.