How ACME Co. Survived their First Cyber-Attack Part IV
Week 4: An ounce of prevention? Then make it a double!
This is Week 4 of Cybersecurity Awareness Month 2022. We followed ACME Co as they lost $50,000 as a victim of fraud but were eventually made whole by their insurance policy.
After Action Report
Joanna called a meeting with the senior leadership of ACME, including members of finance and IT, to discuss the recent fraud. She had a laundry list of lessons learned to go over, but she also had a lot of questions. At the top of her list was what security efforts ACME should be taking to keep fraud from happening again or, worse yet, to keep a breach from happening at all.
The follow-up meeting went well, and it included a lively discussion of everyone's take on how things were handled and what they might do differently. Two things were universally agreed upon: first, no one wanted to go through anything like that again; second, everyone would be better prepared if they did.
The Tabletop Exercise
Imagine if Joanna and her team had done a tabletop exercise before the incident occurred. They would have, sitting around the conference table, walked through an exercise similar to the real-life scenario they lived through. The training exercise would not have had the same level of excitement, but it would have allowed everyone to think through how they might respond to certain events. A training exercise would have revealed what could be built ahead of time – a simple contact list being a great example of what could be quite easy to put together in advance and very helpful during an actual emergency.
I Just Googled It
After the discussion on lessons learned, Joanna began posing some of her questions to the team. ACME's finance guy, Fred, was the first to propose changes within his department. His first proposal covered outgoing wires: no outbound wire would be sent unless two people had each confirmed the receiver and the amount. His second covered payment details: a new payee, or a change to an existing vendor's payment method, would have to be confirmed over a second, independent channel. If a vendor asked by email to change where payments go, Fred would follow the email up with a phone call to the vendor, using the number from the vendor contact list he maintains rather than one supplied in the email, so that he always has a known point of contact to reach. He shared that list with the team. Joanna was impressed, as it was clear Fred had been working hard to improve his department's internal processes. "Those are great ideas, Fred. I'm glad you came up with them and implemented them already," she complimented him. "Well," Fred admitted, "I just Googled it."
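Fred's two controls are easy to describe and easy to get subtly wrong. The following is an added example, not ACME's system or anything from the original story, showing the invariants that make them work: a wire needs two different people to approve the exact same payee and amount, any change to those details throws the approvals away, and a "please update our bank details" email triggers a call to the number already on file, never to a number the email supplies. The vendor directory, names and account identifiers are constructed sample data, and the cross-check of the payee against the directory is an assumption added on top of Fred's description.

```python
# Dual control for outbound wires and out-of-band verification of payment
# changes. Added example; the directory, names and accounts are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class ControlViolation(Exception):
    """Raised when a release or change would bypass a control."""


def sample_directory() -> Dict[str, dict]:
    """Vendor directory maintained by finance (constructed data). The phone
    number was recorded at onboarding and is the only number ever dialled."""
    return {"V-100": {"contact": "Ann Lee", "phone": "+1-555-0100",
                      "account": "ACCT-GLOBEX-001"}}


@dataclass
class WireRequest:
    vendor_id: str
    beneficiary_account: str
    amount: float
    # approver -> (account, amount) exactly as it stood when they approved
    approvals: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def approve(self, approver: str) -> None:
        """Record that `approver` confirmed the payee and amount they were shown."""
        self.approvals[approver] = (self.beneficiary_account, self.amount)

    def amend(self, beneficiary_account: Optional[str] = None,
              amount: Optional[float] = None) -> None:
        """Changing payee or amount wipes every approval: both people re-confirm."""
        if beneficiary_account is not None:
            self.beneficiary_account = beneficiary_account
        if amount is not None:
            self.amount = amount
        self.approvals.clear()


def release_wire(req: WireRequest, directory: Dict[str, dict]) -> bool:
    """Release only if two different people approved the current payee and
    amount, and the payee matches the account on file for that vendor."""
    if len(req.approvals) < 2:          # dict keys are distinct approvers
        raise ControlViolation("two distinct approvers required")
    current = (req.beneficiary_account, req.amount)
    if any(seen != current for seen in req.approvals.values()):
        raise ControlViolation("an approval was given for different payee details")
    on_file = directory.get(req.vendor_id)
    if on_file is None or on_file["account"] != req.beneficiary_account:
        raise ControlViolation("beneficiary account does not match vendor directory")
    return True


def apply_payment_change(vendor_id: str, new_account: str, number_in_request: str,
                         callback: Callable[[str, str], bool],
                         directory: Dict[str, dict]) -> bool:
    """Handle an emailed request to change a vendor's bank details.

    `number_in_request` is deliberately ignored: a fraudster controls what the
    email says, so the call goes to the number on file. `callback(phone,
    new_account)` stands in for the phone call and returns True on confirmation.
    """
    del number_in_request  # never trusted, see above
    on_file = directory.get(vendor_id)
    if on_file is None:
        raise ControlViolation("unknown vendor; no trusted contact to call")
    if not callback(on_file["phone"], new_account):
        raise ControlViolation("contact on file did not confirm the change")
    on_file["account"] = new_account
    return True


def outcome(fn: Callable, *args) -> str:
    """Run a control and report 'ok' or the violation message (for demos/tests)."""
    try:
        fn(*args)
        return "ok"
    except ControlViolation as exc:
        return str(exc)


if __name__ == "__main__":
    directory = sample_directory()
    req = WireRequest("V-100", "ACCT-GLOBEX-001", 50000.0)
    req.approve("fred")
    print(outcome(release_wire, req, directory))      # one approver: rejected
    req.approve("joanna")
    print(outcome(release_wire, req, directory))      # ok
    # Fraudulent email: "new account, and please call our new number"
    calls = []
    def phone(number, account):
        calls.append(number)
        return False                                  # Ann Lee does not confirm
    print(outcome(apply_payment_change, "V-100", "ACCT-ATTACKER",
                  "+1-555-0199", phone, directory))   # rejected
    print(calls)                                      # only the number on file
```

The shape worth copying is that approvals bind to a (payee, amount) tuple and are discarded on any amendment; a control that merely counts approvals lets an attacker change the beneficiary after the second signature.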
ACME’s IT person, Mark, laughed. He had been doing some Googling of his own. After the fraud incident, Mark had taken to the Internet – a near endless resource for IT and security professionals – and found a lot of free resources. Mark projected his screen onto the conference room TV. “Here’s what I found using the Google,” Mark said as the TV came alive.
On the screen was an assessment tool, with some parts already completed. Mark explained that he had found tons of resources from all sorts of entities: the US government, the Australian government, several trade associations, multiple certification bodies, and universities. Two in particular stood out to Mark. "The National Cybersecurity Alliance has some great training resources," Mark said, adding, "I'd like to do something for Cybersecurity Awareness Month in October." Pointing at the screen, Mark said, "but this is the security controls from the Center for Internet Security – CIS." He explained that the CIS Critical Security Controls and the accompanying self-assessment material are free for companies to use internally, and he had started his own assessment of ACME's systems against them. The results would tell him where to tighten security within his department first.
Master the Fundamentals
Whether it's basketball or cybersecurity, one must practice the fundamentals... because the fundamentals still work. This holds true from youth sports to the NBA and from small organizations to multinational corporations. Urban legend has it that Michael Jordan relentlessly practiced free throws through the end of his career. In other words, arguably the greatest player ever to play the game, after winning six world championships, continued to practice the most basic shot in his sport.
There is a perception that cybersecurity is too difficult, expensive, or unreachable for small organizations to do well. This is simply not the case. Small organizations can take these steps to start building a strong cybersecurity foundation:
Make security and privacy a priority within the organization. This starts at the top, where leadership communicates and demonstrates the priority by example.
Improve internal processes. Examples: the finance person can add a second approver to outbound wires and confirm payment changes by calling the vendor's known number, to stop a fraudster from redirecting funds; the HR person can improve recruiting, where candidates are screened, references checked, and background checks performed.
Secure IT systems and the data they contain. The fundamentals of this can be performed using free resources, deploying existing internal resources, and leveraging security mechanisms within existing services and systems.
The strategic plan for any organization should be a fully functioning security program, but small organizations can follow the three steps above to get started.
This Concludes Our Series
The team at ACME Co. were victims of fraud. Hopefully, the story of this small business facing their first fraud event educated and informed you and your company on the topic of cybersecurity. Think you need some help? Consider hiring a cybersecurity consultant to help you get started. Or, seek a managed service provider (MSP) which can support your IT and security needs. Already have an MSP? If your provider has not already started working with you on your cybersecurity, then consider an upgrade to Affinity Technology Partners.
Disclaimer: This story is 100% fictional and does not represent any person or company in any way.
About The Author
Bart Holzer joined Affinity Technology Partners as fractional Chief Information Security Officer (CISO). He is the owner of Overt Channel, LLC, working as a fractional or virtual Chief Security Officer and Chief Information Security Officer for mid-size firms and nonprofits. A former federal law enforcement engineer, Holzer advises clients on security strategy, risk management, security program development and incident response.