How to Survive Cybersecurity Threats with Ken Satkunam and Dan DeFay


Pictured: Dan DeFay, Chief Security Officer, and Ken Satkunam, President and Owner, NorthStar Technology Group

Cybersecurity threats are on the rise and one misstep could cost you your business. We spoke with NorthStar Technology Group’s President and Owner Ken Satkunam and Chief Security Officer Dan DeFay to learn about how to prevent and recover from cybersecurity disaster.


Q: What do you think are the most common cybersecurity threats businesses are facing these days?

Dan: It used to be ransomware, but more and more we’re seeing what they call business email compromise. That’s where, basically, the attacker gets them to click on something, and then they have some kind of mechanism, which allows them to take over that email account. Then, once they’re in there, they’ll try to spread the attack to other companies or other contacts connected with that email. And, even if a company has multi-factor authentication turned on their accounts, we’re still seeing that they figured out a way to bypass that.

Q: What else could you do other than two-factor authentication to make sure that you’re not exposing yourself?

Ken: Multifactor authentication is something that people can do now and it still helps. It’s another hurdle that might cause a hacker to go elsewhere—somewhere easier.

Beyond that, it’s really about awareness and being able to recognize those sorts of things. You don’t need to have a complicated security awareness training program, but I think just generally being educated and able to recognize messages that seem to be off or fraudulent is important and I think people are getting better at that. Years ago, people would click on anything and everything.

Q: I’ve done interviews similar to this and I’ve heard that once a hacker is in your system, they can spend a very long time in the system before they do anything or before you become aware. What are some red flags that business owners should look for that would indicate there has been a security breach?

Ken: What you’re talking about is dwell time, which is the time between when a breach occurs and when it’s noticed that it occurred. Most often, it’s the savvy of the attacker that makes this very, very difficult to detect. 99% of the time, you’re not going to catch the attacker during this period. Attackers wait because they want to do everything they can to cause the most damage. So, they may be in there spending time trying to figure out what you’re using for backups. And then, before they deploy the ransomware, they’ll go in and delete those backups. Ultimately, a preventative strategy and a good recovery strategy are your best bets.

When the event occurs, you will usually notice your systems will start acting weird. The files might get encrypted from ransomware or all of your colleagues in your contact list will be getting weird emails from you.

The two terms you’ll hear a lot in the cyberworld are compromise and breach. Compromise is when the attacker actually gets a foothold in your system, and then they’ll stay in there trying to figure out the best thing they can do to maximize the impact. Then, when they actually take action, that’s the breach.

There aren’t really any tools a company can use on their own that are going to tell them if someone has taken over their computer. The only way you might know is if your computer starts running slower because they installed some sort of malware that’s eating up memory.

After a breach happens, a forensic firm will go in and utilize complicated, expensive software to look for what we call “all indicators of compromise.” It’s a software that goes in and looks at all your files and your memory and your data—it looks for indicators of compromise and pieces things together from there.


By The Numbers

  • 66% of organizations reported ransomware attacks in 2023 (Cisco Talos Blog)
  • Around 80% of businesses affected by BEC attacks did not have multi-factor authentication (MFA) in place (Cobalt: Offensive Security Services)
  • Global financial losses from business email compromise scams exceed $1.8 billion annually (Deloitte United States)

Q: What are the first steps people should take if there’s something that happens?

Ken: Even if we’ve done all the preventative things we can, something can still happen. There’s no way you can guarantee complete risk reduction. So, you want to make sure you have good cyber liability insurance coverage. You want to make sure you have good backups prior to the event. You want to make sure you have a strong incident response plan, and that’s what you’re going to turn to if something happens.

Contacting your cyber liability insurance carrier is probably step one. They’re going to have their own forensics team that can go in and take a look to see what happened. They’re going to have their own lawyers who can counsel you on if you need to report the incident. They can also let you know if you need to let customers know. They’ll have guidance on talking points for the press. They’ll be able to kind of guide you through that process.

And obviously, you want to make sure you don’t tarnish evidence. A lot of people, the first thing they’ll do is they’ll shut stuff down, or they’ll disconnect stuff. And I understand that reaction—you think you’re going to prevent it from spreading everywhere. But instead of doing that, you essentially tarnish the evidence. It’s like coming onto a crime scene and touching everything. You want to be able to leave that alone for the forensics people—that is challenging for a lot of people because they want to get back up and running as fast as possible, and forensics can take a long time.

If you don’t have insurance, you’re going to want to contact someone who can come in and help with the recovery process. That’s going to be either through forensics to identify what happened, or, at the very, very minimum, someone who can get you back up and running. You’re going to have to restore from backup and go through that whole process and make sure your systems are clean.

The challenge with that is knowing how far back to restore data from. Because of that dwell time, restoring a day back might restore bad stuff. Restoring from a week back might restore bad stuff. Restoring from a month back might restore bad stuff. You need that forensics process to help you identify when you want to restore from.

Dan: Things are getting to the point these days where trying to do this on your own can be very high risk. Because, if you don’t have tools to prevent this, they can get in and steal some of your data. Think about how drastic that would be for a CPA or law firm.

Ken: More and more people are recognizing the value of cyber liability insurance. However, the problem now is insurance carriers are requiring businesses to accomplish certain things regarding cybersecurity controls in order to even get coverage. Before COVID, I never actually talked to an insurance broker or carrier unless it was our own. During COVID, we ended up working with a customer who was filing an application for this every single month. The insurance providers were telling them that they couldn’t get coverage unless they followed steps A, B, C, D, E, F, G, and those items could sometimes be complicated.

Q: What are some things that people should look for in cyber liability insurance?

Ken: I think working with a carrier or a broker that manages your particular business industry is important. So, if you’re in healthcare, there are certain insurance carriers that work well with healthcare. If you are in manufacturing, there are certain carriers that work with manufacturing. But the big thing, of course, is to work with a reputable broker. A good broker will be able to know your industry and know what you need for coverage limits.

There are a lot of brokers who have no idea about cyber insurance. They’re used to covering boats and cars. We’ve met a few that are good and you can totally tell the difference. It’s also really important to have internal IT or to partner with an IT company. You want to reduce risk in as many areas as possible.

I think most people who haven’t been through a breach don’t really understand the magnitude of stress that it causes. Typically revenue starts to just plummet and expenses skyrocket because you’re bringing in forensics and you’re bringing in lawyers. It never happens at an ideal time.

Q: How can people make sure their backups and servers are safe?

Dan: Having a robust backup system is super important. In our industry, there are so many different flavors of that, but having a good backup and understanding what your recovery goals are is important.

With a backup system, there are two points that we really need to understand, and that’s the recovery objective and recovery time. Once I know those things, I can figure out how often I want to back up. Do I back up every day? Every week? Every month? I need to figure out how much data loss is okay. I also need to figure out how long I can withstand a backup taking. Can I wait five minutes? Can I wait one hour? Can I wait one day?

The problem is that backing up too frequently is expensive. There’s always a trade-off with this stuff. Imagine how much disk storage, for example, I would need to back up all of my data every minute. It’s just not realistic. So, you can architect things to make it pretty bulletproof, but there’s going to be a cost consequence for that.

Q: Is there anything else you guys want to say to our readers?

Ken: The biggest thing is preparation. Don’t wait until something bad happens. Build an incident response plan before something happens. That incident response plan should include your most important digital assets and how we make sure those are backed up and how to recover them. It should include who to talk to in the event that something bad happens. You should also have cyber insurance. And that cyber insurance is going to have a checklist of what needs to be in place for coverage, and we’re happy to take a look at that for anybody that needs help with that. We also really recommend that people get a cybersecurity risk assessment, which is a process where you identify all of your digital assets and review them to see if there are any vulnerabilities in those assets and then talk through the best strategy to protect those.

Northstar Technology Group

northstartechnologygroup.com