Good morning, reader. Today you are the CEO of XYZ Logistics. Congrats! It’s 5:00 am. Your alarm goes off. I hope you’re ready, because today is not going to be the day you expected it to be. You wake up, roll to your side, and sit up in your bed. You reach for your phone on the nightstand, and through sleepy vision allow your thumb to instinctively swipe the alarm away. As your eyes adjust to the low light of the morning and the brightness of your phone, you notice 25 missed calls, 14 new texts, and hundreds of new emails clogging your inbox. You feel a slight churn in the pit of your stomach as you open your texts. The most recent text is from Sophia, your Director of Operations.
“Call me as soon as you get this.”
Received at 3:45 am. She clearly had been attempting to get hold of you all night. It's only 5:02 by now, so you decide to scroll through the messages before calling her so early. Sophia’s first text to you:
“Jim from the ACME account is pissed. He’s claiming we busted their whole network somehow.”
You scroll further.
“I really need you to call me back. It’s not just ACME – other customers are having similar issues.”
Your heart sinks as you begin to realize what has happened. You call Sophia. She proceeds to tell you what she knows so far.
Here’s what you learn:
At around 9 pm last night, someone began sending invoices to customers through Microsoft Dynamics 365. The invoices included a malicious link. Several customers clicked the link; two of them were locked out of their networks as a result. The word ransomware has been mentioned, but no one has received a ransom note yet.
Additionally, later that night around 11 pm, thousands of emails started going out from your domain – specifically from your own personal work account. You realize this is why your inbox is so full: a high volume of “out of office” replies and “DNS error” bounces, plus an unfortunate number of angry customer responses. Further investigation revealed that multiple user accounts had been breached, everything in SharePoint had been encrypted, and – as if things couldn’t get any worse – someone got into your Fleet Management software and locked everyone else out! You take a deep breath. It’s going to be a long day.
What’s your first move? What are you going to do?
An Ounce of Prevention
If you have ever had the misfortune of living through a day like this, then I don’t need to tell you how stressful and challenging it can be. If you have yet to experience the business-altering disaster that accompanies a critical cyber-incident, then I am truly glad for you.
Though there are tremendous resources for building an Incident Response Plan for your logistics business, and you should absolutely leverage them, the most cost-effective and simplest way to deal with cyber-incidents is to avoid them in the first place.
In the above scenario, the CEO’s personal work account had been granted full administrator privileges to their Microsoft tenant – functionally making their account the lord and master of their entire Logistics realm. Threat Actors (cyber bad guys) had managed to steal their credentials weeks ago without the CEO’s knowledge, using a crafty phishing email that seemed to come from their internal IT department.
The email masqueraded as a routine security measure, prompting the CEO to log in with their credentials to stay compliant with their insurance provider. The CEO instinctively clicked a link that took them to what appeared to be a Single Sign-On page. It was identical to the pages on which they had entered their credentials thousands of times before.
When asked, Cyber Risk Analysis Group founder, Brad Hamlett, had this to say:
"It all starts with choosing a framework to align your business with. You shouldn’t reinvent the wheel. These established frameworks serve as critical blueprints for building a solid foundation for both security and compliance."
Rather than guess at best practices, you can begin your company’s security journey with confidence. This will prevent you from deploying a patchwork quilt of Band-Aid solutions and policies that leave your security posture weak and vulnerable – or worse, from doing nothing at all.
For instance, in the above example, if XYZ Logistics had been adhering to the National Institute of Standards and Technology’s (NIST) most recent guidelines for Multi-Factor Authentication (MFA), then the Threat Actor may have been prevented from gaining unauthorized access. Or if they had been adhering to the Cybersecurity Maturity Model Certification (CMMC) requirement on least privilege, it is unlikely that a single compromised user account would have had the permissions necessary to cause as much damage as it did.
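To make the two controls above concrete, here is an added audit script (not from this article, and not a Microsoft API) that checks a constructed directory export for privileged accounts lacking MFA and for admin roles sitting on an everyday mailbox, the exact combination that sank XYZ Logistics. The record layout and role names are assumptions for the example.

```python
# Added example: least-privilege and MFA audit over a constructed tenant export.
# The record format and role names below are assumptions for illustration.

# Roles that can reconfigure the whole tenant (assumed names for this example).
PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator"}

# Constructed sample export, one record per account, modelled on the scenario:
# the CEO holds Global Administrator on the same account that reads mail.
SAMPLE_USERS = [
    {"upn": "ceo@xyz-logistics.example", "roles": ["Global Administrator"],
     "mfa_registered": False, "break_glass": False, "reads_mail": True},
    {"upn": "sophia@xyz-logistics.example", "roles": [],
     "mfa_registered": True, "break_glass": False, "reads_mail": True},
    {"upn": "sp-admin@xyz-logistics.example", "roles": ["SharePoint Administrator"],
     "mfa_registered": True, "break_glass": False, "reads_mail": False},
    {"upn": "breakglass@xyz-logistics.example", "roles": ["Global Administrator"],
     "mfa_registered": True, "break_glass": True, "reads_mail": False},
]


def audit(users):
    """Return (upn, issue) pairs for every MFA or least-privilege violation."""
    findings = []
    for u in users:
        held = PRIVILEGED_ROLES.intersection(u["roles"])
        if not held:
            continue  # ordinary user: nothing tenant-wide to lose here
        if not u["mfa_registered"]:
            findings.append((u["upn"], "privileged role without MFA"))
        if u["reads_mail"] and not u["break_glass"]:
            # A mailbox that receives phishing must not also hold tenant-wide rights;
            # a dedicated, rarely used break-glass account is the one exception.
            findings.append((u["upn"], "privileged role on an everyday mail account"))
    return findings


def blast_radius(users, upn):
    """Privileged roles one compromised account could use; empty means 'just a user'."""
    for u in users:
        if u["upn"] == upn:
            return sorted(PRIVILEGED_ROLES.intersection(u["roles"]))
    return []


if __name__ == "__main__":
    for upn, issue in audit(SAMPLE_USERS):
        print(f"{upn}: {issue}")
```

Run against a real export, an empty result from audit() is the goal; a non-empty blast_radius() for an account that also reads mail is the CEO scenario waiting to happen.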
Choosing a Framework
For all the benefits of picking a framework with which to align your logistics business, it’s not always as simple as it sounds. For example, CMMC (mentioned above) is only relevant if you have contracts with the Federal Government in the United States – though its requirements may have universal value, making the business decision to architect your entire security posture around this framework may not make sense for you.
NIST, CMMC, HIPAA, CIS, ISO, PCI – the list goes on. So where do you start?
1. Don’t get overwhelmed. Anything may be better than nothing, and a little research may go a long way in helping you determine which frameworks may be relevant for you. Some things may become obvious to you early on. Don’t wait to implement the basics (good password hygiene, security awareness training for your employees, business continuity solutions, etc.).
2. Walk before you run. Security starts at the cultural level, facilitated by leadership, and takes time to fully bake into the identity of your organization. A good framework will help you build out a roadmap of policies, procedures, technologies, and gaps that need your attention – and a good roadmap gives you confidence that you will arrive at your destination in due course.
3. Be honest with yourself. Often you are most blind to your own vulnerabilities – especially if you have never gone through an exercise like this before or lack veteran resources who know how to guide you through the experience. There is tremendous value in leveraging a strategic partner for your own Security and Compliance.
4. Prepare for insurability. Do you have a cyber-liability insurance policy? If not, go get one. In today’s threat landscape, it should be considered as necessary an investment as your internet bill or your Microsoft subscriptions. Additionally, your insurance provider will tell you exactly what conditions need to be met to qualify for a cyber-related claim. If you do not meet the minimum qualifications due to policy or technology issues, you may not only lose your insurance policy, but even have your claims rejected when you most need them.
Cyber Risk Analysis Group does exactly this. Starting with deep discovery, we seek to understand the breadth and depth of your organization and all the critical systems you depend on every day to be effective. From there, we can guide you through selecting the most relevant framework for your business. Finally, we don’t just build the roadmap for you. We partner with you on the journey, so should your worst day in logistics ever arrive, we’ll be ready for it – together.