Hi everyone, below are some great cybersecurity related questions that were asked during the Third Party Risk Management Bootcamp that Venminder hosted last week! The team thought it would be helpful to share these here along with answers. Chime in if you have further answers or comments to any of them. The online event was three days, 6 sessions and 11 presentations long, covered by nine experts. Needless to say, a lot of great information was shared. If you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.
Q: You are noting things that we "should be doing." As an example, penetration testing results. My problem is I am trying to learn when to gather these things and when not to. The answer of "well it depends" without any framework or if-then can be frustrating.
A: It does depend – for example, if there is no exchange of data, then no penetration testing is needed; if there is NPPI exchanged, then there is the need for penetration testing. The NIST framework provides some level of guidance but absent concrete standards, I can't offer anything besides my usual guidance of pull threads to see what needs further exploration. I agree it is frustrating.
Q: How do you estimate how much cyber/E&O insurance is adequate?
A: This is not something that we can give you an exact amount on. Ultimately, the amount of insurance should reflect what is adequate to cover expenses in a qualifying event and this varies depending on multiple factors. This is something that should be determined with the insurance carrier and company stakeholders and would vary greatly based on factors such as company size, types of qualifying events, scope of impact, etc.
Q: Any recommended books for further cybersecurity knowledge?
A: If you're looking for a good way to learn more about cybersecurity and information security in general, I always recommend cybrary.it. You can sign up for a free account and access much of the material. Take a look at the CISSP course as it combines a good mix into 15 hours of free video training broken up into short lessons. Check it out here. I don't have any cybersecurity specific books that I've read…some are on my shelf…but again for general information security, of all of those books I've studied, this is my favorite as it's the easiest to digest so it's my go-to recommendation: CISSP Study Guide by Eric Conrad et al. And, of course, you can go to the Third Party ThinkTank community libraries for all kinds of other great information.
Q: What do you recommend for those instances where a firm is hit with ransomware, but that system auto replicates to other system. How would one defend against that?
A: Ransomware doesn't hide. 99 times out of 100 ransomware will "announce" itself. That is, it is a very noisy malware attack. It's practically impossible to hide mass encryption of files across any platform. If you have the tools in place to monitor for ransomware. Ransomware wants to grab your files (and I use that word specifically here) and hold them hostage until someone pays. Remember, bad actors are after quick money. As much and as often as possible. It's not in their best interests to create a time bomb variant that sits on your backups and hits you at some later date.
The attack may target certain file types and alter the file type to make it harder to access those files. I say all of this to make this point. Ransomware doesn't normally go after backups unless the drives that the backups call home are mapped on patient zero. If you're backing up to tape, even better. Keep your EPP (end-point-protection) and other security schemes up to date and running and don't map drives.
There are several vendors that have products that will alert you to ransomware and even take automatic actions to prevent it from spreading. These days, those solutions aren't that expensive. While there are many defensive software providers around today, I have used Varonis in the past with excellent results. I set it to listen for mass file encryption and halt the encryption process if detected. It worked for me. Again, not an endorsement, just something I did in the past.
Third Party ThinkTank