Cybersecurity is surfacing in the headlines more and more often as businesses, municipalities, and government entities fall victim to data breaches, ransomware attacks, and other malicious activity. I joined the Verodin Cybersecurity Effectiveness Podcast to talk about the latest threats businesses face, the questions executives need to ask about their organization's cybersecurity maturity, the best way to manage an information security program, and the latest legislative approaches to data privacy and cybersecurity in the United States. I also dug into how digital forensics investigations can encompass much more than incident response, and how I landed in the digital forensics and incident response industry.
Based on the incident response work Tetra Defense sees, ransomware has become a booming industry, with new variants and higher ransom demands emerging every day, not to mention the newer tactic of stealing victims' data before encryption and publishing it if they refuse to pay. While some advise never paying the ransom, it ultimately comes down to a business decision. The cost of not paying can far exceed what the attackers are demanding, both financially, in business interruption costs, and in reputational damage. The best way to avoid the dilemma altogether is to ensure your backups are taken regularly, configured correctly, tested by actually restoring from them, and isolated from the production environment (offline or otherwise unreachable with the same credentials an attacker would gain), since attackers routinely seek out and encrypt or delete any backups they can reach. Done correctly, this lets you restore from backups without paying the ransom.
Brian and I also discussed how legislators are starting to address cybersecurity compliance. While many regulations, such as GDPR, financially penalize businesses that fail to comply, I propose a different approach. Rather than blaming and punishing the victim, provide safe harbor provisions, because companies that are victimized by cyber attacks need to invest in improving their infrastructure. Fines only hinder their ability to do so and do not help victim businesses emerge stronger. If a company can prove that it had proper safeguards in place and still fell victim to a breach, it should not face financial penalties.
Subscribe to the Verodin Cybersecurity Effectiveness Podcast, winner of the 2020 Cybersecurity Excellence Award for best cybersecurity podcast in the category of companies with 1,000 to 4,999 employees. Listen in to our latest podcast series and gain insights from some of the most powerful women in cyber.