Should a fractional CISO admit to dealing with data breaches?
We think so. If you know a fractional CISO (also called virtual CISO or vCISO) that claims they’ve never dealt with a data breach, you know one of two things is true:
Data breaches and cyberattacks happen all the time. Even the most robust cybersecurity programs aren’t effective 100% of the time – you know why?
Human error is the cause of so many data breaches, it’s not even funny. People make mistakes, and unfortunately sometimes those mistakes include lost money, exposed data, unauthorized access, the list goes on.
So a fractional CISO should definitely have experience with breaches – because an important part of their job is knowing how to contain and react to the breach.
Although we are sharing true stories below, we are not including any names or important identifying information. These are their stories. *cue Law and Order ‘dun dun’ sound*
Victim: healthcare company with <50 employees, our contact is named Janice.
The phone rings.
“Hello?” Janice says.
“Hi, my name is Jim, and I work for Fix it Now, your IT Firm. I need to check something on your computer, do you have a few minutes?”
“Sure, I have a few minutes, what do I need to do?” Janice says.
“Go to logmein.com and enter code ######. Then I can connect to your computer.”
Janice does as she is asked, and Jim is now accessing her computer.
Fix It Now is the name of their IT firm, and they would sometimes need to access company machines to patch vulnerabilities or install or update programs.
“How long will this take?” Janice asks.
“I’m not sure, I’m going to run a diagnostic test on your machine.”
Janice is starting to feel a pit in her stomach – something about this doesn’t feel right.
Her computer screen is rapidly changing from black to white, lots of text and moving parts. She tries to take a screenshot, but can’t. She’s not sure what to do.
“Ok, all done.” the voice says.
Janice’s computer seems normal once again, but she can’t shake that icky feeling. She immediately emails her fractional CISO for advice.
Her CISO asks a few clarifying questions and then immediately gets on the phone with Janice. They loop in their IT company (who had not contacted her) to review access logs, check her machine for malicious programs like keyloggers or worse. A forensic team was contracted to confirm the presence or absence of a data breach.
The next part of the story for this specific company is mostly good news: no critical data was stolen or accessed, email accounts were not compromised, no malicious software was detected.
But even though it ended with “good news” – there was a lot of work and money involved in this incident.
Lesson #1 - Hackers are doing their homework. They can figure out the names of your vendors, IT firm, CEO, coworkers and more. Thanks to the Internet and social media sites like LinkedIn, this is actually pretty easy. Hackers will use this information to appear legitimate. Make sure you have controls in place to prevent imposters from posing as your legitimate contacts. For example, perhaps your IT firm should always contact via email to schedule time to access your computer for updates and addressing vulnerabilities. Or maybe your IT firm should already have remote access enabled, so there was no reason for them to call in the first place.
Lesson #2 - If you or anyone at your company gets that ‘pit in your stomach’ feeling over anything cybersecurity-related – make sure they know they can report the situation without fear of retaliation or embarrassment. Janice knew she could contact the fractional CISO and be taken seriously – without her fast action, who knows what the hackers could have accessed or done.
Victim: US government contractor named ABCD with <10 employees, our contact is named Simon
The CISO’s assistant receives an emailed invoice from the CEO of ABCD.
He thinks to himself, this is odd, why would ABCD send us an invoice?
The assistant uses the hover method to see who is sending the email and then sends a screenshot of the email to the fractional CISO.
Spoiler alert: the email was actually sent from ABCD!
The CISO sees the email and immediately understands what is happening here. He quickly calls Simon.
After a short discussion, the CISO learns he is not the only one who received a fake invoice from the CEO of ABCD.
Simon explains that they have received numerous phone calls from many of their clients about this mysterious invoice.
Clearly, the CEO’s email has been accessed by cybercriminals who are trying to collect money from the CEO’s contact list.
The CISO contacts the CEO about changing his email password ASAP.
From here, the CISO, Simon, ABCD’s IT firm, and ABCD’s lawyer meet together. They find out ABCD’s IT firm had screwed up setting up multi-factor authentication (MFA) rules in ABCD’s email system.
The CEO’s email was being protected by ONLY a password.
Which is unfortunately extremely easy to crack.
The CISO had stressed multiple times to ABCD and their IT company that MFA must be enabled and enforced for email, banking, and client information systems.
Unfortunately, the IT company had not listened to this advice. Not using MFA on email is like leaving the front door unlocked. It’s only a matter of time before cyberattackers get in.
And now ABCD unfortunately has their reputation on the line – they need to go through the process of reporting the breach and contacting their clients.
Thankfully, after completing forensic work, it was determined that the cyberattackers had only accessed the CEO’s email and not other systems. But think of the data in a CEO’s email account! Yikes!
Lesson #1 - Make sure MFA is turned on and enforced for as many accounts as you can. At a minimum, set up MFA for: email, banking, client information accounts, social media.
Lesson #2 - Do not blindly believe your IT firm. Cyberattacks are frequently caused by human error, and guess what – your IT firm is full of humans! They make mistakes too, but ultimately it would be your company’s reputation and data on the line. If your IT firm says something is done, ask for proof!
Victim: financial services firm called SafeMoney with ~25 employees, our contact is named Bill
This is unfortunately an all-too-common situation. It involves something called lookalike domains.
Bill is the IT manager at SafeMoney, and received a strange email from one of his coworkers.
From: [email protected]
One of our clients got an email from “us” but it’s not from us, what do we do?? See below:
From: [email protected]
Subject: Re: Fw: Please update our banking information
No, it’s not!! Cc’ing Bill for help!!
From: [email protected]
Subject: Fw: Please update our banking information
Alice - I just left you a voicemail about this. I got this email, is this legitimate?
From: [email protected]
Subject: Please update our banking information
We’ve changed banks, can you please send payments to:
The fractional CISO and Bill realized the original email was from a lookalike domain - safmoney.com vs safemoney.com. So the “good news” is that the emails were not coming from inside the actual company. This was something else.
The CISO and Bill worked with SafeMoney’s lawyer and forensic team to determine a few things:
Ultimately Bill reported the incident to various organizations (Google, Microsoft, Norton, FTC, FBI, and the registrar for the lookalike domain). Although other contacts did receive an email from this lookalike domain, none of the contacts were victims. But this created a huge headache and hassle for Bill and the entire SafeMoney team.
Lesson #1 - Bob the customer did the right thing. He reached out via phone to confirm the legitimacy of the email. He could have just blindly updated the payment information, but he verified via a different method. If you get a strange email, verify by phone. If you get a strange phone call, verify by email.
Lesson #2 - there are a number of steps to take to prevent this sort of situation. Unfortunately, there is no foolproof way of preventing this from happening. We have some tips here: https://adeliarisk.com/lookalike-domains-4-ways-to-protect/ and if you want to learn more about reporting phishing scams and/or lookalike domains: https://adeliarisk.com/recognize-prevent-and-report-phishing/
As you can see from these ‘behind the scenes’ stories, a cyberattack is not always the obvious-ransomware-message-displayed-on-all-computers or suddenly your bank account is drained. Although those things happen too!
Many times a cyberattack can be subtle and appear ‘small’ – but a critical reason for contracting a CISO is to know what details to check, what steps to follow, and how to stop the cyberattack from spreading. Sometimes it’s “easy” like changing a password and turning on MFA. Usually it’s more complicated than that.
A fractional CISO can help strengthen your cybersecurity program, guide you towards compliance, and whip your IT company into shape. They are also invaluable when it comes to investigating and stopping breaches. Learn more about Adelia Risk’s Fractional CISO / Virtual CISO service: https://adeliarisk.com/virtual-ciso-service/