Insights on Cybersecurity Risk Best Practices for Accounting Firms

This year Allinial Global revamped its Firm Tech event, shifting to a workshop format with a focus on cybersecurity risk management. The new event was designed to be virtual yet very interactive, leveraging the brain trust of Allinial Global member firms.

Many attendees found the workshop very engaging and said that it provided some great practice insights on what firms can do to prevent and respond to cybersecurity threats. We’re very thankful to Jeff Olejnik, Principal – CyberTech at Wipfli, for providing both thought leadership and meaningful exercises that incorporated actionable takeaways for attendees.

Cybersecurity Threats Continue to Increase

Cybersecurity trends like ransomware have gone from being an inconvenience to disrupting the supply chain, as we saw with the Colonial Pipeline incident which impacted our entire economy. Cyberattacks are also becoming more sophisticated, attacking “back doors” on common technology applications like Kaseya, SolarWinds, and Microsoft Exchange where one vulnerability can provide the attacker with access to thousands of organizations.

Because so many attacks are successful in impacting organizations, insurance companies are increasing the underwriting requirements and fees for coverage. Jeff said he’s seeing fees as much as double, and policy underwriting is requiring advanced controls like multifactor authentication and advanced endpoint detection and response (EDR) to be in place. A participant also shared that one client had an underwriter request that they have a 24/7 managed security incident management (SIM) service in place—so underwriters are definitely starting to request that organizations implement more preventative measures.

Jeff shared that this shift toward preventative measures is driven by the average time to detection for a security compromise, which is 180 days, and a lot of damage can happen during that time. Thus, organizations need to focus on being able to identify indicators of compromise so that they can detect intrusions earlier and limit the damage that can occur.

Assessing Cybersecurity Risk

Since the workshop was focused on cybersecurity risk assessment, Jeff dived deeper into how to assess risk. He shared the following high-level risk assessment process:

  1. Determine Scope. Is this (a) a broad assessment, (b) focused more on a specific vendor or technology risk, or (c) responding to a specific threat?
  2. Identify Threats. Identify the ways an attacker could compromise the systems, or users of the systems, in scope.
  3. Analyze Existing Security Posture. Determine how the information security program elements are being implemented against the threats, and test the controls to ensure they are operating effectively.
  4. Create a Plan. Identify what will be done in the short, medium, and long term based on priorities, effort, and perceived risk.
  5. Keep It Current. Risk assessment is a process, not a project. Update when new controls are implemented, when there is a change to the business, when there are different data inputs, or when new threats emerge.

Jeff shared that when Wipfli performs broad cyber assessments for its clients, there are typically five threats included in the evaluation:

  1. Unauthorized access to data/external hacking
  2. Ransomware/extortion
  3. Unauthorized funds transfer
  4. Business email compromise
  5. Business interruption

He emphasized the importance of tying each control deficiency to the resulting threat to the firm.

Jeff’s slides included more details on the steps in each of these areas. A recording of the workshop and the accompanying slides will be available to Allinial Global members soon.

Practice Makes Perfect

The last part of the workshop was an Incident Response Plan tabletop exercise for responding to a ransomware attack. This type of exercise is very helpful for testing an incident response plan to see if you’ve covered all your bases. It also gives your team some practice in responding to an event. Through this mock exercise, participants were able to discuss the issues and decisions that need to be made in response to a cybersecurity incident. It also became clear that incident response is not simply an IT issue, as firm leadership also plays an important role during a crisis.

We surveyed participants before the tabletop exercise on how confident they were in leading an incident response tabletop exercise, and 50% said they were confident or very confident. After the exercise, 80% were confident or very confident, so the practice that we incorporated into the workshop definitely helped boost attendees’ competency and ability to conduct a similar exercise for their firms. One attendee commented that “the incident response exercise was also a nice piece to walk away with and provided a jumping-off point into building/refining real-world procedures.”

Jeff mentioned that his firm helps to conduct incident response exercises for clients, so if your organization needs help running these for your leadership team, please contact him at jolejnik@wipfli.com.

Opportunities for Allinial Global Members

If you missed the workshop, don’t worry. Allinial Global members can request the recording, including notes around the solutions and ideas that were shared. We also plan to schedule some follow-up discussions at our monthly Firm Tech community meetings to build on the lessons learned and further enable members to learn from each other and discuss the threats they’re seeing and the effectiveness of the controls and products they’re using.

Hope to see you at next year’s workshop!