Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Why Election Season Puts Your Business at Greater Risk for a Cyber Attack
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd chat candidly about the importance of a strong cybersecurity stance ESPECIALLY during Election Season.
That’s right, all those scary cybersecurity stories get turned up to 11 during this wild time. Big and small organizations alike, this is the episode for you to ensure your highest level of data protection amidst the noise.
All this and more on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the andouille sausage to your compliance jambalaya, Mr. Adam Goslin. How the heck are you, sir? I’m doing good, Todd. How about yourself? Spicy, sir, spicy indeed. And it may have something to do with the fact that election season is upon us. Now, we’ve got an interesting topic along those lines today, and that is why election season actually puts your business at a greater risk for a cyber attack.
Why don’t you tee this one up for us, Adam? Yeah, well, we happen to be having this conversation literally on Tuesday, the 5th of November. So, yeah, a very timely topic indeed. So, if anybody’s been paying attention to the election news cycle, they’re noticing increased numbers of reports related to foreign threats to U.S. elections. This seems like it’s been a big story since 2016. I’m sure there were shenanigans going on before that, but it seems to have taken a front-row seat since. What might be of news to the listeners is that election season brings along an elevation in, you know, cyber risk. So, you know, anytime we’ve got elections, you know, in play, there’s certainly increased volumes of cyber attacks in general. You know, the election season sees a greater level of activity, you know, by bad actors, and this year’s presidential election so far has been no different, and why should we really expect anything different?
Indeed, now tell us more about foreign cyber attacks during the election season. Well, you know, there’s a whole bunch of different people and organizations that are, you know, really materially affected by the election cycle, you know, cyber concerns. When it happens to be the year we’re doing a presidential election, then in many cases that kind of golden egg for, we’ll call them certain nation-sponsored groups, is to be able to manipulate the outcome of the election. So, while prime targets certainly would remain things like party headquarters, outposts, public figures that are affiliated with one party or another, heck, even the voting machines are kind of targets of opportunity. So, there really isn’t a particular party or candidate that’s immune from these attacks. If they can get in and breach field offices, find known voter lists for a particular party, then that’s kind of gold for them, and gives them an opportunity to start engaging in different forms of social media messaging and swamping them with messaging to attempt to influence the vote. So, if they can’t manipulate the outcome of the election results, then hey, guess what, next best thing, we can go and create some disruption. So, chaos within the arena. So, we saw plenty of the shenanigans unfolding during 2016. And the other problem is that the election cycle, oh God, I wish they were shorter. But they’re not. Thankfully, thankfully we’re sitting here on November 5th. I’ve said to several people, I’m like, I’m just looking forward to my phone, voicemail, text message, email, television ads, ads on YouTube and every other social media platform finally not blasting everybody with election ads. It seems like it’s been forever. But yeah, thankfully, we’re just about there. But because that election cycle’s so long, these attackers have plenty of time to get in and be effective.
The news media is just now picking up news stories about election season, cybersecurity concerns, but certain nation states have been systematically and actively launching attacks for well over a year.
The Center for Information Security, or CIS, um, you know, they’ve got a compliance certification specifically for voting. It’s called the Elections Infrastructure Security Certification, or EISC, um, you know, which was developed in response to the issues, you know, that were related to elections infrastructure. With the TCT portal, you know, every time that we get a request from a paying client that needs a particular certification, all they do is ask us, hey, you know, can you go add fill-in-the-blank, and we’ll go at it, and EISC happens to be one of the, you know, 150-plus certifications we’ve currently got up on the TCT portal, with clients leveraging it. So, you know, certainly, a lot of the rhetoric, stories, you know, things hitting the news, etc., from, you know, especially back in 2016, you know, people were kind of taking that seriously and really making sure that they were putting voting systems kind of through their paces. And we got a request to go get that one added to the portal.
Very cool. Now, which businesses more than the others are at risk for this happening during this heightened period? Well, you know, government offices, campaign offices, election systems, they’re primary targets, right? Their vendors are also good opportunities for, you know, for cyber attackers, and, you know, the electronic election systems, they’re hosted someplace, you know, and there’s a whole supply chain that comes into play when you’re talking about the election. So, you know, certainly every company within that spectrum is at risk, but, you know, it’s not just the election industry companies that can, you know, that can encounter problems. You know, the reality is, as you come across one of these types of events that spurs heightened awareness, heightened targeting, etc., while, sure, it sounds great to say, hey, we’re gonna go target election and election-support-related companies, it’s approached with a very broad spray, if you will. The attackers are looking for those particular prime targets, but in order to locate them, they’ve got to just basically go out there and look. And I’ve had conversations with different organizations over the years, many of which are, you know, kind of shocked, right? Oh, hey, we don’t, you know, we don’t have a website. All we’ve got is, you know, an environment type of thing. How and why were we targeted? The bad guys, especially with something like this, you know, the spectrum of, you know, kind of election and election-support-related targets, um, they could be sprinkled and spread damn near anywhere. And so the bad guys literally are doing, you know, randomized attacks against, you know, against IP addresses. They don’t even know who the target is, as they’re just trying to identify potential targets. Well, all they’re doing is trying to find systems that they could breach and then try to get in and breach them and see what they can go do with them.
So, you know, it really puts it into a situation where every organization falls into this arena of being, you know, in a heightened state of potentially being breached, um, you know, just because of the nature of how they’re, you know, how they’re going about doing it. Even if they aren’t after, uh, you know, after you, you know, the listener type of thing, um, you know, the election attackers, if they find gold, you can bet your bottom dollar they’re going to know somebody that they can go hand data to, information to, etc., even if it wasn’t their primary target. You know, it’s interesting when you start to get into the landscape of the, you know, of the attack vectors, of the attack process and procedure that these guys go through, you know, depending on the nature of the data that they’ve come and discovered. So now I’m targeting election data, but I happen to find medical data. I happen to find intellectual property. I happen to find, you know, PII, um, you know, all they’re going to do is, if they’re razor beam, you know, razor beam. That was a fine combination of razor focused and laser beam. So now it’s a razor beam. Razor beam, razor beam. Sunday, Sunday, Sunday. That is my monster truck’s name, just so you know. Razor beam, you’re gonna rename it, huh? All right. We’re gonna have to start thinking of fun band names here soon. But anyway, you know, if they’ve got this laser focus on election folks, if they’re tripping across all their valuable data, all they’ll do is just go hand it off to other bad guys who pay them for it, and blop, and then they’ll go monetize it.
So, you know, the reality is, is that, you know, they have to, the bad guys are funding themselves. And so your data is an opportunity for them to make money on the dark web. And so, you know, before you even know that you’ve been breached, you know, meanwhile, your sensitive data has been sold off to somebody else, highest bidder, whatever it may be. So, you know, the election cycle attacks, you know, should be highly relevant to every business out there. It doesn’t matter whether you’re a global enterprise or a mom and pop shop, you know, they’re gonna, all they’re doing is looking for targets and, you know, these targets of opportunity where it’s easy to go, you know, get into breach, etc, they’re gonna monetize it one way or the other. They’re either pawning it off to their, you know, to their friends or their, or they’re consuming it if they believe that it’s, you know, related directly to one of the parties or election offices, to, you know, vendor support for any of the aforementioned, you know, then certainly they’ll stick with their nose to the grindstone and keep it in the way to try to continue to expose that particular target, but you can bet that they’re handing off stuff they trip across in the meantime to some of their friends.
Yeah, that makes sense. Now, some companies think they’re too small to be a target. Is that a safe assumption, Adam? Well, no, short answer. You know, the way that I put it, and I’ve heard this particular mantra, oh, well, you know, we’re not all that well known or oh, we don’t have all this sensitive data, you know, etc, and so they, you know, a lot of organizations will kind of mentally, mentally bamboozle themselves into thinking that we’re too small, we’re not a big enough juicy target, etc, so, you know, we’ve somehow are safe or, you know, I harken back to the conversation we were having earlier, which is, you know, these guys literally, they have systems set up, which will, you know, for an IP address, they’ll, you know, they have basically systems that will go 1.1.1.1, you know, anything there, no, okay, great. 1.1.1.2, you know, and they’ll just literally run through, you know, the series of IP addresses. And they’re oftentimes initially, they’re just saying, is this host alive? Is the first round of, you know, round of a quote attack? And, you know, they have this stuff locked in. So they’ll literally go through, they’ll look for an IP that comes back with, you know, with something alive, you know, type of deal. As soon as they know it’s a live IP, they hand it off to a next kind of a phase two process, which will then say, okay. this IP is live, what type of stuff is it doing? Does it have, you know, does it have an open SSH port? Is it, you know, has it got a wide open DB port? Is this some type of a web server serving content on 443 or 80, you know, etc. And they’ll put it through these rounds, right? The next round, after they figure out the ports that are open, now they’ll start doing directed attacks against the port 80 and 443, you know, that they would typically go and assign out to web servers. They’ll do generic things to try to figure out, well, what type of a web server is this? 
You know, and then from there they’ll hand it off to a next round of even more specialized attacks. These guys, there’s a reason that this stuff makes so much freaking money. And that’s because they are really good at it. And they do it in, they do it in mass. And so, you know, kind of coming back to the company that’s going, we don’t have anything you know, you got to think about the different types of data that you may have within your walls, right? You could have credit card data. You could have personally identifiable information for your employees, your vendors, your customers. You could have your own banking information and accounting information. You could have clients banking information and accounting information. You could have legal documents, intellectual property, medical data, payroll information. You know, medical insurance information for your employees. There’s all tons of stuff that could be of value. Now, the one thing, the one thing that’s interesting is I’ve heard from people before, all I’ve got is first names, last names, phone numbers, addresses, and emails, you know?
How big of a deal is that? Well, guess what? Go ask any of the freaking hundreds of companies that only had that hacked, that had their name in lights, that were having to answer questions from their customers about, well, why in the hell did you have a data breach? Meanwhile, it’s showing up on Google and all your salespeople are having to answer questions about your relative data security. If that goes in lights publicly, I don’t know what to tell you. It doesn’t matter what they were able to get a hold of. Your customers, your vendors, your partners, your employees, they all expect you are protecting their stuff, and they don’t care.
Is it worse if it’s medical data or my detailed financial information or my credit cards? Yeah, it’s worse. Honestly, there’s no real shades of gray between you got breached and had my first name, last name, address, phone, email taken versus the other stuff. Um, you know, there’s a very small step in between those and generally the, the, the companies or the people that end up having their stuff, uh, you know, breached, they don’t really care one way or the other. You’re still answering, you know, answering to it. So, you know, you know, it could be more than that. What it could be is it could be a ransomware attack that’s put on your organization where, you know, some, somebody within the organization opened the wrong file, ran the wrong thing, you know, etc. And now you’ve got ransomware starting to spread across your, across your systems, locking you out of your whatever workstations, file servers, you know, servers within your environment. It doesn’t matter. Are they, are they local workstations or are they virtual workstations? Are these local servers? Are they servers in the cloud? You know, it all depends on, you know, kind of what the, the person that happens to have gotten breached, um, what they have access to, uh, you know, what level of access they have to, um, you know, you don’t know if the person that happens to click on the wrong thing. Should it be less of a chance if it’s, uh, you know, if it’s one of your system administrators versus one of your salespeople, okay, dollars to donuts. Sure. It’s probably going to be less of a chance with a system admin, but I can tell you that with, you know, two decades of evaluating organizations, you know, and, and, and, and, oh, I’ve seen plenty of dumb stuff that system administrators do as well. So it, you know, nobody’s safe. That’s, that’s the real point here. You know, the reality is it doesn’t matter how big it doesn’t matter how small with the broad spread attacks that happened during election season. 
Uh, yeah, everybody’s a freaking target, dude. Everybody.
What should companies be doing to protect themselves? Well, you know, at the end of the day, step up your cyber protection, etc. I mean, for organizations. Here’s where I wanted to kind of drop a couple of tidbits. I have heard for a long time that, oh, well, we’ve got IT people or we’ve got this outsourced IT company and well, they must know how to do this stuff securely. I’m telling you right now, if that’s where your headspace is as an organization, you’re very, very likely wrong. It is a good notion to adopt the notion of trust but verify. I comment this from a perspective of perspective. When I first started getting my entree into the cyber arena north of two decades ago was quite literally coming up through the management ranks of IT and having my boss tell me I needed to get PCI compliant. And I summarily said, well, what’s PCI? And then embarked on what I can only describe as 18 monstrously painful freaking months of trying to figure out what is all this stuff. By the time that I was done, I realized several things. I realized one, how little I knew about security and compliance despite the fact that I went, I’ve been to school for IT, I worked as a grunt in IT all the way up to management in IT. I didn’t know anything about security and compliance in the grand scheme of things. I know how to do IT stuff, but did I really know how to do the IT stuff securely? No, different arena, different skillset, different world. So for those organizations listening to this pod, long story short, you may be one of a very small handful of organizations that just happens to be lucky enough to have somebody with whatever, five plus, a decade plus, experience in dealing with literally cybersecurity, not IT. If you are, well, kudos to you, but there’s a lot of companies out there that are not in that situation. 
So I hear griping from companies, oh, we can’t invest in our cybersecurity, it’s gonna cost too much, or this is gonna grind our business operations to a halt, blah, blah, blah. You know, but the reality is it doesn’t have to cost an arm and a leg to go from doing nothing to doing something. You gotta start somewhere, right? Sure, sure. I mean, I would encourage and implore organizations, do that, start doing something, you know, implement a solution that starts, you know, protecting your business, you know, without getting in the way of your business operations, it is doable, you know, start simply, you know, you don’t have to do everything all at the same time, you know, but you should at least get started with what you can. One of the biggest factors is knowing where am I at and what do I need, what are my opportunities for improvement?
So, you know, companies that are taking their security seriously, those are the ones that survive. You know, the reality is that, you know, you’ve got organizations out there, you know, that are literally relying on their cyber liability insurance to protect them, but, you know, the one thing is these organizations, they need to keep in mind, that’s cyber liability insurance, that’s not gonna protect you from things happening. It only assists those organizations that have found themselves in the unfortunate situation of having an issue. The other piece of it is that the insurance, literally part of the application process for cyber liability insurance, these questionnaires often are getting filled out by somebody in accounting, CFO, something along those lines.
I see it frequently, even today, that those applications are going to the gear heads that really know what they’re doing and how to answer these questions, whether they are or aren’t actually doing these things. And meanwhile, the company sitting here under the misnomer that, well, geez, we got the cyber liability, so we can just go ahead and invoke that. Well, not if your application for the cyber liability insurance in the first place is inaccurately reflected, which you’re actually doing as a company. So, just like insurance isn’t gonna protect your car from an accident or save your house from catching on fire, it’s not gonna be guaranteed to save your business after a data breach. I mean, there’s a lot of companies that they find themselves in the unfortunate situation of staring down a cyber attack. If you happen to be one of the unfortunate companies to be in the early stages of a zero day, even, where you’re literally one of the very first handful of companies hit with a brand new vulnerability, well, honestly, man, there’s not really a hell of a lot you can do about that, but that’s not a reason or an excuse for why organizations should be saying, well, then, geez, it makes total sense that we’re not gonna do anything about it. I mean, you’re really, you’re not gonna do anything about your cyber stance, given with a notion that, there’s really, I don’t know if I had to put a percent, it has to be, you know, one hundredth, between a hundredth and a thousandth of one percent that your organization happens to be the one, you know, that gets hit with this, you know, with this zero day. But I can tell you with absolute certainty, those that aren’t taking their cyber stance seriously, they are at tremendously higher possibility of getting breached.
Parting shots and thoughts for the folks this week, Adam? Well, you know, at the end of the day, you know, Total Compliance Tracking was literally founded to make compliance management suck less. So, you know, you’ve got an opportunity to leverage a platform, the TCT portal, to be able to help with managing your engagements. You know, we talked earlier about the company that, you know, doesn’t really have their ducks in a row, etc., and we talked about kind of figuring out where you’re at against your target certification.
It makes it a hell of a lot easier to be able to use a system against your target, you know, kind of your target control matrix for your target standard or certification, and literally be able to go line by line by line, which of these things are we doing? Which are we not? You know, etc. You know, for those organizations that are kind of trying to get their act together and or step up their game and or sanity check, you know, where they’re at, you can self-serve, if you will, through leveraging just the TCT portal as a tool.
If you’ve got all the expertise in-house, etc., and you’re comfortable with that, great. You know, we at TCT also happen to provide programs where we’ll help people with their ongoing management of their compliance, etc. If you find yourself in a situation where you need the assistance or you need the validation for a third-party assessment or audit, you know, we know dozens of different, you know, assessor organizations that can help you with fill-in-the-blank standard, you know, and we’d be happy to give you a recommendation for one that also doesn’t suck to deal with. So no matter what your present state of security and compliance, you know, I just recommend take your stuff seriously, use a tool for managing your compliance. It will be so much better, and allow you a sane way to be able to validate and review your current state of security and compliance.
And finally, please do yourself a favor. If you don’t know who’s currently filling out that cyber liability policy, start asking some questions, figure out who’s filling it out, and are we filling it out correctly? Because that is a huge risk for organizations out there today.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.