Lilit Davtyan, Grayson Milbourne and Chant Vartanian Share What Businesses Need to Know About Cybersecurity in 2023

This business advisory panel is produced by the L.A. Times B2B Publishing team in conjunction with M-Theory Group, OpenText Cybersecurity, and Phonexa.

Corporate cybersecurity breaches continue to escalate and the threats (and fines) are growing as we become increasingly reliant on cloud-based computing and other online innovations. With hundreds of thousands more employees working from home, with devices containing sensitive data leaving offices and entering homes at an elevated rate, those concerns have exponentially increased.

While tools to prevent breach incidents have become more sophisticated, so have the methods of hackers and cybercriminals. What actions can business owners take to protect their private data and that of their customers and employees? How can C-suiters and IT teams sleep better at night when there are so many mounting threats to our digital security?

The Los Angeles Times B2B team turned to three uniquely knowledgeable cybersecurity experts for their thoughts and insights about the threats businesses face in today’s digital world along with what executives can do to safeguard the privacy of their organizations, employees, customers and other stakeholders.

Q: From a cybersecurity standpoint, what’s your advice for companies that are analyzing their current security measures?

Lilit Davtyan, CEO, Phonexa: Companies analyzing their current security measures must conduct a comprehensive risk assessment in order to identify and evaluate vulnerabilities to potential cybersecurity threats and mitigate risks associated with outdated legacy systems. A crucial first step is prioritizing cybersecurity initiatives and implementing robust security measures, such as security operations center (SOC) compliance to reinforce the tech infrastructure currently in place. This will help business leaders determine if they have the right tools to protect their organizations from cyberattacks, data breaches, and other security risks. Doing so will also ensure an optimal user experience. Companies can go one step further by implementing regular internal audits that include a review of current security policies and analyzing security logs to identify potentially suspicious activity. These measures will ultimately prepare a company for a quick and effective response in the event of a threat or security incident.

Q: What’s the most dangerous cyber threat that you think businesses will have to deal with this year?

Chant Vartanian, Founder and Chief Executive Officer, M-Theory Group: This year will not be all that different in terms of the techniques we see used – rather, we are already seeing increased effectiveness of the usual methods. Bad actors are getting increasingly more sophisticated; our ability to detect phishing and other malicious messages is becoming far more difficult to discern at a quick glance. Beyond email, we are seeing a resurgence of attempts to phish via SMS. Regardless of medium, phishing remains a persistent threat. Continuous education and auditing are still needed. Invest in well-established training platforms such as KnowBe4. Beyond training, technical staff vigilance and use of secure email gateway platforms remain equally important.

Why is it important for organizations to have an incident response plan?

Grayson Milbourne, Security Intelligence Director, OpenText Cybersecurity: Because it’s not if an organization will experience an incident but when, having a documented plan to detect, contain and respond is absolutely critical. Incident response plans should take into consideration a variety of scenarios. The action you take for a ransomware attack versus discovering an employee doing something nefarious is greatly different. Having a playbook that considers many scenarios ensures nothing is missed. After all, the last thing any business wants to do during a crisis is ad hoc incident response. Planning and practice can greatly minimize the time required for recovery of critical data so businesses can maintain operations. Because even carefully built backup-and-recovery plans can be compromised in an attack, additional safeguards are important for cyber resilience. For example, in the event of a ransom attack, keep multiple copies of backups in different domains (e.g., local and cloud). Incident response plans are a must for businesses of every size.

Davtyan: Having an incident response plan in place is a proactive and forward-thinking approach to managing security incidents. A strategically devised incident response plan helps organizations mitigate the impact security incidents may have on their operations, bottom line, and reputation. In addition to minimizing damage, an incident response plan enables organizations to expedite response time, allowing them to restore their systems and services as soon as possible. This, in turn, reduces downtime and prevents potential revenue loss. Another reason an incident response plan is crucial for organizations is that it ensures compliance with laws and regulations that require organizations to have a response plan, especially considering that non-compliance results in significant penalties and fines. In addition, a clearly defined plan of action helps maintain trust and confidence from consumers by demonstrating that an organization is prepared to manage security incidents.

Q: If a business outsources network security, data management and payment transactions to third parties, does that provide sufficient cyber protection?

Vartanian: In a word, no! While the heavy lifting absolutely offloads the lion’s share of work, it requires everyone to be aware and to continue practicing in-house methods to reduce the company’s attack surface. It is a theme in our practice to suggest the outsourcing of many facets of network security, but we also promote the need for other methods that keep non-technical staff engaged. We continue to see basic mistakes made in identifying common threats; complacency is bred when it is believed that one is in a completely secure posture because expert outsourced tools and services are in place. Overall security and persistent vigilance must remain a holistic effort that involves all employees.

Davtyan: Businesses can obtain added layers of protection by outsourcing network security, data management, and payment transactions to third parties, but that doesn’t necessarily ensure adequate cyber protection. The quality of services provided by outsourced third parties and the extent to which a business remains responsible for assuring that security measures are sufficient ultimately determine the efficacy of its cyber protection. Businesses must thoroughly vet all third-party providers to ensure the ongoing protection needed to avoid disruptions to operations and maintain business continuity. This can be accomplished by establishing clearly outlined contracts and agreements with third parties and conducting regular reviews and audits of their cybersecurity practices. Maintaining sufficient cyber protection is critical to safeguarding sensitive data, complying with data protection laws and regulations, and establishing consumer trust. Businesses should consider all these factors and plan accordingly.

Q: Is cybersecurity awareness training a good idea for businesses?

Milbourne: Cybersecurity awareness training is a must for businesses. When it comes to cybersecurity, the first line of defense (or weakest link) is employees. Bad actors have shifted their focus to users to gain access to environments and then move laterally. Email remains the most popular and easiest attack vector. Phishing attacks pose a substantial risk to organizations of every size. In fact, in the first quarter of 2022, we saw a 1,122% increase in phishing compared to the same time the previous year. And while defenses have evolved, so too have threat actors, which creates an urgent need for ongoing security awareness training for users. Ensuring employees follow basic online safety protocols and deploying email security solutions are obvious starting points. But as malware attacks grow more sophisticated and advanced, ongoing education and awareness of new attack vectors and social engineering campaigns are key. Quarterly or monthly phishing simulations are a great way to keep users current and accountable.

Q: What’s different about the way hackers work in 2023?

Vartanian: As mentioned earlier, we are seeing incredible leaps in sophistication. Because there are many more state-funded and other large-scale private companies that make this a thriving criminal enterprise, the time needed to exploit new vulnerabilities is shrinking. Moreover, the scale of such attacks is increasing. The severity, as measured in dollars defrauded, grows mightily. We are not winning. In our line of work, we have the very unfortunate experience to see how this plays out first-hand. Huge ransoms continue to be paid, and that means we are not getting the basics correct. In nearly every case, we can point to a fundamental mistake as the root cause. Spending just a tiny fraction of a future ransom, today, with the right tools and services can shut the door here for bad actors.

Q: What are some of the biggest mistakes companies make when attempting to protect themselves from breaches?

Davtyan: There are various mistakes a company can make when attempting to protect itself from breaches, starting with failing to sufficiently invest in cybersecurity measures, most notably by not adequately training employees on the best cybersecurity practices. An undertrained staff will likely be unable to fully assess the potential impact of a data breach, thereby exposing the company to potential breaches and attacks. Another mistake companies make is not regularly conducting security audits to detect and address potential threats, leaving them vulnerable to future attacks. This oversight is exacerbated when companies neglect to update their systems and software with up-to-date security patches. This, in addition to having inadequate measures to counteract internal threats, increases the risk of a company being exploited by cyber attackers. Companies can counteract these vulnerabilities by upgrading both their internal measures and perimeter defense.

Q: What is the best course of action for a company that is victimized by ransomware?

Milbourne: Companies have a vested interest in their own survival that often supersedes compliance with regulations. Not surprisingly, companies that have been compromised spend a considerable amount of time ascertaining how to minimize business impact. Small- and medium-sized businesses (SMBs) wanting to avoid the perception of a business failure – and the many steps required to report a breach – often take the easy way out; they pay the ransom and pretend it never happened. However, paying the ransom comes with consequences. Your business has been marked as one that pays ransoms and might be targeted again. Cybercriminals are relentless, which makes it difficult for even the most advanced companies to evade an attack. A compromise should not be viewed as a business’s failure to protect itself but as a reality in the world we live in. Alerting customers on a timely basis and being honest must be the primary focus. Sharing information with the Cybersecurity and Infrastructure Security Agency (CISA) is also very useful as it allows proper attribution and volumes of activity of threat actors to be assessed and targeted.

Vartanian: If a company finds itself in this predicament, it must seek professional assistance. While the damage has already been done – it can get worse. This means there could be lingering artifacts of the original exploit or even bad actors that continue to re-visit the same “customer.” There is no honor among thieves. When you receive expert help, you can shore up the original vulnerabilities, adopt better practices, and achieve a sustainable way of doing business. New tools and platforms can be established to monitor and audit critical resources. One of the biggest problems we see is that most never know when they are attacked; getting contemporary workstation and server protection, which is also actively monitored, is paramount. Even if you do not have physical servers, you still need to care about infrastructure monitoring. It is a very small step to go from an exploited workstation to exploiting all your cloud resources! You may not be able to prevent all exploits, but you can at least know when it happens – and therefore, minimize the damage.

Q: How have regulatory issues changed the way businesses view cybersecurity?

Milbourne: A great example is the General Data Protection Regulation (GDPR), one of the world’s toughest data protection laws. GDPR, through penalty, has caused businesses to take better precautionary methods to protect data. Ironically GDPR is now being used as leverage by hackers. Instead of deploying ransomware after breaking in and stealing data, we’ve seen instances of hackers threatening to release data, citing GDPR fine violations and the costs that will impose. For businesses that don’t take GDPR seriously, complying with this ransom demand may be the more “appealing” option. Ironically, this new tactic by hackers is a good thing because it is causing businesses to take better precautionary methods to protect data and create cyber resiliency. In doing so, these businesses are less likely to suffer a GDPR violation and the likeliness of hackers getting away with meaningful data is significantly lower – a huge win for businesses and, more importantly, customers.

Davtyan: Regulatory issues have significantly altered the way businesses view and approach cybersecurity. In recent years, governments across the world have introduced data protection laws and regulations that require companies to implement robust cybersecurity measures capable of protecting sensitive data. Examples include the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR), both of which enforce strict requirements for data privacy and security. Complying with these regulations helps establish trust with consumers, partners, and stakeholders and allows businesses to avoid steep fines and penalties. With the threat of data breaches and cyberattacks always present and continuing to impact businesses around the world, cybersecurity is increasingly viewed as a crucial component of an organization’s operations. As a result, more and more companies are prioritizing investing in enhanced cybersecurity measures.

Q: What cybersecurity issues keep you or your clients up at night?

Vartanian: We both love and hate this question every year! It seems the theme here is why things are worse in 2023 – and we are not just talking about cybersecurity, right? Companies that have not yet been exploited can become complacent. We worry about both our current clients and our inevitable future clients in this way. It is early, but we have already had a marked uptick in new business for this reason. Successful phishing attacks and ransomware continue to rule the day. While there are new emerging threats, the variety of basic methods continue to represent the “unlocked car” to draw a physical world crime metaphor. Why use new techniques when the old ways work so well?

Q: As a trusted advisor to businesses, what are some of the key pieces of advice you share with clients in terms of protecting themselves against cyber threats?

Davtyan: Businesses can protect themselves against various cyber threats while minimizing the impact of any security incident by following three key pieces of advice. First, a business must keep its applications, operating system, and security software up to date with the most recent security patches and updates. From there, all sensitive data must be regularly backed up to a secure location, and backup data must be tested to ensure restoration in the event of a cyberattack or security incident. To guarantee that this step is properly implemented, access to sensitive information has to be limited to employees who require it to do their jobs. Then, to ensure long-term protection against cyber threats, businesses should conduct regular assessments of their security systems to help identify vulnerabilities and rectify them before they are exploited by hackers and other cyber attackers.

Milbourne: First and foremost, businesses must realize they are a target. SMBs especially continue to think they are not a valuable target; this is a big misnomer. And all businesses should have a cyber resilience strategy in place to detect, contain and respond to attacks. This includes understanding their key assets. It’s not just creating an incident response plan but practicing it as well; practice is the true value. Because there is no one surefire way to prevent an attack, layered security is key to achieving cyber resilience. Email and endpoint security, recurring security awareness training and DNS protection are all essential elements. Each layer provides a better chance of fending off attacks. In the event a compromise is successful, having tools in place to stop the lateral movement so that businesses can quickly recover from cyberattacks and accidental data loss is key to achieving cyber resilience.

Q: Is cyber liability and crime insurance sufficient coverage for all cyber risks?

Davtyan: Although cyber liability and cybercrime insurance can provide protection for certain types of security incidents, they don’t offer sufficient coverage for all cyber risks. While these insurance policies may cover certain incidents, such as cyberattacks and data breaches, some potential losses including damage to physical property or reputational harm may not be covered. Business leaders must take into account that every cyberattack and security incident is unique. Therefore, it is essential to carefully assess your specific needs and consider a vast range of security measures and insurance options to sufficiently protect your business. Having the appropriate amount of coverage ultimately depends on the specific circumstances of a security incident. The best practice for businesses is to have a response plan in place and actively seek advice from cybersecurity experts.