Surety Bond Quarterly - Winter 2017 - 36

Credential theft and loss happen constantly. The media reports on the big compromises but not on the thousands of small events where credentials are stolen and then bartered on the black market. This means that the chance of your old passwords floating around the internet is actually quite high. With the availability of machine learning, making use of these passwords requires virtually no effort. And the answer to "how could they have gotten in?" is simply that they logged in, using his old password, as the executive who was too busy to change it. Logging in as the executive set off no alarms, tripped no sensors, and violated no IT protocols. They had the executive's keys and just unlocked the door the same way the executive does.

The worst part of these incidents is that they are completely avoidable. Two basic cybersecurity concepts to start with are:
1) Assume passwords have been compromised; and
2) Security must apply to everyone in the company, from the top down.

Those with the highest rank and privilege have, by default, the most access to data and therefore pose the greatest risk to the organization. Executives are often the riskiest members of the organization: they sometimes believe the rules don't apply to them, and as a result they often have the least security protection, because security personnel are unable to insist that they follow the same protocols.

Security must be set up to protect your highest-risk assets! It is truly staggering how many incidents, breaches, downtimes, hacks, malware and virus outbreaks would never have happened if these two tenets of security had been followed. Here are some cybersecurity "Getting Started Actions" you can take:

Assume the bad guys have your password.

Ask your security team the question, and do so bluntly: "If someone has my password, how do you keep them out?" The answer to this should be very quick and simple. The answer is two-factor or multifactor authentication. At a more sophisticated level, your IT team may be using behavioral analytics or conditional access systems. Any of these make for good security defenses, and they are most effective when they can be described and articulated quickly and in a manner that is easy to understand. A stolen password is the simplest attack vector, yet the hardest to notice. It is one of the reasons that a breach can go undetected for hundreds of days. Much of your security defenses should be based on this concept.

Ask your security team questions; do not let exceptions be your downfall.

Do you make policy exceptions for IT or executives? The answer should be no, especially for IT and executives, as they pose a high risk to the organization. No one should be the administrator of their own PC, including IT personnel, and there should be no exceptions to this. As a business leader, always ask the questions, "Does this procedure apply to everyone? Are there any exceptions?" There are weak spots in any environment, so ask where they are and prompt the question "Am I a weak spot?" Give security teams the opening to change the status quo, as it may save you from disaster.

Implement an ongoing and creative education campaign.

Every organization should have a formal internal and external security education campaign. One of the top security defenses is formal and regular training of all employees. It should include at least the following three areas:
* Phishing and spam training and testing
* Training on company-specific security policies, procedures, programs and concerns
* Training on how security can benefit the individual both at work and at home. It is helpful to teach employees about their personal security and how it transfers to the security of the company.

Be creative with security education. Face-to-face training is the most effective, but it can't stop there; once-and-done is not sufficient. Effective security training delivers the message when the employees are engaged, and it continually reiterates good cyber hygiene. Employees do care about the company data; many times they are just unaware that some of their practices are risky. Make them the stewards of your information and part of the solution. They will be grateful for the trust and responsibility.

Require all employees to receive data privacy and security training at least annually, with frequent follow-ups. Too often there is the assumption that everyone knows what the "right" thing to do is. While positive, we find that this leads to a false sense of security and safety. Often the default behavior is: "If no one has mentioned it, it must be okay." All employees need security training and to be shown what "right" means. Educate employees to identify what data is dangerous and how to handle it. Grade your level of success for security training as well as for your systems. Employees are your highest risk. Let them know it, and empower them to be part of the solution.

A well-run organization has downtime and must patch vulnerabilities.

Do you allow IT to have a regular monthly downtime so systems are kept up to date? You wouldn't run construction equipment constantly without servicing it, would you? Many of the recent newsworthy vulnerabilities and exploits had resolutions available well before the issues became evident. There is no perfect system; all systems will have bugs and problems. However, implementing patches and proper maintenance is a critical business process. Today's unimportant patch may be tomorrow's exploit savior!

Disaster recovery and backup are vital to cybersecurity.

It is likely that, no matter the defenses, at some point you will need to recover from an incident. Perhaps from ransomware, maybe a virus, an employee could make a mistake, your cloud server could be hacked, or your