The Current State of Cyber Security in Florida and What Your Industry Needs to Know…
By Angela Polania
The Florida Center (FC) for Cybersecurity issued The State of Cybersecurity in Florida report in mid-2018. FC contracted with Gartner to conduct the study and document its findings in the report, which comprehensively reviews the state’s cyber threat environment, workforce supply and demand, education and training opportunities, and research initiatives. The report also examines the cyber readiness of Florida’s businesses, agencies, and organizations in 12 critical areas against industry standards as well as national averages. Some of the observations include:
- Cybercrime will continue to increase due to Florida’s robust economic landscape;
- Digital business and technological innovations will continue to challenge existing security approaches for the foreseeable future;
- Florida’s senior, less cyber-savvy citizens are more likely to be victimized by cybercriminals and related fraud;
- A long-term lack of security investment and an emphasis on compliance versus security place Florida slightly behind other states in security maturity;
- The scarcity of trained cybersecurity professionals and increasing wages have resulted in a negative security-specific unemployment rate in Florida and nationwide.
Insight into Florida’s growing cybersecurity talent shortage:
- 68% of organizations surveyed report cyber staffing challenges
- Compensation for mid- and junior-level positions in Florida is $5,000 to $10,000 per position higher than the national average
An overview of the threats facing Florida businesses:
- Reports of corporate data breaches in Florida rose 17.8% between 2015 and 2016
- 41% of organizations surveyed report having suffered a breach
- Only 32% of organizations surveyed are confident they are prepared for a cyber attack
The most common exploit methods seen both in private and public enterprises include:
- Ransomware- Malicious software that infects a computer and restricts access to it until a ransom is paid to unlock it. Ransomware is typically spread through phishing emails containing attachments or when a user visits an infected website.
- Advanced Persistent Threat- A network attack in which the attacker stays in the network for a persistent period of time and uses phishing, social engineering, and privilege escalation to further gain hold of the environment under attack.
- Distributed Denial of Service (DDoS)- An attack in which multiple compromised computer systems attack a target, such as a server or a website, overwhelming the system and causing failure for authorized users.
- Cross-Platform Malware- Malicious software that can run on any platform (iOS, Android, Windows). Typically spread through phishing emails that contain malicious attachments or when a user unknowingly visits an infected website.
- Metamorphic and Polymorphic Malware- Malware packaged with code changes that can “change appearance” to avoid detection or eradication. Typically spread through phishing emails that contain malicious attachments or when a user unknowingly visits an infected website.
- Phishing- Email or instant message intended to expose sensitive information such as usernames, passwords, credit card details and, indirectly, money. It typically takes the form of an authentic-appearing email with infected links or attachments that entice users to execute the malicious code by opening the attachments or accessing the site.
A look at the steps organizations are taking to mitigate these threats:
- 80% of organizations surveyed require all personnel to complete security training
- 87% of organizations surveyed technologically enforce strong passwords
- More than 85% of organizations surveyed have disaster recovery and business continuity plans (though only 32% regularly test those plans)
Key Industrial Sectors
In 2013, President Obama signed Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, stating that the federal government has a responsibility to secure and strengthen the resilience of the nation’s critical infrastructure. President Obama simultaneously issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called on the federal government to work with critical infrastructure owners and operators to improve information sharing and develop and implement risk-based approaches to cybersecurity.
The key industrial sectors designated in Directive 21 face a common set of threats, ranging from natural and human-made disasters to domestic and foreign malicious actors intent on stealing valuable information or disrupting commerce and services.
Defense Industrial/ Transportation:
Florida is home to 20 military installations and three unified combatant commands, and virtually every major defense contractor in the world has significant operations in Florida. The state is consistently a top-five recipient of Department of Defense contracts. Supporting this robust defense sector is one of the most extensive multi-modal transportation systems in the world, led by Florida’s unparalleled aerospace and aviation industry.
Given that this industry regularly introduces new technologies to its operations and relies extensively on computer systems for both ground and flight operations, their concern is not unwarranted. Responsible for moving people and cargo all over the world, this industry serves both the transportation and defense critical infrastructure sectors and is an attractive target for cybercriminals who want to obtain critical, sensitive information, disrupt operations, and even endanger lives. Aerospace companies are a high-value target for foreign nation-state actors seeking intellectual property and confidential information. The commercial aviation industry, long the target of terrorist attacks, faces the unique and terrifying threat of a malicious actor accessing flight controls remotely.
With no personal income tax and its proximity to Latin America and other global markets, Florida is an extremely business-friendly state. Florida has the fourth-largest financial services industry and the third-largest insurance industry in the country. The very nature of the Financial Services Sector, centered on institutions that hold vast amounts of wealth, invites cyberattacks. In the first half of 2017, the financial services industry was the second-most-targeted industry for cyber attacks after healthcare. Business email compromise (BEC) has had a toll of over 12 billion in the last 6 years, increasing every year throughout the country.
The ease of digital monetary transfers and the lure of large financial gains make this sector a prime target. Fortunately, this sector has a long-standing history of monitoring exposure and mitigating risk. The Financial Services Sector was an early adopter of additional safeguards such as multifactor and biometric authentication as well as data encryption, making it a highly cyber-aware sector.
Healthcare and Public Health
With the third-largest population in the nation and the second-largest senior population, Florida devotes significant resources to healthcare. In 2015, more than 46,000 healthcare establishments employed more than 803,000 Floridians. Beyond that, Florida is a leader in the bioscience industry, which includes pharmaceutical and medical device manufacturing. Florida is home to more than 1,100 biotech companies and is ranked second in the nation for the number of registered medical device manufacturing facilities by the U.S. Food and Drug Administration. Like the Financial Services Sector, the Healthcare and Public Health Sector is a prime target for cyber attacks due to the type and volume of data under its purview. Additionally, many people within the system can access this sensitive data, from doctor’s office administrators to insurance company employees, creating multiple points of vulnerability. It is not surprising, then, that the healthcare industry was the hardest hit by cyber attacks in the first half of 2017, accounting for 25% of all breaches. 2015 was a record year for healthcare data breaches, with more patient and health plan member records exposed or stolen than in the previous six years combined.
Florida ranks among the top 10 states for manufacturing, with more than 19,000 manufacturers producing a variety of goods. As the third most populous state in the nation, Florida has a large workforce to support manufacturing as well as the strong transportation infrastructure and logistics industry needed to move manufactured goods. Manufacturing was the third-most attacked sector in 2016, and the proportion of serious incidents was 40% higher than the average across all industries. Based on the type of attack, researchers surmised that threat actors see manufacturing as an easy target due to a lack of industry compliance standards like HIPAA and a correlating lack of cybersecurity investment. Intellectual property is a key payload in a manufacturing cyberattack, with cyber espionage cited as the reason for 94% of breaches in 2016.
Based on our experience and being in the trenches in this industry, the information summarized above from the study appears to correlate with what we see in our clients.
Financial institutions, together with large health insurance companies, usually have the highest level of controls and governance of any industry.
Healthcare providers, small hospitals and systems often do not have the level of investment and expertise required to properly secure and manage cybersecurity, or even to meet the minimum bar of HIPAA compliance.
Large defense contractors do appear to have the right controls in place and are DFARS compliant, but smaller subcontractors that are part of the critical supply chain in this industry lack the expertise and investment to properly secure their environment, let alone be in compliance with DFARS.
Large and middle market public companies have the budgets and are subject to SEC requirements that have forced better cyber security governance and controls than most other companies.
Local government entities don’t have the budgets or pay the salaries to attract the best talent or enough talent, and they lag behind in cyber security controls mainly for these reasons. Also, although NIST has issued standards required by the federal government, these are not enforced and/or mandated at the local and state level, and with little compliance and regulatory oversight (outside of FDLE for the police network and data), the imminent pressure of audits and compliance is not felt the same way as in financial institutions and other industries.
Moreover, although Florida passed the Florida Information Protection Act of 2014 (Florida Statute 501-171), unlike upcoming legislation in California (California Consumer Privacy Act) and internationally (e.g. GDPR in Europe), the enforcement actions and fines/penalties associated with it are not felt by companies. Many companies are not aware of the requirements and do not seem to have them on their radar as a priority.
Based on our experience in the field, the main ways in which cyber security is compromised seem to always boil down to:
- Social engineering/phishing. The statistics on business email compromise (BEC) maintained by the FBI indicate a rise every year. This happens mainly through social engineering and targeted phishing/spear phishing. We have seen this first hand in various cases where we have come in after the fact to reveal that these organizations had low levels of cyber security control sophistication and knowledge.
- Inappropriate patch management and vulnerability management practices. Systems are not patched as required, and IT personnel do not have the bandwidth, the knowledge, or both to tackle this effectively. The Equifax hack was related to a web server not being patched.
- Limited security monitoring- the investment in technology and talented people to perform this function is lacking in many organizations. Also, salaries are high and the talent shortage is a real issue in the entire country.
- Limited knowledge on how to properly configure and secure software, systems, etc. Weaknesses in application security, server configuration, etc. are found consistently in most companies, creating exploitable vulnerabilities.
- Limited resources and budgets- in many organizations, especially smaller companies and non-regulated industries, the investment in security is very limited and/or non-existent, relegating security functions to a network administrator without the proper knowledge and/or experience.
- Limited governance structures and practices- this can stem from a lack of importance placed on the subject by senior management, from small organizations with limited budgets, and from a lack of knowledge of the importance and risks posed by weak cyber security controls.
In order to improve the current state at State and local government agencies and enterprises, the State of Florida government can help by:
- Implementing stronger regulatory requirements (e.g. enforcement actions with FIPA and monetary consequences). This will make sure that protection of information is on companies’ and organizations’ radars so that they make the proper investments. Although compliance is not security (a saying in the industry), compliance does push or force companies to improve their controls and processes, which does increase their resilience to cyber security threats and actual attacks.
- Continuing to enhance cyber security educational programs and workforce development to increase the pool of available knowledgeable resources, and continuing to invest in organizations that work with private enterprises to give the newly trained workforce the experience to further improve their skills.
- Improving high school training to have a standard curriculum for ethical hacking and cyber security training (ethical hackers start this early and are usually the best ones), with partnerships with government agencies and enterprises.
- Working with academia and educational bodies to build partnerships with companies for information sharing and training resources.
- Walking the walk and implementing strong controls at the agencies, with appropriate oversight and governance.
- Funding research, organizations and initiatives that support the improvement of talent, cyber security knowledge and overall awareness and enforcement of the subject.