Cybersecurity: A Necessity for Your Bus Company
By Michael Andriola, Partner and Thomas J. DeMayo, Partner
Any business can go from operational to a state of complete lockdown with the simple click of a mouse. This is especially concerning for school bus companies as their internal databases contain sensitive information about the children they are transporting. A bus company’s hard-earned reputation and operational stability can be tainted or even worse – destroyed – with a single incident and, more importantly, may affect the well-being of its riders. Many businesses that fail to prepare, fail to recover.
Cybercrime can include any of the following:
- Theft of financial and/or sensitive information of an individual or company which can be sold and used in a myriad of cybercriminal activities.
- Cyberextortion, such as ransomware, where attackers install malicious code that encrypts company data, preventing the owner from accessing their data unless a ransom is paid for the encryption key. Another common form of extortion is the exfiltration of company data and a threat to make that data public unless the ransom is paid. Often, the attack will include both encryption and exfiltration, further increasing the pressure on the company to pay the ransom.
- Diversion of funds through manipulated emails that result in the change of electronic payment instructions.
- Denial of service attacks that results in company systems being overwhelmed and unable to process legitimate business transactions.
For a company to prepare successfully for and defend against the cyber threat, it must establish a cybersecurity program that includes a core competency and capability in the five pillars of information security: Identify, Protect, Detect, Respond and Recover.
As bus companies – and, indeed, all companies – evaluate their security programs and look to align with the five pillars, below are some of the key controls they should consider:
- Establish a cybersecurity committee with effective governance and a philosophy of security that resonates from the top down. This committee is critical to the success of a cybersecurity program.
- Perform ongoing risk assessments and more technical exercises, such as penetration testing to evaluate the cyber defenses and response capabilities of the company.
- Perform effective due diligence on any third party that will store, process, transmit or have the potential to impact the security of the company.
- Establish a cybersecurity awareness program which educates employees on cybersecurity threats and phishing emails. Ongoing phishing testing should be part of the overall awareness training program.
- Enforce strong logical access controls, such as robust passwords and multi-factor authentication (MFA). MFA should be utilized consistently for access to remote systems or applications that contain data of value and for any privileged access to a system or application.
- Restrict access to only what is needed for an individual to perform their assigned duties. Further, restrict access to not just the user, but also the device from which the user is connecting.
- Employ next generation anti-virus software, known as Endpoint Detection and Response platforms.
- Install vendor-provided security patches on a consistent and timely basis relative to the risk of the vulnerability the patch is intended to fix.
- Collect, analyze and store security logs from all critical systems, network devices and applications. Alert on known security threats or anomalous activity.
- Implement a backup strategy that is ransomware resilient so that in the event of a ransomware attack, a backup of last resort exists.
- Be resilient. Establish and maintain an incident response, business continuity and disaster recovery plan.
- Test the plans to ensure they will work as designed and employees fully understand their roles as part of the plans.
If you think a cyber-attack won’t happen to your company, be advised that cyber criminals just don’t target Fortune 500 companies. The following are examples of reported cyber-attacks against government entities, school districts and their related vendors such as bus companies.
- Washington State Public Bus System suffered a ransomware attack disrupting some of their systems. The threat actors are also currently claiming to have stolen data.
- Minneapolis Public Schools, which suffered a ransomware event early this year, has now reported that the threat actors have released the stolen information to the dark web. The data published, which dates back as far as 1995, consists of payroll information, union grievances, health information, civil rights investigations and other sensitive records. The cyber criminals demanded $1 million to prevent the posting of the data.
- The City of Oakland, which suffered a ransomware event in February, has reported that the ransomware gang has started to publish the stolen information. A first batch, consisting of 10GB of compressed data consisting of highly sensitive information such as IDs, passports, financial information, etc. has been published.
- Oak Ridge, a city in Tennessee, suffered a ransomware attack impacting many of their government systems. This comes on the heels of Tennessee State University suffering a ransomware event two weeks prior.
While this all may seem daunting, it doesn’t have to be. For practical, cost-effective and meaningful assistance with your cybersecurity needs, reach out to the partner in charge of your account or:
Michael Andriola, CPA, CFE, CCIFP, PSA
Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner-Cybersecurity and Privacy Advisory