Technology is in our hands, at our fingertips, all of the time. With the click of a button, business transactions are conducted and confidential information is shared instantaneously across the globe. It’s all too easy to assume that passwords and firewalls are keeping that information safe and secure, but the reality is that cyber attacks and security breaches are the new normal, and a company without both prevention tactics and recovery strategies firmly in place has already fallen behind.
Financial, health care, technology and retail companies are all at risk of losing data, time and money due to cyber attacks—and damaging their reputations.
“Everyone’s heard about security breaches happening almost every other day in the past few years, across industry sectors,” says Derek Han, principal in the cyber risk practice at Grant Thornton. “Companies are trying to keep up with innovations from a technology standpoint, and keep up with the security issues that come with technology innovations.”
The concept of cybersecurity isn’t new. But it’s been within the last three years that the introduction of programs designed to attack networks has become a “very insidious issue,” says Nick Barone, director of Eisner Amper’s cybersecurity practice.
“The top concerns have always been controlling and protecting sensitive data and the ability of the network to function: data security and operational functionality,” Barone says. “But given the increased level of attacks on company networks, they’re being elevated in priority.”
Corporate boards in particular, Barone adds, are asking what processes are in place to protect the company.
HOLDING DATA HOSTAGE
One of the biggest threats right now isn’t cyber espionage. It’s the proliferation of ransomware, which is just what it sounds like. A hacker breaks into a company’s system, encrypts the data and demands a ransom in exchange for unlocking it. “It’s a quicker payday if you know you have a company that’s willing to pay a certain dollar amount to undo the damage,” Barone says.
“2016 was the year of ransomware,” says Ted Schaer, head of the cyber liability, privacy and data security practice at Zarwin Baum. “Businesses across the country saw an uptick in malware that was introduced in very simplistic emails that people would open and infect their system with ransomware. The company becomes paralyzed because all of their data has been encrypted—unless they pay the ransom, or have sufficient backups that they can wipe everything out and reinstall. And in 2017, that will continue to be a very big cybersecurity threat for businesses.”
The ransomware tactic sounds like one data kidnappers would use to go after larger corporations with more money to pay, but it’s smaller companies that are now facing the most pressing threat.
“Cyber criminals are realizing that bigger companies are employing greater tools to prevent intrusion. So they’re starting to focus on small- and medium-sized businesses, because they know [the businesses] might not have the budget and resources to employ sophisticated cyber defenses,” Schaer explains.
And the news doesn’t get better from there: “I think 2017 is going to be a very difficult year for businesses that rely on websites, such as online banking and retailers,” he says.
Accidentally opening an email you shouldn’t is far from the only way a system can be infected. The latest buzz is centered around the Internet of Things, or IoT — the network connectivity governing smart devices, including everything from home appliances, phones, vehicles and medical devices like pacemakers, to machinery, utilities and much more.
The concerns around the “malware that is being used to secure the IoT that is being used as weapons against businesses, are only going to grow as those viruses become more and more available,” says Schaer. “You can go on the dark web right now and either hire people or obtain the virus yourself.”
COMBAT THE RISKS
“You have to know what you don’t know, which sounds very basic, but many organizations don’t know the applications, systems and servers they have, which makes it hard for them to deal with a security breach,” says Han of Grant Thornton. “Knowing what you have and understanding your environment is very important.”
Along with understanding what information you hold and where and how that information is stored, the practice of “good network hygiene” should be an ongoing effort.
“You need to evaluate [your network] and make sure the vitals are proper and consistent, and you need to understand changes to your network and how they can have a downstream effect on security,” says Barone, adding that security measures affect both people authorized to access the network and those authorized to access sensitive data.
Best practices from regulatory agencies and industry recommendations should be used to evaluate your network and assess what preventative steps need to be taken to avoid cyber attacks in three areas, says Barone: people, process and technology.
With the rapidly changing technology landscape, an assessment isn’t a one-time endeavor. Companies should commit to an annual risk assessment, he says, “benchmarking your environment to the standards out there.”
THE WEAKEST LINK
Cyber threats don’t always come in the form of malicious hackers hunched over computer screens in the dark, breaking into your network to steal or freeze your data. It’s all too common for well-intentioned employees to inadvertently put a company at risk.
“Human error is one of the top threats, accounting for one of the top concerns from an information securities disclosure standpoint,” Han says.
Schaer puts it even more bluntly. “Your weakest link in cybersecurity is sitting in your office: your employees,” he says. “Human negligence, general carelessness [and] the absence of training still continue to be the leading cause of breaches among businesses in North America. Having good, sound policies and practices around mobile devices—including phones, tablets and laptops—continues to be a great concern for businesses, because those are the areas where cybersecurity seems to fall down the fastest.”
Barone agrees, “People are susceptible to being tricked into either giving up information or installing malicious programs. When you compare it to the other two areas of risk— process and technology—people are the weakest link in the security arena, because their actions can override the security measures in place.”
So how does company leadership protect against negligence, or simple misjudgment?
“Companies tend to focus on technologies to prevent security breaches, but the No. 1 thing to do is to hire the right people,” says Han. “The most important thing is having the right people in the security field to conquer the threat, and you have to be vigilant about security discipline.”
Barone breaks it down into three steps. Train employees to increase information security awareness; test employees to maintain their diligence against attacks; and monitor employee activity “as a way to identify precursors of behavior that lead to attacks on networks and unauthorized access of the network by nonemployees,” he says.
RECOVERING FROM AN ATTACK
Taking steps to prevent a cyber attack is one piece of the puzzle. Just as important is detecting an attack when it happens and knowing how to react to the breach and recover your data.
“You need to invest in detection and response capabilities,” says Han. “Not only invest money in securing your network and protecting your servers, but also to understand what the threats are and have response procedures so that when something bad happens you can quickly react to it.”
Note the “when,” not “if.” Schaer warns you need to assume there will be a breach. “All businesses need to plan for a breach. It’s not a question of if, it’s a question of when,” he says. “Businesses large and small need to have a plan in place for how they’re going to respond to a data breach or ransomware incident or a ‘denial of service.’ If you do it at the time it happens, you’re way behind the eight ball.”
THE ROLE OF REGULATION
The President’s Commission on Enhancing National Cybersecurity released its final report earlier this month, calling for, among other recommendations, the establishment of an Ambassador for Cybersecurity position at the State Department to lead U.S. engagement with the international community, and the consolidation of cybersecurity and critical infrastructure protection functions under a single federal agency. The next administration can do with the recommendations as it sees fit.
Certain government-mandated protections around cybersecurity have already been in place for years, but new technology calls for updated regulations and enhanced enforcement. “What is established, what has always been the case, is the need to protect consumers’ and patients’ information, and the need to protect consumers’ credit card data,” Barone says. “The regulations out there are very clear; the expectations are clear.”
The regulatory landscape includes the Federal Trade Commission, which handles personally identifiable information, or PII, and the Office of Civil Rights (as well as the individual states), which deals with health information, including HIPAA. “We’re reading more and more about higher degrees of enforcement and fines for companies that fail to protect that information,” Barone says.
Han is seeing the same thing. Government regulations need to catch up to technology innovations and be more adaptive and forward-thinking, he says, but there has been movement in terms of auditing violations. “Regulatory bodies have become more aggressive in holding companies accountable for managing their risks,” he says. “The bad news is that the compliance costs will continue to increase, especially for the financial and health care sectors.”
But protecting “the internet in general” is the government’s responsibility, since it’s critical infrastructure, says Barone. “The goal is to make sure those companies that provide us critical services are protected. Our oil pipelines, refineries, electrical power stations, energy generation, water supply—all of those are tied to the internet now, and that’s where you’re going to see the government continue to put their focus.”
As with individual businesses, the goals are both prevention and preparedness—”making sure we have enough redundancy and robustness in any type of contingency plan to weather and survive an attack with minimal disruption to people’s daily lives and the economy,” Barone says.
Collaboration between the public and private sectors has far-reaching implications for cybersecurity, but the process of figuring out exactly how information should be shared is in its infancy.
“There’s now a consensus that we have got to develop a voluntary depository for sharing cyber incident data ... so we all understand what’s happening and when it’s happening,” Schaer says. “I think what we’re going to see is a more concerted effort by the federal government in order to have greater sharing.”
Schaer is also hoping for a comprehensive national data protection bill and national notification statute. “What we currently have is individual states that each have data privacy and notification laws, which is very cumbersome for businesses who are responding to a nationwide breach.”
Separate sets of laws mean that when a Philadelphia-based retailer who serves customers across the country experiences a payment card industry (PCI) breach, that retailer now needs to hire counsel across the country to advise on each individual state’s data privacy and notification regulations. Compare that with the European Union, Schaer says, where data privacy is a national issue. “We don’t have that in the U.S. We’re a sectorial approach. So the financial sector handles it one way, health care handles it another, retail and hospitality handle it another,” he says.
One bright spot is the beginning of information sharing within the private sector, even if it has a long way to go.
“I do think that regulation will continue to encourage information sharing, but it’s a very complex issue. People are hesitant,” Han says. “But there are private associations in the financial and health care sectors that focus on sharing information among themselves, and that’s a good starting point.”
Published (and copyrighted) in Philly Biz, Volume 1, Issue 12 (December, 2016).