The CEO of a regional retail chain is preparing for his board meeting. His cell rings with an urgent call from his accounting firm’s partner. The chain’s customer data and the customers’ credit card information are for sale on a website used by Russian hackers.
What to Do Now?
Call the police. Call the Board. Call IT. Contact customers. Contact the press. Contact shareholders. Contact employees. Re-read the cyber attack response plan. Racing through the CEO’s mind will be a complex matrix of responsibilities and liabilities for the company, the customers, his staff and the board.
The first question he will be asked is “what will you do about your customers’ private data?” The second question will be “what did you do to prevent the attack from happening?”
Most companies of any size and many smaller ones have been penetrated by cyber-attacks – and may not know it. For today’s company, the operating assumption must be:
- We must prepare defenses against attack
- We will be attacked
- Our defenses will be breached to some degree
- A breach reaction plan must be in place
Target had credit card data of 40 million customers stolen. North Korea stole movies and confidential communications from Sony Pictures because the government did not like its portrayal in the movie The Interview. Russian operatives stole personnel files from the US Office of Personnel Management for 18 million current and former federal employees.
These mega cyber breaches are in the headlines. But cyber-attacks are an everyday – and largely unreported – reality for virtually every company in the US and much of the world. Phishing attacks are pervasive. The Better Business Bureau recently broadcast a warning to small businesses against opening an email with the Subject: QuickBooks Support: Change Request. The link in the email downloads malware giving hackers full access to the company’s network including passwords.
Target lost customer credit card data because an HVAC contractor in Pennsylvania was attacked by malware. The contractor was maintaining Target’s heating and cooling systems. Using the malware, the hackers stole the contractor’s password for access to the Target network. Once inside – because they were using a bona fide password – there were no barriers to the hackers getting access to highly confidential customer information.
Symantec reports that half of all large companies have significant breaches each year and one quarter of smaller companies are breached. The cost of responding to each of these breaches is about $15 million for larger companies and $4 million for medium-size companies according to the Ponemon Institute. Small business costs are about $700,000 per incident. These costs force 60% of smaller companies that are attacked to close.
Theft of physical assets, embezzlement and shoplifting have always been business realities. Cyber threats challenge a company across new dimensions – loss of IP, loss of private customer information, loss of private employee data, and possible violations of data protection regulations. The consequence of these data losses is loss of reputation, customer confidence and brand value.
The movement towards open platforms across the company and widely shared data combined with connecting personal devices – phones and tablets – to the company network increases transparency and productivity. But these trends also make the network much more vulnerable.
The primary assets of corporations today are often digitized financial assets and IP (intellectual property). A recent study estimated that 80% of the total value of Fortune 500 companies is IP and other intangibles. Many of these assets are vulnerable to cyber theft and diminished customer acceptance and brand value after a breach. Verizon’s purchase price for Yahoo was reduced by $350 million after its massive data loss. Companies are responsible for protecting private information under their control – patient data, personal data, customer financial information, customer credit cards, etc. Failure to protect this information exposes the company and in some cases board directors and officers to financial liabilities.
For most organizations, their single largest vulnerability (43%) is disgruntled current employees who will sell data to other hackers or take the data or IP to their next employer or to a foreign government. Of outside breaches, Ponemon estimates that the entry point for almost half are vendors to the company and outside contractors.
Attackers from outside the organization include many individuals in the US and abroad. These are a problem but they are not as dangerous as organized or sponsored attackers. Theft of digital information using sophisticated technology and long term persistence is mostly undertaken by:
- Criminal gangs in Russia and Eastern Europe
– Selling the data on the black market
- Chinese government organizations
– Capturing IP for domestic use
Prepare to be Attacked
Start with the assumption that you will be attacked. You probably have been attacked and perhaps penetrated. Every company has a different risk profile, but start with these questions:
1. What is authentically important to protect?
– focus on data – customer, financial, IP
– operating systems are less important
2. What are the channels of vulnerability?
– employee connections to the internet, vendor access to the company network, vendor add-ons to systems and equipment, stolen laptops, etc.
3. Isolate valuable assets on high-security networks separated from other networks
– only accessible by company approved devices
– only accessible by employees approved for access
– ensure monitoring systems are in place to detect attacks and breaches
– monitored for cyber breaches in real time
– larger companies should engage consultants to attack their defenses and find vulnerabilities
4. Backup data, so critical systems can be brought back online after attack
– keep software on networks, workstations, and desktops current with cyber protection updates
– consider advantages and liabilities of putting data in the cloud
5. Prepare employees to protect the company’s network and assets
– training, awareness, scouts for danger
6. Plan for when an attack occurs
– Who is notified?
– Who decides next steps?
– Who speaks for the company – What do they say?
Defending against cyber-attacks is a difficult challenge. There is no simple solution. With persistence, bad actors can get access to the company’s systems and assets – through the company’s online presence, thumb drives picked up in the parking lot, employee emails and connections to the internet, service contractors’ links into the company, subcontractor components connected to the company’s network, stolen laptops and theft by faithless employees. Building appropriate defenses is technically difficult, and there are many non-obvious pathways into and out of the company.
Too often, cyber security is seen as a specialized technical issue to be managed by the IT department. The potential for financial losses and reputational losses from cyber-attacks is so large that delegating cyber defense strategy to the IT department is no longer a viable or responsible approach. Every part of the organization – from the board room to the shipping room – has a role in defending the company.
Response to an Attack
In some cases, information is stolen and the company does not know about it. In time, the company may learn that data for sale on the internet came from an earlier breach. In other cases, the hackers will freeze the company’s network and demand a ransom to unlock it.
After a breach is discovered or a denial of service attack is underway, the primary considerations for the company leadership are:
- minimize further damage to customers, employees or patients whose private information was released
- restore company operations
- discover the source of the breach and close it
- inform law enforcement – FBI, state attorney general, SEC
- speak with one voice to the public, customers, employees and investors
The reality of today’s world is that an attacked company must discover how the bad guys broke in and close the breach. But the company cannot be fully open about the results of the investigation. Plaintiff attorneys will use this information to claim that the company had not reasonably protected the compromised data. The contention will be that the company should have anticipated the attack and prepared adequate defenses to safeguard the private data. Compliance with Federal and state requirements for an Information Security Plan covering the data inventory, security for the data and data disposal will be questioned.
The leadership of an attacked organization must launch both public and private responses immediately. Legal, ethical and public expectations are high. Without a plan in place before the attack, the chances are high for missteps, misstatements and higher legal, financial liabilities and reputational losses.
Steps you can Take
Most companies today are under-protected and don’t understand their real vulnerabilities. As the CEO or a board member, here are steps you can take to limit cyber risks and reduce their financial and reputational damage.
- For most companies, cyber security is an important corporate risk management issue. Core funding and priority decisions should be made at the board and CEO level.
- Create a risk profile of high value assets and their vulnerability to cyber theft. Develop a plan to manage these specific risks – avoid, accept, mitigate or transfer through insurance.
- The board and other senior leaders, not just the IT department, should periodically review the adequacy of defenses, employee training and real-time monitoring with the assistance of inside and outside cyber security experts.
- Ask if cyber defenses are adequate and if outside testing is needed. If the answers are Yes and No – Red Flag!
- Be certain Federal and state requirements are followed for an Information Security Program and an Incident Response Plan. A Security Programs Team Leader may also be required.
- Develop a culture of cyber awareness through training and messaging about the role of every employee in defending the organization.
- Theft by employees is the largest loss category. Culture, monitoring the network, isolation of assets and manager/team surveillance are the best defenses.
- Prepare your team for the breach: who decides, and who speaks.
As a board member, I am expected to ask company leaders whether they have put in place policies and procedures that protect the company, its employees, its customers and its assets against cyber-attack. But my real responsibility is to be sure these procedures actually.