Headlines involving computer hacking, data breaches, and computer security issues have become commonplace. Companies such as Trump Hotel Collection in Las Vegas, Target, Ashley Madison, Home Depot, Comcast, Neiman Marcus, Wyndham Worldwide, and Sony Pictures all suffered recent high profile intrusions of their computer systems, and as a result spent well over $100 million in investigatory fees, fines, legal settlements, mandatory legal notifications, attorneys’ fees, public relations costs, and a multitude of other issues.
High-profile stories reported on by the national news media represent a small fraction of the total problem, however, and such incidents are only increasing. According to a September 2014 report from the Ponemon Institute, 43 percent of companies experienced a data breach in the previous year. Of those companies, 60 percent suffered more than one data breach in the preceding two years.
This trend will continue to increase, as companies become even more interconnected and reliant on computer systems. As reported recently in a paper from the Wharton School of Business:
A multitude of companies of different sizes and across sectors incur losses as a result of this crime. According to the Identity Theft Resource Center, a nonprofit research and education group that aids cyber-crime victims, at least 441 U.S. companies, government agencies, and other institutions reported material breaches to their computer networks during the first three quarters of 2013. This figure likely underestimates the real magnitude of the crime. As Michael Levy, chief of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania, notes, ‘[c]ompanies often don’t know that they have been victims of cyber attacks, and if they do know it, they are reluctant to disclose such intrusions because they fear this might damage their reputations or cause them to lose their shareholders’ confidence.
In sum, as the PCI Security Standards Council wrote earlier this year: “For any organization connected to the internet, it is not a question of if but when their business will be under attack….”
Companies Need To Be Wary Of A Multitude Of External And Internal Threats
Breaches of computer systems can occur in a multitude of different ways. Most commonly they occur in one of three ways:
• Malicious or criminal attack
• System glitch
• Human error
The first category, malicious and criminal attacks, tends to generate many of the headlines in the news media. For example, the Ashley Madison hack was conducted by a group of hackers known as the Impact Team. Although it is not yet known exactly how the Impact Team was able to breach Ashley’s Madison’s security, the hackers stole large amounts of data without Ashley Madison realizing its security had been breached. Ashley Madison appears to have first become aware of the hack when the Impact Team publicly demanded that Ashley Madison take down its site, as well as another site it owned.
What is now known is that despite promising its users confidentiality and robust security, Ashley Madison failed to follow through. As the Digital Guardian recently reported:
A blog post from a cracking group called CynoSure Prime exposes that Ashley Madison failed to use a robust encryption strategy for its user passwords, allowing the group to crack over 11MM passwords in just 10 days.
One popular problem that has arisen in recent years is “ransomware.” Hackers gain access to a system either directly or indirectly – for example, by convincing someone to open an innocuous looking email and click on a link. Software then encrypts files, which cannot be accessed until the hacker provides a decryption key, which requires the payment of a ransom. The software used by such hackers is frequently so good that even the FBI advises some companies to pay the ransom in order to get their data back. As recently reported by The Security Ledger:
The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.
‘The ransomware is that good,’ said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. ‘To be honest, we often advise people just to pay the ransom.’
Companies need to keep in mind, however, that although criminal hacker groups are often the first to jump to mind when potential threats are considered, malicious attacks frequently do not come from outside sources. For example, in January 2014 more than 20 million South Koreans, 40 percent of the country’s total population, had personal data such as identification numbers, addresses, and credit card numbers stolen. The breach came from the Korea Credit Bureau, which provides credit scores to banks and other credit card issuers. The data was copied by an employee to an external drive for more than a year without anyone’s knowledge.
In fact, Michael Bruemmer, vice president of the credit information company Experian’s data breach resolution group, recently explained in a USA Today article that although “shadowy hackers in Eastern Europe often get the blame” for hacking attacks, “more than 80 percent of the breaches” his company works with “had a root cause in employee negligence.” The problems of employee negligence cannot be overstated. For example, can employees use passwords such as “password” or “123456?” Although it seems commonsense that no one in this day and age would do so, thousands of Ashley Madison users used each of those passwords. Also, how careful are employees trained to be about clicking on links in external emails?
Similarly, what kinds of financial controls does your company maintain? Imagine the following scenario, which has successfully been used on more than one unsuspecting company. A hacker infiltrates a company’s computer system and gains access to the calendar and email account of a company’s CEO. The hacker then picks a Friday when the executive is traveling, and sends an email from the CEO’s account to the accounting department directing that it is critical that a large wire transfer be sent that day to a specific account to keep a large project going. By the time the company discovers that the wire should never have been sent, the money has been forwarded to one or more offshore accounts in places like Jersey, Guernsey, the Isle of Man, or the Seychelles, and cannot be recovered.
Companies also need to keep in mind that not all attacks are financially motivated. For example, the Ashley Madison attack appears to be an example of “hacktivism,” in which the hackers are trying to make a social or political statement:
The Ashley Madison hack was not a random hit. It was what is known as hacktivist vigilantism. The hacking group purposely targeted the site because they profit “off the pain of others,” the stated reason for the group’s attack on the site. Ashley Madison, no doubt, took a public approach to a semi-taboo subject (adultery) in American society, and arguably courted controversy as part of their marketing scheme. Unfortunately, no matter what your business is, there is probably someone that doesn’t like what you do or represent (e.g., oil companies, Planned Parenthood clinics, medical research facilities, Microsoft, Sony, defense contractors, all the way to innocuous companies whose management has taken a public stance that has angered others) and is willing to go to some lengths to embarrass or attempt to undermine or destroy your business.
In that vein, companies need to consider threats such as denial of service attacks, in which hackers take control of large numbers of computers and use them to, for example, send so much email traffic to a company that its system is unable to keep up and crashes. Such attacks are bad enough on a routine day, but what if one occurred on a day when a company needed to upload its bid on a controversial public project such as a power plant or a military base?
Data Breaches Can Cause Problems For Years
As touched on above, the kinds of problems a hack can cause are widespread. Aside from the obvious short-term problems caused by a computer system becoming temporarily unusable, problems can persist for years to come. For example, more sophisticated hackers from Eastern Europe and other places, many of whom are affiliated with organized crime, will steal personal information about system users or employees and hold on to it for a year or more before using it for additional wrongdoing or selling it to others.
Similarly, the Ashley Madison hackers released portions of Ashley Madison’s source code, which means that other hackers can now study it at their leisure and attempt to find additional security vulnerabilities. As with personal information, source code or simply an explanation of how a successful hack took place can be sold to third parties for future use.
Companies that lose personal information about users or employees also have to send out legally mandated notifications. Currently, 47 states have mandatory disclosure requirements, almost none of which are the same. Moreover, the required form that needs to be used is generally governed by the residence of the affected individual, not where the breach took place. Thus, if a company has a breach involving employees living in 25 states, it should be assumed that many different kinds of notices will need to be sent to different groups of employees.
Data breaches may also affect security clearances for government projects, customer confidence, employee morale, and a host of other issues.
Have A Data Breach Plan
Given the reliance most businesses place on their computer systems, it has become critical that companies create and update response plans for data breaches. Although not intended to be comprehensive, the following list contains items that all companies should be thinking about:
• Has your system been tested for vulnerabilities? Do you know how difficult it would be to hack into your system, or for someone to gain physical access?
• Do you provide any employee training on using strong passwords; periodically updating passwords; knowing how to spot potential phishing emails; and the necessity of keeping USB drives, cell phones, and laptops secure?
• Is your system sufficiently backed up? If necessary, for example, in the event ransomware infects your system, could you simply delete the affected files and replace them in a few hours? And is your backup stored such that it is itself vulnerable to hacks?
• Do you monitor who is downloading what data? Do you have an employee downloading excessive amounts of files, especially one who might have been passed over for a promotion or who has resigned and is merely closing out a few final tasks before leaving?
• Do you have cyber insurance? Policies have become commonplace, and companies should strongly consider speaking to their current broker about such a policy or even consulting a specialty broker about adding and regularly updating coverage. If you do have coverage, who is your point of contact at the insurer to report a breach?
• Do you have a designated law enforcement contact, for example at the FBI, in the event of a data breach?
• Do you have a public relations policy established in the event of a data breach? What will you do if, for example, someone publicly announces they have hacked your site and will begin releasing sensitive company information in the event you do not withdraw from consideration of and publicly condemn a lucrative project? Who is responsible for speaking to the press?
• In the event you lose sensitive information about your employees or customers, such as addresses and social security numbers, who is going to send out the legally required notices?
Computer systems have revolutionized the way business is done. Although they bring benefits such as increased productivity and connectivity, they also come with a variety of new and ever changing risks. Businesses need to be aware of such risks, and be proactive in implementing plans to address the potential day when a hack or other similar problem occurs.