A short list of concerns to consider after a breach.
A Clark School study at the University of Maryland states that there is a cyber-attack once every 39 seconds and that 1 in 3 Americans will be affected by a cyber-attack this year. Yes, these alarming statistics concern us all; it’s a sign of the times. As a business leader, it is your job to plan for any number of events, and a cyber-breach is a likely one.
The first step is to understand and admit that you have information to protect. You need to understand that your company DOES have information that criminals (the press likes to use ‘hackers’) want. Even if you don’t have healthcare information, credit cards, or social security numbers, you probably have customer lists, e-mail addresses, and business partners that can be exploited. The result of getting access to your data can be stolen funds, access to partner systems, or even blackmail. If any of those things happen because of a breach in your systems, your customers will want to know what you are doing about it. Quick, efficient damage control is key. If you don’t have a plan, your reputation and trustworthiness could be irrevocably damaged.
Respond Quickly and Directly
We have all heard the phrase, ‘Get ahead of the story’. Social media ensures that negative news will travel around the world in the blink of an eye. After a breach, you have a limited amount of time to respond. The last thing you want is for your clients to be talking about something you don’t know about. Of course, a knee-jerk response may not be helpful either if you don’t have a plan in place. Think about what could happen and plan a response that would fit the type of breach. It’s far better to have a template than to have nothing. If you don’t have a cyber-response plan, put one together now.
Customers are more likely to complain than praise and 90% of potential customers will research you before purchasing. So it’s important to address issues directly, both publicly and privately, to minimize the impact of a social media black-eye. Not only will it cool off the individual but also show that the company responds to customers.
Find the Problem and Develop the Solution
Ok, you had a breach. Whether the breach was a result of human error, phishing, or a design flaw, there is something that needs to be addressed. Find it! You don’t have much time to find what happened, often because customers will be demanding it. Don’t just grasp at straws, figure it out. If you don’t have resources in-house that can help, there are plenty of resources you can bring in. Keep in mind that law enforcement can prove to be a resource for you as well. It may be very helpful to know of similar attacks and how they were resolved.
When to Go Public
If the breach isn’t already public, consider taking it public. You may take a reputational hit in the beginning but with a breach every 39 seconds, you’re likely to be forgotten before very long. Additionally, it is far worse to be found covering up a breach than to have made it public ASAP.
Keep in mind that there are notification rules in many states. You must, and probably should, notify all individuals that had information compromised. In California, a breach of information for over 500 Californians must be made public. New York has a similar provision for 5,000. GDPR (in Europe) and CCPA (in California) also contain notification requirements, templates, and timelines.
Take this opportunity to market how your company will prevent this from happening again. Increased staff, technology, and even new procedures will help assure the customers (and public) that your company is on top of the situation. Consider setting up an information line for phone and e-mail questions.
Now Move Forward
Security breaches are a risk to business but don’t need to be catastrophic. Every setback is also an opportunity for improvement, and the better your company is at responding to a breach, the better it will look in the marketplace. The fact is, if you survived the breach, the company is likely a lot stronger and better equipped now, possibly more than the competition is. Using improvements and lessons learned in marketing is a great way to set your company apart from your competitors.
Paul Bergman is vice president of Tracc Development, Inc., where he drives cybersecurity engagements for enterprise and government clients, such as Cisco Systems, Panasonic, US Navy, ROAM IT, and Kryptos Logic.
You may not know about the EMOTET malware, but you should. This malware started as a banking trojan that would steal passwords and accounts from users. However, this report from Kryptos Logic shows that the malware has now added exfiltration to the list of things it can do.
Why is that bad?
Exfiltration is the act of stealing your data. It is one thing to steal account numbers and passwords but quite another to steal all your data. You can change passwords and close accounts, but the theft of your most sensitive data may not be as easy to recover from! Imagine your data on patient records or the credit card information of all your customers. That could certainly be a lot harder to recover from!
A strong cyber-security posture involves many overlapping systems. Each system relies on the other systems for added strength but can also stand alone. Often the deployment of a full set of Critical Security Controls (CSC) is an expensive and time-consuming undertaking.
What can an IT manager with a limited budget and manpower do?
For a moment, I’ll neglect the obvious firewall and user training components. Below is my priority list for first steps in securing your company infrastructure:
1. Application whitelisting
2. Use of standard, secure system configurations
3. Patch application software
4. Patch system software
5. Reduced number of users with administrative privileges
Need help? Tracc Development, Inc. will work with you to develop a strategy to achieve a stronger cyber-security posture.
According to a recent article in The Hill by Morgan Chalfant, “…roughly three-quarters of business owners said that they believe their businesses are unlikely to be affected by a cyber-attack.”
This begs the question: Why do you think that way?
We fly under the radar
It takes about an hour to scan all Internet addresses. All 3.7 billion of them! So, assuming there are only 3600 hackers out there (trust me, there are more) that means you will be found in a matter of seconds! Obscurity is not really a great defensive strategy.
We don’t have any useful information
I hear this one a lot and usually it’s not true. Did you know that California has stricter notification requirements than the federal government? Some organizations have legal reporting requirements if name, address, and phone number are compromised. Do you have a client or customer list anywhere? Do you keep credit card information for customers?
We use SaaS providers so security is their problem.
First of all, there are security holes in some of the largest cloud-based solutions out there, and an analysis of risk for each tool is a subject for future articles. The fact is that user behavior is probably your biggest weak point. How well is your staff trained; how often? An analysis of a common cloud-based file share showed that over 15% of files in the cloud contained sensitive information like credit cards, company salary information, password files, etc.
Cyber-security is a serious problem that requires serious attention from business leaders. If you think you have good security, find a cyber-security expert to come in and test things. You will likely be surprised (and probably embarrassed) by what they find.
These sorts of initiatives are very helpful. Many of the nation's key industries have industry-specific groups like this that are very helpful. I'm following this to see if it turns into something that small to mid-sized businesses can benefit from.