Autopsy of a Cyber Nightmare: How to Protect Your Business
It’s Sunday afternoon. You’re watching football with friends. Or, maybe you’re at a family party. Meanwhile, somewhere in a rack of servers at your business, there is a fan, screaming like a banshee. It’s been whirring away at top speed, 24 hours a day, for a week. Until someone notices it, it’s going to keep doing just that. But why?
Here’s the bad news: You’ve been hacked, and internet crooks are using your network to mine cryptocurrency. Cryptocurrency, such as Bitcoin, builds untraceable transactions using computer power from around the world; the people who supply that power — in this case, your hacker — get paid for doing so.
Whether the next piece of news is simply bad or really, really bad depends on how well you’ve prepared for this moment. And that — defending against cybercrime and dealing with its potential fallout — was the focus at a PSA Partnership event, hosted by PSA’s Cyber Risk Solutions Practice leader Mike Volk.
Don’t get tricked
“Data security has to be part of your corporate culture,” said panelist Howard Feldman, a partner at Whiteford, Taylor & Preston LLP. The notion that cybersecurity is just an IT issue is outdated, Feldman explained; it’s a corporate governance issue. Today, securing your networks and data requires a major, ongoing commitment from the leadership at your company.
Even the idea of completely securing your operation against cybercrime has become something of a fiction, according to panelist Christopher Ensey, COO of Riot Blockchain (former COO of Dunbar Security Solutions). “Let’s get to best probable outcomes — that’s the world that we’re in. Disruptions can be dire, they can change the way you interact with your clients.”
Panelist Jason Briody, Director of Forensic Services at Atlantic Data Forensics, Inc., explained the risks further when he listed the different types of costs associated with his work. Computer forensics experts essentially play detective on your network after you’ve been hacked — they figure out how the hackers got in, what damage was done, and how to clean up your systems and get you back up and running. A business that practices good cybersecurity and has a plan in place for how to deal with an attack might pay $5,000 or $6,000 for forensics and cleanup. A business that’s unprepared and hasn’t kept up to date with the changing cyber landscape — this is where the “cyber nightmare” comes in — could easily spend $25,000 to $100,000.
When a cybersecurity nightmare strikes, and how to avoid one
The first thing you should do when you realize you’ve been hacked is disconnect the infected computer from the network and quarantine it. This may sound counterintuitive, but the experts explained it’s best to direct everyone, including your IT staff, to stay away from the infected computer.
Then call your lawyer; doing so puts your communications under attorney-client privilege, Feldman explained. In addition, laws and regulations differ from state to state, so you could face a long list of requirements for how to notify your customers of the breach. Next, call a computer forensics expert, who will know best how to find the problem and restore your network. If you have cyber insurance, coordinate with your insurance agent as early as possible so that you follow the carrier’s required process and your incident response expenses can be covered.
However, it’s better to place all those calls before a hack happens. To prepare, here are the conversations you should have:
- An early call to your lawyer will help you better understand the risks associated with the data you collect and store. There are different legal, regulatory, and contractual requirements, for instance, associated with Social Security numbers, HIPAA data, and credit card information.
- An early call to a computer forensics and/or IT security firm will help you get up to date on cybersecurity best practices, identify vulnerabilities in your systems, and get started on crafting a cyber-response plan that makes sense for your business.
- An early call to your insurance agent will help you find a cyber policy that works. Unlike other insurance markets, such as auto or homeowners, that have been around for a long time, cyber insurance is still new. And because of that, plans vary greatly — in terms of quality, breadth of coverage, and cost — from one carrier to another.
Practical tips for IT security
What can you do to put your company at lower risk for cyber-attacks? Here are some easy-to-implement tips from the panel:
- Phishing training. “Most data security incidents are people problems,” noted Feldman. Make sure all your employees are up to date on what modern email phishing campaigns look like — today’s cyber criminals are savvier than the Nigerian prince spiel. Phishing campaigns have become increasingly good at looking like legitimate emails. Make sure your employees know that any email that contains a link that then prompts them to enter personal information is probably bad news.
- Password management. Make sure you use different passwords for your network and your other systems. For example, don’t use the same password for website management and internal HR data management. Similarly, only employees who really need it should have access to each individual component of the overall system.
- Use multi-factor authentication. This method is free and easy, and our experts stressed its utility. It means having a standard user name and password, but then adding a further step, like having a text sent to your phone with an extra code to enter.
- Purge old data. Why hold onto old credit card data from customers or old personal information on employees who have long since moved on? Getting rid of this unused data will help lower your risks.
- Use cloud services. Microsoft, Google, Salesforce, and Amazon all have better security than most companies.
- Use an offsite backup with versioning enabled. Having an offsite backup that maintains versions allows a forensics expert to restore your system much faster in the event of a hack.
Surfing the dark web
The bottom line to all of this? It has become easier and easier for hackers to make money off of you. All they need is a foothold in your network, and they can sell whatever they find — whether that’s specific data or passwords — or simply use your network to process nefarious activity. “They’re after everything, really,” Briody said. “If you’re not doing vulnerability scans of your own network, I guarantee someone else is doing it for you.”
Don’t miss the next PSA Partnership event, The Circle Blueprint, on March 27, 2018. Author Dr. Jack Skeen will discuss how to create engaged, productive employees to reduce drama and minimize turnover.