Greg Kelley recalled how a large Ohio finance company not only suffered the heavy costs and disruption in business from a major hack of its systems, but a damaged reputation that led to the exodus of its largest client.
Kelley is the chief technology officer at Medina’s Vestige Ltd., a digital forensic investigator and cybersecurity consulting firm that works with companies on protection proactively and helps them deal with breaches once they occur.
He noted how the client in his example didn’t necessarily have 100% of its sensitive information — like employee-identifying personal data and tax information — exposed in the hack.
Yet, the damage in reputation was enough for the firm’s most lucrative client to walk out the door.
Those risks could have been better protected against. Yet cybercrime is so common and pervasive, with major breaches reported so frequently, that observers easily forget one when the next hits a few weeks later.
Some of the most high-profile cases have involved major companies, like banks and retailers. But the reality is, every business is a potential target, no matter the size or industry — even though those in some sectors seem to lag a bit more than others.
And while cybercrime becomes increasingly common, companies are, bafflingly, well behind in protecting themselves with proper software safeguards, training of employees to prevent hacks or even covering themselves with effective cyber-focused insurance policies.
“People do lag in cybersecurity. There’s no question,” Kelley said. “They usually think they’re not a target. They see the stats, they see the articles. Yet companies like to differentiate themselves, so they think: We’re different from company ABC. Or they think they’re too small or have nothing of importance. That thinking is causing problems.
“What they don’t realize is that they all have something important,” he added. “And just by being connected to the internet, you’re a target.”
‘Everyone is a target’
The world of cybercrime is akin to criminals walking in droves up and down neighborhood streets, Kelley said, jiggling doorknobs at each house to see which are loose. In this scenario, doors are IP addresses.
When it comes to cybersecurity, experts say business people tend to believe they’re less likely to be negatively impacted by something that’s clearly affecting others. In psychology, it’s a phenomenon known as optimism bias.
In many cases, company execs realize they could be targets, but just aren’t doing anything about it, convinced those worst-case scenarios — like suffering a costly hack that causes a major client to flee — aren’t going to hit them.
Or they just don’t know how to go about it.
“Although cyber risk has been tagged uniformly as a top-of-mind issue for boards of directors in recent surveys, many directors do not know how to approach the problem, and many manufacturing companies think cyber risk does not apply to them because they do not handle consumer data,” said Frances Goins, co-chair of the data privacy and information security practice at Ulmer & Berne LLP, who works with some of Northeast Ohio’s largest companies, particularly manufacturers.
She pointed out how the high-profile Target breach involved data that was actually taken through a breach of an HVAC vendor of the retail giant.
“Everyone is a target on this stuff,” she said. “You’re pulling the blanket over your head if you think you’re not.”
Indeed, the business world recognizes there’s an issue here.
But it’s not doing a great job of addressing it.
According to a May report by FICO, an analytics software company, 99% of companies surveyed across the globe expect cybercrime to either increase or remain at current levels. The same share said they expect to spend more or the same on cybersecurity. Yet only 20% said they have comprehensive cyber insurance that would protect against all risks.
At a June event hosted by the Association for Corporate Growth and the National Center for the Middle Market, Israel Martinez, CEO and chairman of consulting firm Axon Global, said 60% of small businesses that come under a cyberattack close in three months.
The notion a company is small potatoes next to Chase Bank or Walmart and therefore not a target of hackers is a fallacy. In fact, small companies — which naturally have fewer resources to invest in cyber research and protection anyway — are low-hanging fruit for hackers, said Ian Friedman, a cyber expert with Friedman & Nemecek LLC who also teaches cybercrime as an adjunct professor at Cleveland–Marshall College of Law.
“Companies will say, well, these guys are going after the Targets and big box stores, they won’t go after a little guy like me,” he said. “That’s just not true. A lot of small companies are breached because they have no real protection lines. Companies play the odds that they won’t be hit. Or they do the bare minimum, putting up anti-virus software but doing nothing to really protect their system.”
While Friedman and other experts say companies are exposed across the board — not just hospitals and banks and retailers with sensitive data that tend to come to mind — there are some industries that seem to lag more than others.
Recipe for disaster
Manufacturers have trade secrets, yet small shops are likely to worry less about cyber breaches.
Accounting firms have troves of data, and Kelley said one of the most common breaches he has seen in Ohio recently involves CPA firms having information stolen so hackers can file bogus tax returns.
Those are two sectors increasingly facing attacks.
And then there are law firms, which, these experts say, seem particularly susceptible.
Notably, U.K.-based big-law firm DLA Piper in late June suffered a major ransomware attack that compromised virtually every attorney, along with sensitive client data and case information. The attack prevented lawyers from accessing documents, shut down office phones and computers, and stands to cost the firm millions, according to its insurance broker, as reported by The American Lawyer.
“I’ve actually been seeing signs lately that law firms are catching up when it comes to cyber. Some are realizing they’re targets. Others are seeing pressure from clients,” Kelley said. “But they tend to lag behind in technology in general, and that’s what’s led them to be behind in cybersecurity.”
While difficult to quantify, as each attack varies, Kelley said even a small company in any given industry could be looking at costs of at least $100,000 just for response and remediation after a breach — and that doesn’t account for the new cyber protections the firm will likely procure afterward. Goins said she sees reports indicating the average cost of a cyberattack is around $200,000.
And by the time a breach has been discovered, it’s likely a hacker has already been farming data for months. Kelley said the national average for the time a company has been exposed to a hack before the breach is noticed, or the hacker confronts the business, is between seven and eight months.
In Cleveland, he said, in Vestige’s experience, that’s more like nine to 15 months.
Companies can buy cyber insurance that’s becoming more comprehensive — past critiques of those insurance products have centered on them not fully covering a company after a breach, Goins said, and insurers have been “playing catchup.”
Other cybercrime prevention best practices include educating employees on how to avoid breaches caused by things like phishing scams, and testing the cyber protections already in place. Oftentimes a breach is caused by software that’s simply out of date, Goins said.
But while those options are out there, many are simply choosing to continue rolling the dice and playing the odds, figuring they won’t be hacked and cybersecurity, therefore, isn’t a necessary expense.
But that perspective could be setting a business up for disaster.
“Nothing is impenetrable. Even the federal government is breached constantly. So there is no expectation people are going to be absolutely intrusion-proof,” Friedman said. “But they need to protect themselves. And if they’re later sued, they need to be able to say they did everything they could do. You have to give this constant attention.”
“Five years ago, people went and got the basic box software from Best Buy, and that was the end of it,” he added. “Those days are long gone.”
Article from Crain’s Cleveland Business
By Jeremy Nobile