“Crack the Code”: Area businesses find data-breach response plans vital in today’s world of cyber attacks.
These days, it’s not a question of if scammers will try to hack your business. It’s when.
And like any criminal, they’ll look for an unlocked door … say, an employee who uses the same computer to do financial transactions and monitor email. Or one who brings a personal cellphone into the workplace, emails files to his home computer, or gives his kid a jump drive he’s used for business to do a school project.
It could even be through someone you do business with, lax on computer security because he doesn’t have anything scammers would want to target — except, perhaps, a customer who does.
Or maybe it won’t be an accident: Maybe an employee finds out her job is going to be eliminated and decides to take your information with her when she leaves, purges crucial data or sabotages your servers. Maybe one of them is a would-be entrepreneur who just wants to jump-start his own business by stealing yours.
“There’s been a lot going on nationally for quite some time, but we didn’t see it in this region,” said Kay Casto & Chaney attorney Christian Capece. “Then the U.S. Attorney for the Southern District of West Virginia prosecuted two cases this summer — one involved a disgruntled employee who decided to use his access to information to damage the company, the other involved someone who wasn’t an employee putting a key stroke logger on a computer.
“We saw it as a red flag that these issues were starting to creep into smaller, regional companies, and we needed to be up to speed on that here in West Virginia.”
Capece, along with Kay Casto’s Shannon Smith and John Hoblitzell, co-founded their firm’s new Data Privacy and Cyber Security practice group, helping clients develop a data-breach response plan to help mitigate the impact of cyber attacks.
“(What happens) if it’s Monday morning and you open up a computer message that says, ‘Hahaha, I just took 50,000 of your customer names and used them to open up credit card accounts,’” Capece said. “What are you, the business owner, going to do if you haven’t prepared for something like that happening?
“Before it does, you need to figure out what you’ll do, how you’ll respond, what steps you’ll take, because if you mishandle the situation it could have serious repercussions.”
Compounding the problem is the lack of a uniform reporting requirement. Because there’s no clear-cut national policy, each state sets its own rules.
“They’re a hodgepodge,” Capece said. “Notification requirements vary and they can be very expensive. If you have 50,000 customers and it turns out their credit card information was stolen, that’s 50,000 letters you have to send out. Sometimes you have to offer them one year of credit monitoring — that’s expensive when you multiply it out.
“Those are some of the hard costs, the quantifiable costs, but what about the cost to your reputation? Who’s going to want to do business with you?”
Breaches, fallout escalate
No one, it seems, is immune.
- Former Clay County Sheriff Miles J. Slack pleaded guilty in federal court in September to illegal wiretapping after he installed a keystroke logger on his estranged wife’s work computer. She was a magistrate court clerk. The computer belonged to the Supreme Court of Appeals of West Virginia and the program intercepted all communications on her computer for nearly two weeks before it was detected.
- Three months ago, Ricky Joe Mitchell, a 34-year-old network engineer at EnerVest in Charleston, admitted he sabotaged the company’s computer system after he found out he was going to be fired. He remotely accessed EnerVest’s system and reset the network servers to factory settings, erased backup information and disabled a data replication process designed to transmit backup data offsite. He also deleted the company’s phone system accounts, extensions and accounting data, leaving EnerVest virtually helpless for about 30 days. U.S. Attorney Booth Goodwin pegged the financial fallout from EnerVest’s breach at more than $1 million.
- Hackers got their hands on 40,000-plus debit and credit card numbers from more than one million shoppers at retail giant Target through a security breach discovered just before Christmas. By Feb. 1 the company had already spent $61 million trying to fix its problems, with analysts warning Target alone could end up spending close to $500 million while the ripple effect of the breach — the costs incurred by banks, consumers and others — could run into billions of dollars. The thieves gained access to the sensitive information by hacking one of Target’s third-party vendors, an HVAC company in the Pittsburgh area.
- Debit and credit card information for nearly 3 million Michael’s customers was exposed to hackers during an eight-month security breach at more than 1,100 of the chain’s craft stores nationwide, while another 400,000 customers at its Aaron Brothers affiliate were similarly exposed. Among other things, the chain hired a pair of independent security firms to do an internal investigation.
- Earlier this month, Virginia-based Deltek notified about 80,000 employees of federal contractors they were at risk of identity theft after a hacker broke into the research firm’s GovWin IQ system. The hacker allegedly obtained GovWin IQ usernames, passwords and, potentially, credit card information for about 31 percent of the 80,000 employees whose information was exposed. An arrest has been made.
- Credit and debit card information was hacked from food and beverage outlets at 14 hotels White Lodging manages for hotel industry heavyweights like Marriott, Holiday Inn, Sheraton, Westin, Renaissance and Radisson.
Global Payments, Yahoo, eHarmony and Zappos have all fallen victim to hacks, as have high profile aerospace and defense contractors like Lockheed Martin, L-3 Communications and Northrop Grumman. Most federal agencies — including the FBI, the U.S. Department of Defense and the State Department — have been hit as well.
“It used to be organizations that thought they had valuable information and were aware they could be targeted would take precautions,” said Blase Janov of Medina, Ohio-based Vestige, a company specializing in digital forensics, electronic evidence, audit and assurance. “But now, everyone is a target. It’s more the ease of entry to the information than just the information itself.”
And for every cyber security breach that makes headlines, “there are multiple breaches you’re not seeing and reading about,” he warns.
If you wait until you are a victim of a cyber attack to figure out how to handle the fallout, you’ve waited too long.
“Being proactive is far more important than being reactive,” advises Smith. “When a breach occurs, if you don’t act immediately then the data is gone and the potential fallout of the breach — whether you lose vendors or consumers — just gets bigger and bigger, much like it did with the Target breach. Being proactive really needs to be the focus.”
Smith, in fact, was a victim of the Target breach.
“Luckily for me, I check my accounts multiple times every day and I caught the charges as they were in progress, before they went through,” she said. “I immediately contacted my bank. I never lost anything; it was annoying, but I caught it and they fixed it.
“They even gave me extra credit protection after it happened because they had a plan so when it happened they knew immediately what to do and how to take care of it. That’s what we’re trying to get others to do, to get a plan — so when someone like me comes to you and says they’ve been breached, you’re able to fix it without any harm.”
It’s a lesson some have had to learn the hard way.
“There’s a firm I know in Northern Virginia,” Capece said. “It was primarily a military law firm that got hacked by Anonymous.”
Anonymous is an international Internet hacking collective that’s gained notoriety for its efforts to combat what its members see as injustice — causes that run the gamut from, say, reining in the controversial Westport Baptist Church in Kansas to protesting digital piracy regulations, drug cartels, child pornography and rape.
“The firm didn’t have the most robust protection, and (the hack) was extremely damaging,” Capece said. “They found a back way into the firm. Not only did Anonymous post information about the case they were concerned with, but they also poked into information about other clients.
“It’s not like they just go in and select one piece of information — once that door is opened, it’s opened.”
The bigger the exposure, the more expensive the cleanup will be.
Cost of a breach
Hoblitzell points to studies by NetDiligence, a cyber risk assessment and data breach services specialist, and the Ponemon Institute with Symantec, the data management company, that put costs well into the millions.
NetDiligence, which looks at data breaches from the insurer’s perspective, pegs the average cost per breach at about $3.7 million.
Ponemon/Symantec, on the other hand, addresses breaches from a consumer perspective, calculating the average cost at around $5.4 million, though massive hacks like Target and Michael’s aren’t used in the calculations because, they say, it would skew the results.
“One thing I found is that insurance carriers are incurring average costs of almost $1 million; that includes things like crisis response, computer forensics, services for notification, credit monitoring and reporting,” Hoblitzell said. “All of those things are required in one form or another under most state breach notification laws. In West Virginia, for instance, one of the things you have to do is to set up a number people can call. You have to tell them whether you possess their information or not. That’s an expensive service to maintain. And there may be credit monitoring that you have to maintain for a period of time.”
Assess, plan, implement
Before you can protect critical information, you have to know what critical information you have, where it is and who has access to it so that when a breach happens, “you know where to go for information, you can gather all the resources to show investigators so they can figure out what happened and what information went out the door,” Vestige’s Greg Kelley advises. “If you’re relying on an assessment that just says ‘we’ve got this database of customer data, we just need to lock it down better,’ then you’re not looking at how to track the data and if it’s breached, how you’re going to determine what went out the door.
“That’s what’s important in a breach: Determining what went out the door and, more importantly, what didn’t go out. It used to be if you couldn’t determine what data went out the door you didn’t have to report it; now, if you can’t determine that it didn’t go out you have to report it. The onus is on business now to prove information didn’t go out the door.”
Merely having network protocols and firewalls in place doesn’t mean you’re protected — the Target breach being a case in point.
“It’s a perfect example of how someone used a third-party, an HVAC company, to get access,” he said. “They probably thought they were the last people on the planet that had anything valuable, but you’re not always a target because of what you have but because of how they can use you to get to the next step.
“Most attacks, most vulnerabilities, come through mistakes that are not necessarily IT security mistakes. You need to look at things like policies and vendor contracts. Those are critical right now, third party relationships are one of the biggest causes of breaches. And it’s environment wide, so you have to look at employee behaviors and the work environment. IT security is part of it, but only a part of it. The good news is it doesn’t have to be overly complicated. A lot of things can be easily prevented with a little training and a little knowledge.”
Once you know what information you have, who has access and how it’s processed, “from there, you can usually do a little tightening down of the data,” he adds.
“You can make sure it’s controlled better; even develop a plan for what you’re going to do if a breach happens. Just remember, you’re still going to be exposed in some way. You’ve heard about computers over in Iran that monitor centrifuges enriching uranium? Those computers had no connection to the outside world whatsoever — they sat in an enclosed, secure room, but someone figured out a way to hack those computers from the outside world. If someone can do that to a computer in an enclosed room with no connection to the outside world, then, definitely, any business on the Internet, no matter what firewalls and intruder detection systems you have, is going to be vulnerable.”
Smith also advises password-protecting technology and files, “and that password needs to be complicated and changed often, and it certainly never should be stored with the data. Change your passwords once a month or every three months, whatever works for you, but make sure whatever technology you touch is protected.”
Andy Wessels, founder and owner of Sterling Communications of West Virginia, says cyber-crime prevention is a question of “taking control of your own destiny.”
“There’s an old expression, ‘If you don’t tell your own story, someone else will tell it for you,’” he said. “Of course, that’s more true every day in this communication age. There’s no longer such a thing as hunkering down and hoping the storm will pass; we’re all well aware of the 24-hour news cycle, and it’s no longer just traditional media but social media as well.
“You have to communicate to your customers, and use all the tools available to you to do that.”
Wessels said much can be learned simply by watching how those who have already been hacked handle the fallout.
“Target itself, for all the mistakes they made in the early going of not communicating their message, did some pretty good things later on in the process,” he said. “The CEO got out in front of it; he even made a very sincere, heartfelt apology. They updated their data as soon as they found out it wasn’t the 40 million customers they thought were affected at first but more like 110 million customers.
“They took accountability and responsibility for what had happened. The CEO did an open letter to their customer base explaining not only what they had done to mitigate the damage but also what they were doing to make sure it didn’t happen again — how they’d hired security experts to investigate, how they were offering free credit monitoring to those who were affected. They still have a long ways to go. The lesson we can take away from it is that it’s not necessarily going to go away immediately; it’s not going to return to normal right away. You need to create the expectation that yes, there may have been damage done and it’s going to take time to resolve it, but you’re working to mitigate it and make sure it doesn’t happen again.”
The State Journal, West Virginia
By Linda Harris, Legal Reporter