Gone are the days when adding special characters to passwords was the height of Internet security procedures. In today’s hacker-hungry world, businesses that adopt the “not ‘if’ but ‘when’” philosophy toward cyber incidents are the ones with a chance at surviving them.
Most IT professionals understand this, but the reality is that they’re almost powerless to prevent and manage an attack if the entire company isn’t on board with the right plan.
Chad Layton is a shareholder and attorney at national law firm Segal McCambridge Singer & Mahoney, which has offices in eight US cities. He specializes in representing technology companies and advises all types of companies in how to manage cyber risk from a legal perspective, including how to create and then implement a detailed cyber incident plan. The difference between a company surviving and going bankrupt, according to Layton, often comes down to how it responds to a breach.
“Any company connected to the Internet is subject to the risk of an attack,” Layton says. “This risk is becoming greater and greater. Everyone is aware of the big ones—Sony, Ashley Madison, the government—but it’s an area that I find, especially for smaller and mid-size companies, where they ignore or don’t effectively manage the risk.”
“You need to build a culture of cyber awareness, a healthy suspicion—you want to think twice before you do something.”
That’s a huge deal. The Ponemon Institute’s 2015 Cost of Data Breach Study found that cyber incidents have increased in both frequency and cost. Last year in the United States, malicious or criminal attacks—the most costly types—accounted for 49 percent of all incidents. Nineteen percent involved negligent employees, and 32 percent involved system glitches related to both IT and general-business processes. The costs of detection, post-incident notification, and lost business have all increased, with a total cost of data-breach management up 11 percent.
According to the Ponemon Institute report, the average consolidated total cost of a data breach has grown to $3.8 million—a 23 percent increase since 2013. What’s more, the average cost per record lost in a breach—that could be one single customer record with credit card information attached, or an insurance company policy holder’s health-care history—is $217, a record high.
Learn more about cybersecurity prevention and response in the legal and IT fields with a white paper from Sync titled The General Counsel’s Guide to Digital Defense. The Legal Side of Cybersecurity. Click below to download this complimentary industry insight report.
While large corporations might have plans and budgets to account for these risks, Layton says that half of all data breaches and hacks are perpetrated against smaller companies (defined by 2,500 employees or fewer). “What’s really startling is that of that 50 percent, more than half of those breaches result in a company having to close its doors,” he says. That’s because the costs of a data breach go far beyond IT expenditures: “damage to your reputation, damage to your customer trust, those sorts of things.”
“You have to hire attorneys, IT forensics experts, PR or media people to reach out to customers or the public,” Layton says. “Depending on the type of breach or nature of the business, there’s potential for lawsuits or federal regulatory fines.” A recent FTC ruling related to the 2008-2010 breaches of Wyndham Hotels, for instance, states that companies may be held liable for not adequately protecting customer data.
While Layton defends companies who are sued in commercial litigation matters, he also advises his clients on how they can try to avoid those lawsuits following a data breach, even if they can’t guarantee they can avoid cyberattacks. A company’s preparation can make a big difference in how much liability it carries to shareholders and customers.
The Importance of Vendor Security
One of the latest areas of vulnerability that both Layton and Kurzynski advise their clients to address is that of vendor security. A company is only as secure as its vendors, and it can be held liable for breaches caused by vendor negligence.
“If you’re a company that shares data with other vendors, make sure they have cyber insurance—and that you have the right to audit them to make sure they are properly protecting any data that might be shared,” says Layton, who also advises restricting vendors’ access to only the type of data that they really need to perform their function, rather than allowing open access to everything.
Vendor risk management is one of the fastest-growing segments in Kurzynski’s industry. “If you don’t hold vendors accountable to a certain amount of security, they just won’t do it,” he says. “The smaller, younger startup cloud providers, even some of the bigger ones, have surprisingly lax security programs and really won’t do anything until they’re forced to.”
The best ways to ensure vendor reliability is to hold vendors to high standards of cybersecurity and to limit the type of access that each vendor maintains to a company’s data. It’s also important to assess each vendor with the right perspective.
“The guy that does our copiers and fixes and repairs them—we’re not going to hold him to same level of security as the company that’s managing our servers,” Kurzynski says.
Prevention is the Best Medicine
IT departments may be focused solely on building secure systems, but Layton cautions that more preparation is needed. While the majority of attacks come from outside sources, something as simple as an employee losing a tablet with poor encryption and not reporting it could wreak havoc on a business. Employees falling for phishing scams creates an even more vulnerable position: An unsuspecting person clicks a link in an email, a virus is downloaded onto their computer, and the company may not even detect the intrusion for weeks or even months.
“You need to build a culture of cyber awareness,” Layton says, stressing the importance of employees maintaining “a healthy suspicion—you want to think twice before you do something.”
On the technology side, Layton often advises clients to partner with IT forensics firms that can help them prevent attacks and understand exactly how to respond—not only to recover data, but to determine the scope of the attack and advise on next steps.
Terry Kurzynski, a senior partner at HALOCK Security Labs, helps companies prepare for breaches by performing a series of incident-response readiness activities, which vary depending on the industry and type of data at risk.
A big part of that is educating staff on how to detect breaches. Kurzynski recalls a Black Hat conference four years ago at which security professionals all agreed that keeping the “bad guys” out entirely was no longer a feasible goal. “The industry needs to invest more in incident response capabilities versus only on protection investments. The goal is to reduce the compromise-to-remediation time frame from a couple hundred days to a couple hours or less,” he says.
Kurzynski compares two recent high-profile data breaches to illustrate the importance of preparation. Target, a major retailer, and Anthem, a large health-insurance provider, both suffered data breaches in recent years (Target in 2013 and Anthem in 2015). Target exposed over 30 million credit card records; Anthem exposed over 30 million health records.
“Anthem came in, [and] they had a well-coordinated response because they were ready for it. They were in control of the notification process versus being controlled by the media or law enforcement. They did it in a timely fashion, within a week. They just executed well,” Kurzynski says. Target, on the other hand, did not detect its own breach; it was discovered and revealed by a third party. “The incident seemed to never end [because] they couldn’t manage the response externally. Their incident response capabilities were likely not where they needed to be.” Now Target is still facing shareholder derivative lawsuits, while the Anthem story has faded.
“Companies should have an emergency response program in place—the CISO needs to designate a person responsible for that,” Layton says. “It doesn’t really cost a company a lot of money to put this together, talking trough potential things and putting together a list of resources, having a list of people to call right away.” At the top of that list should be an attorney, he explains, so that all communication regarding the breach will be covered by attorney-client privilege.
In addition to having an emergency response plan, organizations need an established risk register that can help limit legal liabilities. HALOCK helps organizations demonstrate their duty of care by performing a risk assessment. The resulting risk register and risk treatment plan is what a judge recognizes as the organization’s proof of its duty of care.
“Judges are not in a position to determine whether a particular control is adequate or not,” Kurzynski says. “What they do understand is, whether or not you’ve demonstrated your duty of care. What actions did you take to treat those foreseeable risks? Has the organization performed activities to foresee and reasonably address its risks?”
Another critical measure of preparation is to obtain cyber-incident insurance, which has become a separate option that companies must purchase. Layton says that IT executives should be sure to review cyber insurance requirements and take certain steps in order to qualify for coverage—the same way that homeowners with insurance need to install locks on their doors if they want to be covered for a burglary.
When the Inevitable Happens
“If zero risk was the goal, I wouldn’t be able to drive to work,” Kurzynski jokes.
Average total cost of a data breach for a US company
Increase in total cost of data breaches
Average cost per stolen or lost record
Increase in cost per stolen or lost record
Like anything in life, there is an inherent risk in maintaining sensitive data; smart business leaders recognize this and set their contingency plans in place. When Kurzynski is called in after a cyber incident, his team will perform a number of functions, often simultaneously. They look to stop whatever malicious action is occurring, then assess what, if anything, was stolen or breached (not every cyber incident results in the loss of important data). At the same time, they work to fix the problem so that the company can keep operating, and they find and preserve forensic evidence that can point to how the incident happened. After that, HALOCK can advise a company on how to update its security plan, what changes to make, and other post-incident activities.
Layton will also advise clients about this process: interviewing employees, documenting everything, and determining what should be disclosed to the public or to shareholders. “You want to make sure you are providing accurate info to your customers and the public,” he explains. “You don’t want to make the mistake of disclosing too early because your information may not be accurate, and you don’t want it to be confusing.” At the same time, companies must inform upper-level management and make sure that senior executives understand the full breadth of the incident.
When it comes to external notifications, the legal issues can get thorny. Forty-seven states currently have cyber-incident notification laws, and they’re all different. Companies with customers in multiple states must navigate different timelines, the type of information communicated, and the steps they must take following a breach, depending on the state.
“The goal is to get back to business as usual,” Layton says. “But it’s really critical to provide assurance to your business partners and your customers that, yes, something did happen, but you’re doing whatever you can in your power to make up for it.”
All of these steps may seem daunting, especially for smaller companies that actually may be the most vulnerable, Layton says. But all IT security is scalable, and the necessary preventive measures depend on what type of data is at risk.
“The most important thing to emphasize is having a plan in place,” he says, “and for companies to think long and hard about the decision if they choose not to have a plan.”