By MacDonnell Ulsch
The simple truth is this: Cyber-attacks are increasing in number, as well as in intensity and impact—and no entity is immune. Companies large and small are targeted by nation-states and organized crime, as well as cyber-attackers associated with a dizzying array of social and political causes.
Companies often say, “Why would anyone target us?” At least, that’s what they say before there’s a breach. After the breach, there’s another question posed by every chief executive: “Do you think we have to report this?” The answer to this question is usually “yes”—at least, it must be reported to some person or entity.
The reporting may be to a state or federal regulator in the United States or to similar organizations in foreign countries where personal information is breached. In some cases, it may be necessary to notify the U.S. Securities Exchange Commission or the U.S. Department of Defense.
In others, banks or investors may need to be notified, and the breached company’s insurer is usually on the list. Or it may be necessary to report the breach to companies under contract with the firm, especially if it involves a breach of contract.
Attacks may be from nation-states and organized crime, or from disgruntled or former employees. The targeted information can be intellectual property, trade secrets, personally identifiable information (PII) or protected health information (PHI).
Trust and reputation are irrevocably linked: If you violate the trust, you compromise the reputation. Reputation is, arguably, any company’s most valuable asset. A breached company is usually not a bad company, but sometimes that’s what hackers want everyone to believe.
Without trust, the information that is the fuel of the economic engines of commerce becomes a legal, financial, regulatory and reputation liability. Result: loss of market share, market preference and dominance; loss of shareholder and stakeholder value; and loss of investor confidence, which may result in the loss of geopolitical positioning and diplomatic power. And once trust is lost, it is hard to regain.
Breaches Evolve Into Extortion
At one time, hackers seemed to be content with denying service or access to a company’s transactional system, or stealing proprietary information. While they still commit these crimes, the evidence indicates that hacking has evolved considerably.
One evolutionary tactic is a special cause for alarm: an increase in the use of child pornography and human trafficking in breaches, in which the extortion of a company or an employee may be involved. If a hacker wants to extort a company, what better way than to threaten to defame that company or executive with the taint of child pornography or human trafficking? If the extortion demand isn’t paid, the brand faces the risk of being smeared globally. If it is paid, it’s likely that the demands will continue.
Another scheme is a proximity threat. In this scenario, while a company is under attack, another attacker is attempting to trick that firm’s employees into logging onto a fraudulent wireless network. The goal is to download keystroke loggers onto employee computers. If there’s a local accomplice, that could increase the possibility of a physical attack.
A third evolutionary hacker tactic is Website franchising. In these cases, attackers develop a Website using a stolen corporate brand. They attract visitors to the phony site and get them to create a profile with a logon ID and password.
Often, the unsuspecting Website visitors use their company-issued email address and private passwords. This gives the criminals confidential credentials, enabling them to sell or franchise the fraudulent site to other criminals and take a share of the revenue. This generates multiple revenue sources and also provides digital chaff to complicate criminal investigations.
Organizations that fail to adequately safeguard information will feel the pain: regulatory scrutiny; fines; civil and even criminal litigation; and the loss of market value, customer base, market dominance and reputation. The list is long, and the consequences can be costly.
Build an Executive Risk Council
What can companies do to protect themselves? Here is one recommendation: Build an executive risk council. It’s not a silver bullet for cyber-defense, but it does have significant value.
Such a council brings together affected parties. For too long, security has been perceived as either an issue of guards, gates and guns, or as an IT issue. While it is both, it is also more than that.
Look at the impact of a breach, and it becomes obvious who should be involved in an executive risk council. Although companies and situations vary, here is list of the departments and functions that should be represented on the council:
Legal: A breach, first and foremost, becomes a legal issue, potentially involving regulatory considerations, breach of contracts, civil litigation and even criminal prosecutions. So it is vital to include a legal representative. For smaller companies, especially those without in-house counsel, consider working with an external legal resource that’s knowledgeable of about information management and risk.
