It’s hard not to scare the daylights out of business people when the subjects of hackers and cyberattacks are raised.
Even scarier, however, is the fact that many of those same executives don’t take reasonable steps to protect their companies’ most sensitive data.
How to reduce the risk of a data breach – and how to respond once cyber-defenses are scaled – was the topic of a Wednesday seminar at the Milwaukee Athletic Club. Produced by four groups with a stake in enhancing corporate cybersecurity, the event was a reminder that for many companies, it’s not a case of if they will be hit by hackers, but when.
Reported cyberattacks in the United States were up 40% in 2016 compared with 2015, rising to 1,093 from 781. “Phishing,” skimming, email manipulation, denial of service attacks and ransomware were among the most common breaches as cybercrime syndicates and nation-state hackers stepped up their assault on corporate and public electronic data.
Seminar speakers agreed hackers in 2017 are much more stubborn than those in the past, often refusing to quit after initial attempts to breach firewalls fail.
“There’s no more outrunning the bear,” said Mark Shelhart, senior manager for incident response and digital forensics at Sikich LLP. “We would like to see hackers scared away, but that doesn’t happen anymore. They’re handpicking victims, they’re getting persistent, and they’re getting elaborate.”
If companies and other institutions can no longer run fast enough – meaning, do just enough to frustrate hackers until they select a more vulnerable target – what steps can they take to mitigate risks?
Planning to protect sensitive data is still essential. Recommendations from Shelhart included blocking some commonly used remote access tools; investing in file integrity monitoring systems to validate operating systems and software; locking out or segmenting vendors, whose data systems may be more vulnerable than your own; reducing the lateral movement of data within a company without crimping essential communication; and not spending a lot on “silver bullet” tools that may not work as advertised.
Jeff Jensen, a former FBI agent and federal prosecutor now with the Husch Blackwell law firm, described 10 components of how to respond if a breach occurs. They included quickly securing an information system before the damage spreads, complying with breach notification laws, calling in a digital forensic expert, checking what insurance coverage is in place or getting coverage if it’s not, and thinking through how to respond to press and other inquiries.
Because a company hit by a data breach may find itself defending against lawsuits brought by everyone from consumers to shareholders to credit card companies, it’s important to “lawyer up” right away. As soon as a breach occurs, companies should develop a legal strategy to deal with those risks. Hiring a lawyer right away also helps the company to claim both attorney-client privilege and work product protection from the start.
If the odds of a data breach are getting higher, perhaps the solution isn’t to build a better firewall but to devalue what’s behind it through encryption.
That approach was outlined by V. Miller Newton, the chief executive officer of PKWARE, a Milwaukee-based firm with about 100 employees and more than 30,000 customers worldwide.
Founded in 1986 and known in its early days for inventing the .ZIP file compression application, PKWARE today still provides data compression and encryption services. About 60% of its customers are in financial services, 15% in health care and 15% in government – three sectors that are often targeted by hackers.
Newton said only 5% to 10% of the world’s sensitive data is encrypted, yet that step may be the only way to protect data in an era of device proliferation. It’s hard to build firewalls in the age of mobile access and the internet of things, with literally billions of connected devices.
Miller’s five steps for guarding against thieves, snoops and hapless insiders are: designating a company data protection officer, discovering where sensitive data is stored and who has access, determining data security gaps where possible, defining data security policies and deploying protections for data in motion, in use or at rest in storage.
The costs of data breaches can be measured in many ways, from lost revenues and bruised reputations to long-term liability. Companies that prepare aren’t immune to cyberattacks, but they’re better positioned to survive them.