Lions and Tigers and Hackers, Oh My!



In today’s increasingly connected digital world, where technology changes constantly and is extremely difficult to keep up with, it’s only a matter of time before you are significantly and negatively impacted by some sort of computer system compromise.

At an individual level, there are a number of things you can and should do to protect yourself. Determine if you’ve already been hacked and change passwords on any compromised accounts. This information on hacked accounts is not comprehensive, but that does not undermine its value. Learn how to properly manage all of your numerous passwords. A password manager makes it easy to implement unique, complex passwords without needing to remember them. Assume your personal information is already compromised, because it likely is. What are you doing about it?

The bad guys want to monetize your personal information, which often involves opening a new line of credit in some form or another. Start by making it difficult for hackers to accomplish this. You can do that by placing a freeze on all of your credit reports. These are some quick, high-level tips that you can employ in your personal life to immediately and significantly raise your defense levels against hackers.

But my main purpose in writing this article is to approach this topic from a business perspective. What should businesses be doing to protect themselves from hackers and the many threats they represent? First, let’s take a step back and consider how hackers could negatively impact a business.

Hackers these days love to use compromised computer systems to mine for crypto-currency like bitcoins. It provides them with an easy, fast way to monetize their hacked computers and impacts businesses by using up significant levels of computer processor (CPU) resources to the point where those computers can become unusable. What if critical computers within your organization become unavailable, not only because their CPUs are being overwhelmed, but because once you figure out what is happening you then need to investigate what happened and clean the systems affected by the malware?

What about ransomware? This is another common way in which hackers compromise computer systems. How many hospitals, transit systems and other organizations have you heard about in the news that were crippled by ransomware?

Perhaps the worst type of attack a business might face would be one where confidential, proprietary and/or sensitive information is compromised. After all, you can’t get the information back once it’s been copied into the nebulous cloud known as the “Internet”, and it is very difficult to reverse the bad publicity from such an event and the negative reactions from customers. Not only that, but it can be very expensive to complete an investigation, implement changes to prevent future compromises, notify individuals that their data has been compromised, provide credit monitoring services for those affected, engage with lawyers, etc.

The old adage about an ounce of prevention being worth a pound of cure is very applicable when it comes to computer security. Every situation is different, every company is different and every company has different levels of risk based on the type of business they are involved in, the type of data they work with, etc., but it should be safe to assume that in general, implementing a baseline level of security and being proactive is going to be less expensive in the long run than being reactive and having to work through all of the negative issues mentioned above.

I’m not going to go into all the in-depth technical steps that companies should take to increase their computer security posture and protect themselves. Suffice it to say that you should be implementing a multi-layered approach to security. Every company is different, but typically email is far and away the highest point of risk for a company being compromised in some fashion or another. What have you done to recognize and mitigate this risk? Not sure? Get engaged with your teams on the topic of computer security. Not only may the success of your company rely upon this, but your job too.

Look at recent events like the Equifax breach. There were many things that happened because of the Equifax breach, but did you know that Equifax’s CIO and CSO soon “retired” after this event occurred? Even Equifax’s CEO eventually succumbed to the significant backlash from the Equifax breach. The CEO of Target eventually “resigned” as well for the major breach that happened in 2014 and ultimately cost Target hundreds of millions of dollars to clean up and in lost revenue from upset shoppers who would not return to the retail store chain. Marissa Mayer, CEO of Yahoo, had her compensation reduced by more than $12 million due to her lack of attention and response given to a big hack affecting Yahoo. This revelation ultimately led to a $350 million discount in the sale price of Yahoo to Verizon. Ouch!

Every company should have someone that they trust to offer them good advice on computer security, whether this is an internal employee or an outside resource.  Companies should be actively involved in understanding their risks related to computer security and what they are doing to mitigate those risks. What are the computer security best practices and standards for your company’s industry? Are you ahead of the game or behind the curve? Don’t know? Find out before it’s too late.

All that is well and good, but I have a cyber security insurance policy. That’s my “get out of jail free” card. I don’t need to worry about this stuff because if I’m ever affected by an event like this my insurance policy will pay for everything. Cyber insurance policies typically require that a standard of care be maintained, meaning that you must be meeting and following basic good computer security principles. In the Equifax breach it was determined that hackers gained access because a computer system was not kept up to date with the latest security patches. A standard level of care was not being met in this situation.

Your cyber insurance policy may not cover a cyber security event if your company is found to be negligent in preventing it because a standard level of care was not being maintained. So read your policy carefully, understand the pitfalls of cyber insurance and understand that this doesn’t get you off the hook for implementing good computer security at your company. In fact, most insurance companies, when it comes time to pay out, will look for any opportunity to not pay out on a claim so it is very important that you not provide reasons which might allow that to occur.

There is no silver bullet to protect yourself against cyber-attacks. Look to implement a multi-faceted approach using some of the ideas mentioned above. Surround yourself with trusted advisors on this topic and don’t let it become something that you lose track of and don’t give attention to. Be actively involved in maintaining and monitoring your company’s computer security. By doing this you will enable your company to avoid the serious pitfalls surrounding cyber-attacks and dramatically reduce their impact should they occur.

Andy Thoren, Director of Information Technology