With an ever-increasing amount of available data, fueled by technology, comes an increased risk of data theft. Data, in the form of financials, intellectual property, and even personally identifiable information (PII) and personal health information (PHI), has become portable in multiple formats. A single USB flash drive can store millions of records. Those records may also be transferred from a laptop over a Wi-Fi connection to cloud-hosted storage in just a few moments. These constant innovations and advancements in web-facilitated business tools also often yield more vulnerabilities for internal negligence and external hacking.
What should companies consider when shoring up their defenses against cybercrime? CPO Magazine sat down with Prashant Pai, Vice President of Cyber Offerings at Verisk, and Scott Stransky, Assistant Vice President at AIR Worldwide, a Verisk business, to understand the strategies that could help businesses prevent, or recover from, an increasing volume of attempted hacks.
Q: What are typical methods of attack (for example, phishing) that businesses can prepare for?
Pai: Businesses would be wise to prepare for data and privacy breaches, ransomware, and Denial of Service (DoS) attacks. One of the most common methods by which intruders get in is phishing, especially spear phishing (that is, targeted phishing) through e-mail attachments. Regularly training your staff is key so that they know better than to automatically click on links or open attachments in e-mails from unrecognized senders. One of the best cyber defenses an organization can erect is a trained and aware staff.
Stransky: I agree. One of the most critical things a business can do to prepare for cyberattacks is employee training. Many attacks can be prevented if employees are vigilant and always have some degree of suspicion when they receive an unexpected e-mail.
Q: Describe how ransomware and other malicious software (for example, WannaCry) work and what the best defense is.
Stransky: In a ransomware attack, cyber criminals encrypt the contents of your computer. A ransom is required—usually around $300 to $500, payable in an online currency like Bitcoin—to recover the contents. Most will help get you your data back if you do pay. The ransom paid is sometimes insurable, with many cyber policies including coverage for it. With WannaCry, although many companies suffered business interruption while their systems were down, very few companies ended up paying the ransom. WannaCry encrypted those computers that were not up to date on their Windows updates. Companies also should be aware that those with current offline backups of their files could restore their systems without paying a ransom.
Pai: Sometimes the most basic defense is best: software patching and upgrades, for example. The largest software manufacturers have gotten much better at releasing new patches as soon as they’re aware of existing vulnerabilities. If left unpatched, ransomware such as WannaCry and Petya/NotPetya spreads from one computer to the next when it finds another device on the network with a vulnerability. Running virus scans and not connecting to any open public Wi-Fi networks are other pragmatic pieces of advice. Cyber pandemics are somewhat analogous to human health emergencies. We can’t stress basic computer health and hygiene habits enough.
Q: What kinds of issues and costs might a company expect following a high-profile breach?
Pai: Following a headline-grabbing breach, there are incident response costs to contain the breach, evict the intruders, and recover operations quickly. After that, breach responders and breach coaches are needed to implement a course of action to support affected consumers and/or employees. Actions can include determining which consumers were affected, notifying them, providing them with credit monitoring, and covering the fraudulent transactions. There may be potential liability issues coming from consumers, their card issuers, and so forth. This event may also cause substantial business interruption or disruption. And often, we’ve seen reputational impact and the public relations expense required to repair brand and image.
Stransky: There are also “fuzzier” costs to consider. C-level executives tend to be ousted or resign after a major incident. A company’s cyber insurers may likely charge more to renew cyber insurance policies after such an incident. As for cyber insurance, most of today’s policies have limits that are not really high enough to deal with a major incident. In the Target breach, the company had an insurance tower with a total limit of $100 million, but the direct costs of the breach were several times greater than that.