What does a data breach look like, and who do you call? Cyber experts share their perspective.
By Dave DeWitte
Editor’s note: This is the second part in a new members-first series on cybercrime and data security, The Death of Privacy. Read the first installment at bit.ly/deathofprivacy.
Whether you work for a major corporation or a two-person shop, the odds of encountering a data breach get bigger each year. ProCircular in North Liberty is one of the first Iowa companies to get the call when a business experiences a serious breach.
“A couple of our engineers just left the office to help an accounting firm that’s completely locked up,” CEO Aaron Warner said in a June interview. “They’ll be completely freaking out and wondering what will happen.”
ProCircular and firms like it can assess the extent of the breach and what data was taken, and often advise or aid the company in getting their system resources back in the case of a ransomware attack. They also help clients build defenses into their IT systems and advise on new and emerging threats.
“Bugs – you’ll see those roll across the country, starting in the morning and working their way west through the time zones,” Mr. Warner said. “We’ll call our client and say, ‘that thing is coming our way – you need to patch for this.’”
The idea that cybercriminals only pursue a select group of prime targets and that smaller companies will be overlooked is one of the biggest fallacies in data security today, experts say.
Companies with less than $50 million in revenue filed 48 percent of the cyber insurance claims from 2014-2017, according to the latest NetDiligence Cyber Claims Study. Companies with less than $2 billion in revenues represented 88 percent of all reported claims. The median cost of those claims: $56,000.
Ken Schmutz, supervisory special agent at the FBI’s Cyber Crimes unit in Omaha, spoke at EntreFEST in Cedar Rapids earlier this year, urging businesses to notify the FBI when they’ve been breached. He said he has witnessed the fallacy of businesses thinking they’re under the radar of cybercriminals.
“The worst ones [data thefts] we run across, they think: ‘We’re small, no one will attack us.’ They’re the ones who’ve done zero preparation.”
Identifying your risk
The first step in getting serious about preventing such intrusions is called a risk assessment, Mr. Warner said, which involves a comprehensive evaluation of the company’s IT security practices and vulnerabilities. Companies can perform a risk assessment internally using their IT department, but typically contract for an independent assessment by an outside consultant to obtain a more impartial, informed and objective opinion.
“It is a huge speed bump for them to get over, because they [business executives] are afraid of what they’ll find,” Mr. Warner said. “It’s like somebody who has put off going to the doctor, thinking they probably have cancer, and then they go to doctor and find out they don’t have cancer. It’s a huge relief. They just need to stop eating so much steak; they need to exercise.”
The size and detail of the assessment varies with the needs of the client, including whether it is in a lightly or heavily regulated industry. Data privacy regulations such as HIPAA for medical service providers) and Part 500 of Title 23 (for financial companies doing business in the state of New York) require more in-depth analysis.
Turning the risk assessment into a profile and building a set of action items to ensure the risks are mitigated is critical to making the process work, Mr. Warner said. Action plans should identify an outside specialist that can provide support when a data breach occurs and guidelines for who decides when an outside specialist is brought in, and when.
Tackling the risks can take many forms, although some of the steps are so obvious that they can easily be overlooked.
“The number-one deterrent is apply the patches,” said Greg Edwards, CEO of Cedar Rapids-based data security company WatchPoint, which offers products and services designed to make data protection practical for smaller companies. They include CryptoStopper, a product that uses deception technology to thwart ransomware attacks.
“Every month Microsoft comes out with security patches,” Mr. Edwards said. “Companies and individuals need to install them, because on the first Tuesday of the month, Microsoft tells the hacker community what the vulnerabilities in its system are.”
Patch management tools offered by WatchPoint and other companies can help companies track patch releases and update their software for those who don’t have the IT staff or expertise to do it.
Educating employees and vendors is another simple strategy that shouldn’t be overlooked.
“The human factor – it’s always the weakest link,” said Shadrack Roberts, a data security specialist at HQ Army Sustainment Command at the Rock Island Arsenal, adding that it’s common for individuals with access to valuable data or with valuable connections to be targeted using techniques known as social engineering. Mr. Roberts experiences it “all of the time” in his role with Army cybersecurity, he told an audience at EntreFEST.
Social engineering impacted thousands of UnityPoint Health patients, customers and employees in a data breach reported this summer that used a strategy known as “spearphishing.”
“Our investigation shows that our organization received a series of fraudulent emails known as ‘phishing’ that were disguised to appear to have come from a trusted executive within our organization,” said a letter to patients from UnityPoint Privacy Officer RaeAnn Isaacson. “The phishing emails tricked some of our employees into providing their confidential sign-in information, which gave attackers access to their internal email accounts between March 14, 2018, and April 3, 2018.”
The letter said the attacker appeared to be hacking emails to try to divert payroll or vendor payments to its own accounts, and that medical records of patients were not exposed. However the attackers may have gotten some patients’ medical treatment or surgical information, diagnoses, lab results and/or date of birth, among other things.
Just 10 days after the UnityPoint breach was reported, it was the topic du jour at a monthly gathering of IT security professionals, who get together over beers at Big Grove Brewery in Iowa City. They mulled over the common spearphishing strategy of using a faked email from a familiar source to get a targeted individual to click a link to a website that would require them to reveal their email name and password.
“Even if you were a trained professional, you might not notice that it wasn’t real,” said Kellie Conner, an IT security specialist at Transamerica in Cedar Rapids. “You know they get an email every week that looks like this, so you send them an identical email except the link in it is different.”
Ms. Conner said Transamerica sends out test phishing emails to employees intermittently to see who clicks and who doesn’t. While such exercises help, she said, 100 percent compliance remains an elusive goal.
Time is on the hackers’ side, according to ProCircular’s Warner. He said attackers may spend five or six months studying a target and analyzing its defenses before deciding how to get in.
“They found ‘Dave’ was the head of IT on LinkedIn – private information which Dave has chosen to make public,” Mr. Warner said. “They call the front desk and say, ‘I’m Tim and work in IT for Dave. I’m going to email you a quick link and we’ve got to get this done today. It only will take a minute, but it will make your computer about 30 times faster. I’ll send you the link – will you click on it now?’”
The link typically takes the user to a fraudulent website that might upload a virus to his or her computer or simply record their login credentials to be used later.
“Cybersecurity is not a technical problem – it’s a human problem,” said Jaret Pfluger, of the ISACA, a certifying and education organization for IT security professionals, who was attending the Iowa City gathering. “Humans create technology, and they utilize it.”
For every outside attack, Mr. Pfluger says there’s a good chance that an insider could do an equivalent amount of damage.
“You may have an employee who has a grudge against you,” he said. “From the inside, they may have [administrative] permissions that let you share customer data.”
Lax data security at a company’s vendors and partnering businesses can have the same severe consequences – or worse.
A textbook example was the 2013 data breach at retailer Target, which exposed the credit and debit card information of more than 40 million customers. That occurred after malware introduced to Target’s IT system through an email from a vendor with security flaws in its own system infected the retailer’s point-of-sale terminals.
Huge amounts of data can change hands between vendors and clients, posing existential security risks for both.
“If you were to screw up and leave data in a place where it can be hacked or appropriated illegally, the liability would be enormous,” said Steven Keith, founder of customer experience consultancy CX Pilots, which has Corridor operations in North Liberty.
CX Pilots analyzes massive amounts of data sent by customers for useful patterns that can inform ways of improving the customer experience. Not infrequently, clients send files attached to emails that include private consumer data.
“Before I open it, I call and say, ‘can you assure me there’s no sensitive data?’” Mr. Keith said. “When there’s a breach, they [investigators] identify every single person inside or outside the firm who has access to that information, and they become a part of that investigation.”
Mr. Keith said some customers have sent large files of unencrypted customer data that the company would not open, out of concern for violating privacy standards, and must sometimes ask them to mask sensitive data.
“It’s generally because they have terabytes of customer data and don’t know how to configure it to leave out the sensitive data,” he noted.
Creating a “privacy culture”
The risks of data breaches don’t end at the company’s front door or at the firewall of its network. Employees and managers themselves can be vulnerable to security breaches, both individually and as agents of their companies.
“You may not care that somebody knows where your house is or who you voted for, and any of those things individually may not be that important,” Mr. Warner said. “But collectively, they can be used to gain control over you very easily, and we at ProCircular see it every day.”
A classic example, Mr. Warner said, was the infamous Ashley Madison breach in 2015, which disclosed the identities of thousands of users of a web-based service for facilitating extramarital affairs. The threat of disclosing an employee’s Ashley Madison data to a spouse or loved one is the kind of thing that pushes an employee or manager into revealing company secrets, he said.
Creating a privacy culture within an organization and communicating it to employees is vital, according to Mark Hudson, an attorney at Shuttleworth & Ingersoll in Cedar Rapids who specializes in privacy issues. Although individuals run the risk of leaving themselves vulnerable, he said one of the more pressing issues in the workplace today is the posting of information on social media that could embarrass or jeopardize an individual’s employer.
“If I’m the marketing director, and I make a racist or sexist comment on Facebook, that’s a problem,” Mr. Hudson said. “It hinders your ability to do your job.”
Concerns were so great on that front that federal legislation was proposed within the last few years to ban employers from asking employees for social media passwords. Mr. Hudson said he knows of no employers who were asking for those passwords, however.
Employees should typically know that their supervisors and employers have access to all the information they store on company-furnished equipment, including computers, servers, email systems and smartphones.
Smartphones are probably the toughest area within the employer-employee privacy interface, Mr. Hudson added. If an employee uses their personal smartphone for work, he said the issue of who owns the data can get sticky without established workplace rules.
“There are certain places where you’re going to have strict rules [governing smartphones],” he added. “Having someone with essentially a camera walking around on a medical floor in a hospital is a problem. You’ll see some employers go further to address those types of things.”
Given the myriad threats, the future of data security for businesses may seem bleak. But Mr. Warner says it’s important to keep it in perspective.
“Cybersecurity and compliance – a lot of people like to paint that as a new thing in the history of the world,” he said. “But every problem that’s been painted in the history of the world was a brand new thing. There are age-old methods of measuring and addressing risk, and cybersecurity is just another organization risk.”