While the massive malware attacks like WannaCry or NotPetya garner all the headlines, these are relative rarities in cybercrime. Joe Scargill, U.S. Secret Service Agent, explains that the true culprit is “phishing – business email compromising – almost 100% of the time. The massive breaches at corporations are almost once-in-a-lifetime cases. These business email compromises are very convincing. They’re relatively ‘low-tech’ and use a little bit of social engineering.”
Mary Frantz, Managing Partner at Enterprise Knowledge Partners (a cyber security, forensics, and compliance consultancy), notes that, “One of the things our company does is security posture assessments. We come in as a legal black hat hacker with the permission of the company and find ways to break in. When we get the permission, we have a near 100% success rate of breaking into their children’s smart phones and sending an email laced with something into your organization. You click on it, thinking that it’s from your kid, and it’s in your company. That’s been a fun one, and it’s a really scary one for people.”
The Importance of an Incident Response Plan
So, the question is not whether a cyber breach will occur – it’s when and how to best mitigate its negative impacts. Each member of the panel at Financial Executives International’s (FEI) Technology for Finance Leaders highlighted the importance of not only having an organizational incidence response plan but testing the plan regularly.
Frantz advises that, “crises happen in real life and you have to continually practice it. As you practice it, it becomes more commonplace. As you practice it with more people in the company – they become more knowledgeable about what to look for, who to contact, etcetera. An incident doesn’t give you a two-month leeway to start planning. It happens right away. When our clients call us to perform or run through their incident response plans, it’s pretty immature. What that means is that when an actual incident happens, they are not prepared. If your company gets hit by ransomware, you don’t have an hour to get everyone into a room to think about it. You better have a plan on what you’re going to do: are you going to unplug the computers, are you going to shut down the internet, what’s your backup, did you practice restoring, what can they get, do you know who your law enforcement officer is, do you know who your insurance agent is, do you have a lawyer? Ninety percent of the time we come in to handle an incident our statement of work is immediately signed by the company’s counsel, so everything we do and say is under attorney-client privilege.”
Bridget Sakach, a Network Security & Privacy Specialist at AIG, says, “When it comes to claims, those who have plans, who have tested their plans – tend to recoup more quickly and their reputation tends to recover more quickly after a breach, because they were prepared and mitigated it upfront. Companies suffer serious reputational harm when they are not prepared for a breach, then it’s like a huge fire drill. Companies that aren’t prepared are more likely to get fines than those that had plans in place.”
In the Event of a Breach
In the event of a breach, Sakach advises clients to “contact their privacy attorney, if they have one. The attorney will liaise with the cyber insurance provider and forensic investigators. If you don’t have a privacy attorney, your insurance provider can provide forensic investigators, as well as public relations firms and privacy attorneys in order to help mitigate reputational harm from an incident.”
In addition to the resources Sakach addresses, Officer Scargill notes that organizations should contact law enforcement as soon as a breach or incident occurs. He related an experience he had where a company came to law enforcement reporting that they paid a fake invoice. In the case, Scargill and his team found that the hackers spoofed the CFO’s email to one of the accounts payable employees. The hackers impersonating the CFO complained that an invoice was late and needed to be paid immediately. Given the urgency expressed in the email, the accounts payable employee paid the invoice without question. After paying the invoice, the company realized that it was a fake, but waited several days before involving law enforcement. Had the company involved law enforcement as soon as they realized the mistake, Scargill explains that they could have seized the money before the transfer completed. Unfortunately, this company waited too long, and the money was gone.
Frantz notes that breaches and incidents represent opportunities to revise and refine their organizational incident response plan; however, this area is where organizations fail most often. This is due primarily to a fear to inform the company’s board, who often react punitively to incidents or breaches. This apprehension drives what Frantz describes as an “organizational mindset of see no evil – hear no evil.”
Beyond facing the board, Melissa Krasnow, Partner at VLP Law Group, notes that disclosing the breach or incident outside the organization is vital, arguing “there might be some short-term pain, but if you get out ahead and disclose it – you won’t be accused of hiding it. You have to weigh the risks. It’s not easy or fun to disclose it, there are costs associated with disclosing it, in terms of engaging forensics and legal counsel.” Furthermore, Krasnow notes that companies are being required to disclose with increasing frequency whether they have had a breach in mergers and acquisitions, transactions, and even technology purchases.
Looking Ahead
When responding to cyber incidents, Frantz has discovered vulnerabilities that the hackers took advantage of years in advance. When considering organizational cyber resiliency, it is important to consider not only present capabilities, but those in the past. If the organization had vulnerabilities in the past, they must consider how they can mitigate those risks moving forward.
Additionally, organizations need to stop hiding behind technology. After all, an organization is only as secure as its personnel allow.