Last weekend, online broker Scottrade became the latest company to fall victim to a data breach, when cyber criminals stole personal information from 4.6 million people using the company’s services.
The company wasn’t even aware of the breach until the FBI let Scottrade officials know that someone hacked into their system.
Scottrade isn’t alone. Cybersecurity officials say cyber crime strips $5 trillion out of the economy every year — the equivalent of one-third of the nation’s gross domestic product. On average, cyber criminals spend 220 days inside networks before they’re detected.
With cyber crimes increasing 400 percent in 2015, it’s not just an issue for information technology departments — it’s a problem that should be addressed at the highest levels of every company, they say.
“Most companies have been hacked,” said Casey Fleming, chairman and CEO of BlackOps Partner Corp., a cybersecurity firm. Fleming is former founding executive director for IBM’s cyber division. “They just don’t know they’ve been hacked. And it’s often years later they find out that their intellectual property, their trade secrets, their customer information is compromised.”
Breaches like the one at Scottrade, or similar attacks at eBay and Target, make the news because the companies have to let people know their personal information is at risk. But only 10 percent of attacks are ever reported.
Where does all the stolen information go? Cyber experts say the Dark Net, a part of the Internet not accessible by regular browsers. It is used by criminals not only to plan their crimes, but also to sell their ill-gotten information.
“The Dark Net is 400 times bigger than the surface Internet,” Fleming said. “And it’s growing. You need a browser you can use with anonymity, like Tor, but once you have that, you can buy and sell information anywhere in the world.”
The BlackOps team spoke at an AIG webinar this week about steps CEOs and upper management should take to become more cyber savvy, since attacks on data can undermine not only a company’s brand, but also its finances.
The human factor
CEOs should keep one thing in mind: It’s only a matter of time, said Eric Qualkenbush, a BlackOps board member who used to work for the CIA.
“Most attacks come when someone who has legal access to the system allows a criminal in,” he said. “There’s always a human factor — so keep in mind your company will be attacked — if it hasn’t been already — and have a plan in place.”
Qualkenbush tells a story of an executive who took a company laptop home and allowed her son to enter a gaming room via the Internet. Chinese hackers were lurking, and with a few keystrokes, were able to get the teenager to click on exactly the right link. That link installed a keystroke monitor on the laptop.
“The next day, she logs back into the work system, and within hours, the Chinese had access to every server at the company,” he said. “And it wasn’t malicious on her part — they just didn’t know.”
So what can a company do?
Doug DePeppe, a member of the BlackOps Partners Board of Advisers and founder of local law firm eosedge Legal, says companies should plan for a cyber attack and their response to it — and keep their legal team apprised of the plan.
“If you have legal counsel involved, then you can use attorney-client privilege to keep that plan private,” he said. “That’s essential. It protects the company, and it protects the plan.”
Next, CEOs and senior management should become fluent in cybersecurity — not necessarily the technical language, but they should understand their fiduciary responsibilities.
“Cybersecurity isn’t just the realm of the IT department or the CIO,” said Fleming. “The senior level of every company should be aware of what’s in place to protect sensitive data and they should know what the plan is when there is a breach.”
Sensitive data should never be stored with other information, said Qualkenbush. It’s too easy to get to on regular servers.
“Your sensitive data — intellectual property, trade secrets, personal information — should be compartmentalized and kept apart from other information,” he said. “You should limit access to those who absolutely need to know and then monitor their access.”
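Qualkenbush’s advice above amounts to three controls: keep sensitive data in its own compartment, deny access by default to anyone not on that compartment’s need-to-know list, and record every access decision so the people who do hold access can be monitored. The following Python sketch is an added illustration of that pattern; it is not code from BlackOps or any product mentioned in the article, and the compartment names, principals and access attempts in `build_demo()` are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class AuditEntry:
    """One logged access decision, allowed or denied."""
    when: str
    principal: str
    compartment: str
    allowed: bool
    reason: str


@dataclass
class CompartmentStore:
    """Sensitive data split into named compartments, each with its own
    need-to-know list. Anything not explicitly authorized is denied,
    and every decision is appended to the audit trail."""
    _authorized: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[AuditEntry] = field(default_factory=list)

    def register(self, compartment: str, need_to_know: Set[str]) -> None:
        # The need-to-know list is the only way to gain access.
        self._authorized[compartment] = set(need_to_know)

    def _log(self, principal: str, compartment: str,
             allowed: bool, reason: str) -> bool:
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     principal, compartment, allowed, reason))
        return allowed

    def access(self, principal: str, compartment: str) -> bool:
        """Return True only if the principal is on the compartment's list.
        Unknown compartments and unlisted principals are both denied."""
        allowed = self._authorized.get(compartment)
        if allowed is None:
            return self._log(principal, compartment, False, "unknown compartment")
        if principal not in allowed:
            return self._log(principal, compartment, False, "not on need-to-know list")
        return self._log(principal, compartment, True, "authorized")

    def denied_attempts(self) -> List[AuditEntry]:
        """Denied decisions are the first thing a reviewer should look at."""
        return [e for e in self.audit if not e.allowed]

    def access_counts(self) -> Dict[str, int]:
        """Successful accesses per principal: a simple baseline for
        monitoring the people who legitimately hold access."""
        counts: Dict[str, int] = {}
        for e in self.audit:
            if e.allowed:
                counts[e.principal] = counts.get(e.principal, 0) + 1
        return counts


def build_demo() -> CompartmentStore:
    # Constructed sample: two compartments and five access attempts.
    store = CompartmentStore()
    store.register("trade_secrets", {"alice"})
    store.register("customer_pii", {"alice", "bob"})
    store.access("alice", "trade_secrets")    # allowed
    store.access("bob", "customer_pii")        # allowed
    store.access("bob", "trade_secrets")       # denied: not on the list
    store.access("mallory", "customer_pii")    # denied: not on the list
    store.access("alice", "payroll")           # denied: no such compartment
    return store


if __name__ == "__main__":
    demo = build_demo()
    for entry in demo.denied_attempts():
        print(f"DENIED {entry.principal} -> {entry.compartment}: {entry.reason}")
    print("successful accesses per principal:", demo.access_counts())
```

The point of logging allowed decisions as well as denied ones is the monitoring half of the advice: a listed user whose access count suddenly jumps is as much a signal as an outsider being refused.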
Those people need training as well, he said.
“When I was in the CIA, I knew it was easier to get to information from someone already on the inside than trying to get to it illegally through outside channels,” he said. “People need training; they need to know it’s their responsibility to protect information. There needs to be a moat around the castle, and security — and the king of the castle needs to know the plan to keep everyone inside safe.”
Without a plan, executives could find themselves out of a job, in front of Congress or facing shareholder and customer revolts, Fleming said.
They could lose market share as customers flee to more secure brands; they could lose the trade secrets that keep them in business.
“It takes active oversight from the board,” said DePeppe. “That’s the key word: ‘active.’ IT professionals should have routine, regular meetings with the board to talk about their plans. Boards know there is a problem: They’re throwing more and more money at it, and it’s only getting worse.”
Cybersecurity requires a holistic approach, he said. CEOs should monitor cybersecurity plans, prepare for a breach and do regular cyber breach exercises with everyone on staff.
And reduce your legal exposure, DePeppe said.
“Boards need outside counsel, as well as inside attorneys,” he said. “Cyber counsel can help reduce your legal exposure, and any advice or plan is protected not only by attorney-client privilege, but also by attorney work privileges.”
It all comes down to one thing: “It’s due diligence,” DePeppe said. “This is no longer a separate issue from the rest of the CEO responsibilities — it’s something every company’s highest executives should be aware of.
“It’s a fiduciary responsibility. Customers and shareholders are going to start holding companies accountable for these breaches. Companies need to be prepared.”