Potential dire effects vary by business, the type of computer-reliant operations it has and the nature of its data, and these effects can range from mere irritation to significant financial loss all the way up to a closing of the company doors.
Information technology security issues grow more important and urgent for business and industry week by week. Commerce-critical data today is created deliberately at workstations as well as streamed by always-connected apps and devices into the cloud – streams that simultaneously make operations more efficient and more vulnerable.
Managers, accountants, healthcare providers, lawyers, retailers, bankers, public officials and more all are joining IT professionals in spending more of their time and energy on cybersecurity matters.
Anti-virus expert Eugene Kaspersky said at an IT security conference in October 2013 that the cost of data system disruption to business is “many times more than $100 billion.” Since then, data breaches have occurred at Target, Neiman Marcus, JP Morgan Chase, Home Depot, Sony Pictures, Anthem and others. However, while these large events attract news coverage, much of the overall cost of data breaches actually occurs at small- and medium-sized businesses because they are often easy targets.
“You have to assume that you have already been breached to some extent and determine how to continue running your business with that assumption,” according to John Askew, consulting manager and security team lead for SDGblue, a Lexington-based IT services firm.
“Hacking” into computer systems started three decades ago, largely among young men wanting to impress friends with their technical savvy. Nearly all data breaches today are by criminals looking to make money using an array of methods and powerful tools. The realities of computer security are much different than even just five years ago.
One result is that no one is too small to be a target. Thieves formerly tended to individually target the high-dollar score, like fishing with a large pole for that “big one.” Computer-powered automation today, however, enables thieves to fish with a net – targeting victims in volume so that many small catches add up to large cumulative results.
Security experts all estimate the likelihood that a specific business’ computer systems will crash or be compromised at 100 percent – a matter not of if but of when. They also agree that most incidents are either preventable or can be cleaned up quickly with proper preparation. Money-sapping downtime can be averted or recovery expedited, reducing costs across the board. This security has a price, but prevention and planning tend to be far cheaper than curing a system shutdown for which a business is unprepared.
Most businesses today can’t run without computers, which are service platforms for credit card processing, tax filing, business websites and interacting with suppliers and customers.
Another recent computer security issue is that Kentucky and 47 other states along with Puerto Rico, the District of Columbia and the Virgin Islands have laws that punish companies found negligent in handling customer data, or that do not notify customers of a breach in a timely fashion.
Barbarians at the gate – and inside
Think of data security, experts say, in terms similar to doors to your business: The more data connection doors you have, the more security you need since doors are generally the most vulnerable points for unauthorized entry – or exit. Every email account is a potential door.
Further data vulnerability exists because businesses have to go through a lot of other people’s “doors,” too. Cyber criminals watch that activity with programs designed to sniff out your weaknesses and theirs.
Many business people are shocked to learn that various studies find from 45 percent to 80 percent of data security issues originate inside the company. Not all are malicious; sometimes an employee password is easily hacked, like the word “password” or “1234567890” or their password is pasted on their desk for anyone passing by to see.
Data security becomes compromised because employees often aren’t trained, or no security guidelines exist and they innocently do something inappropriate. It can be a disgruntled employee or one paid to steal company data. “Drive-by downloads” into business networks can occur when an employee visits a web page with a malware delivery mechanism that is disguised as an ad. Sometimes network anti-virus programs are inadequate (such as free versions) or are not installed at all.
Phishing is most common attack mode
Internal breaches commonly come from “social engineering” attacks, which prey on human behavioral weaknesses. “Phishing,” a common social engineering method, is the most commonly used data assault process seen by those interviewed for this article. And it achieves the most success against users.
Phishing criminals, usually using stolen email addresses, “bait” users at a target business with what appears to be an urgent email from a familiar company, such as a bank or retail chain they use. Problems begin if a recipient clicks a link or opens an attached file promising further details. The 2013 Target stores holiday shopping season breach that led to 110 million customer credit card records being stolen started with a phishing attack against employees of a subcontractor; Home Depot’s 100-million-customer-records breach in 2014 was a phishing attack.
Phishing messages use official-looking logos, headquarters information or other content to prompt a click for details; the click instead initiates a download of malware onto the recipient’s device, and the malware then propagates across the network. The many variations of this trick have worked worldwide millions of times.
“Phishing is the No. 1 problem for us on campus, and that is across faculty, staff and students,” said Brian Purcell, Murray State University’s information security officer and the school’s interim chief information officer. “If we see a phishing attack on campus, we proactively look to see who has responded to it by examining data traffic leading to the offending site. We then change their password and user identification and notify them that we have done so … because data breaches are very expensive to correct.”
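The response Purcell describes (find who visited the phishing site, then reset their credentials) can be scripted against a web proxy log. The following is an added example, not code from the article or from Murray State: it assumes a simple constructed proxy log format of timestamp, user, method, URL and status, a constructed placeholder phishing hostname, and treats a POST to the phishing domain as a likely credential submission that deserves a higher-priority reset. Subdomains of the reported domain are matched too, since phishing kits often serve pages and images from several hosts.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article). Assumed format:
# "<timestamp> <user> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2015-03-02T09:14:03 jdoe GET http://login-portal-update.example.net/verify 200
2015-03-02T09:14:40 asmith GET http://www.example.edu/news 200
2015-03-02T09:15:11 jdoe POST http://login-portal-update.example.net/submit 302
2015-03-02T09:16:27 bkhan GET http://LOGIN-PORTAL-UPDATE.EXAMPLE.NET/verify 200
2015-03-02T09:17:05 clee GET https://mail.example.edu/inbox 200
2015-03-02T09:18:44 bkhan POST http://login-portal-update.example.net/submit 302
2015-03-02T09:19:00 dwong GET http://cdn.login-portal-update.example.net/logo.png 200
this line is malformed and must be skipped
"""

# Hostname taken from the reported phishing email (constructed placeholder).
PHISHING_DOMAIN = "login-portal-update.example.net"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def hostname(url):
    """Extract the lower-cased host from a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def host_matches(host, domain):
    """True for the domain itself and any of its subdomains."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def find_responders(log_text, domain):
    """Return {user: {"visited": n, "submitted": n}} for every user whose
    traffic touched the phishing domain. POSTs are counted as submissions."""
    hits = defaultdict(lambda: {"visited": 0, "submitted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        if not host_matches(hostname(m["url"]), domain):
            continue
        rec = hits[m["user"]]
        rec["visited"] += 1
        if m["method"] == "POST":
            rec["submitted"] += 1
    return dict(hits)


def response_actions(responders):
    """Order the credential resets: users who likely submitted credentials
    first (high urgency), then everyone else who merely visited (medium)."""
    ordered = sorted(responders.items(), key=lambda kv: (-kv[1]["submitted"], kv[0]))
    return [
        (user, "high" if rec["submitted"] else "medium", "force password reset and notify user")
        for user, rec in ordered
    ]


if __name__ == "__main__":
    for user, urgency, action in response_actions(
        find_responders(SAMPLE_PROXY_LOG, PHISHING_DOMAIN)
    ):
        print(f"{urgency:6} {user:8} {action}")
```

On the constructed log this flags jdoe and bkhan as high urgency (each visited and then POSTed to the site) and dwong as medium (only fetched an image from a subdomain); asmith and clee never touched the domain and are left alone. In practice the same sweep would also be run over DNS resolver logs, since a user who clicked from a phone on the office Wi-Fi may not appear in the proxy log at all.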
A sophisticated variation is “spear phishing” in which attackers research individuals at a company and target them with sometimes surprisingly personal appeals. This technique increases the odds of success so much that spear phishing accounts for 91 percent of attacks. At financial institutions specifically, reported individual losses average $55,000 and some have exceeded $800,000, according to the Washington-based Internet Crime Complaint Center.
Phishing is one of the most common consumer complaints the Kentucky Attorney General’s Office gets, said Daniel Kemp, deputy communication director.
“Many of the calls lately extended from attempts to dupe consumers affected by the recent Anthem (Blue Cross Blue Shield) data breach,” Kemp said. “Getting trained in spotting these threats is one of the most effective defenses a business or consumer has. We have staff who go around the state training consumers in our Scam Jam classes. Face-to-face training is always effective, and every business should consider it for their employees.”
Who are the phishers? They come from around the world. The Chinese and North Korean governments have often been accused (e.g., the Sony Pictures Entertainment hack), as have criminals in former communist bloc countries, South America and in the United States. A town in Romania’s Transylvanian Alps, Râmnicu Vâlcea, population 120,000, is called the cyber-crime capital of the world, but it has only two government agents assigned to combat digital law-breaking. Regardless of their origin or motivation, the criminals are after your system, your data, your customers and your money.
Those illegally harvesting customer data often bundle their stolen info and sell it to others to avoid being caught using it – they let others do the phishing or scamming. It makes arrests and prosecutions difficult, and even if they are caught, restitution for victims’ losses is rare.
Assessing costs, value, safety and savings
The good news is that with appropriate measures, a business network can be kept reasonably-to-very safe. Although the due diligence of installing, maintaining and securing computer systems can be costly, security breach costs can be far, far more.
“PCs and computing resources are now a utility, not a luxury. IT security is often regarded as a discretionary cost, but it’s not – it should be fixed in the budget of every business,” Purcell said.
The term “disaster recovery” refers to being able to restore a computer system to the state it was in a short time before a failure. Only very rarely is this the result of a fire, flood, lightning strike or tornado, although those are considerations. Much more commonly it means a single computer’s hard drive fails and ruins all its data, which a business must recover to get back to work; or a server dies, corrupts a wider swath of data and shuts down daily operations.
Business IT disaster recovery plans often mean having off-site backup in case equipment is stolen or offices are too damaged to use. With off-site data storage, operations can be restored in a temporary location, allowing the business to continue serving customers and avoid losing revenue.
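A backup that has never been restored is an assumption, not a plan. The following restore drill is an added example, not code from the article or any of the firms quoted in it: it builds a small constructed "office" directory, records a checksum manifest, copies the tree to a constructed "off-site" location, deletes the original to simulate a failed drive or stolen machine, restores from the off-site copy and verifies every file against the manifest. The `corrupt_backup` switch shows the check catching a silently damaged backup, which is the failure mode that turns a two-day outage into permanent data loss.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Manifest {relative posix path: sha256} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken before the loss.
    Returns a sorted list of problems; an empty list means the drill passed."""
    restored_root = Path(restored_root)
    problems = []
    for rel, digest in manifest.items():
        path = restored_root / rel
        if not path.is_file():
            problems.append(f"{rel}: missing after restore")
        elif sha256_file(path) != digest:
            problems.append(f"{rel}: checksum mismatch")
    return sorted(problems)


def run_restore_drill(corrupt_backup=False):
    """Full drill: snapshot -> off-site copy -> simulated loss -> restore -> verify."""
    with tempfile.TemporaryDirectory() as tmp:
        office = Path(tmp) / "office"      # primary site (constructed sample data)
        offsite = Path(tmp) / "offsite"    # stands in for the off-site copy
        restored = Path(tmp) / "restored"  # temporary location used after the loss

        (office / "ledger").mkdir(parents=True)
        (office / "ledger" / "2015-q1.csv").write_text("invoice,amount\n1001,250.00\n")
        (office / "customers.txt").write_text("Acme Co\nBeta LLC\n")

        manifest = snapshot(office)          # record what "good" looks like
        shutil.copytree(office, offsite)     # the off-site backup

        if corrupt_backup:
            # Simulate a backup that was written incompletely or damaged in transit.
            (offsite / "customers.txt").write_text("Acme Co\n")

        shutil.rmtree(office)                # the hard drive fails / machine is stolen
        shutil.copytree(offsite, restored)   # bring operations up from the backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean drill:", run_restore_drill() or "OK")
    print("corrupt backup:", run_restore_drill(corrupt_backup=True))
```

Running the clean drill returns an empty problem list; with `corrupt_backup=True` it reports `customers.txt: checksum mismatch`. The manifest is the part worth keeping separately from the backup itself, since a backup and its own checksums stored side by side can be damaged together.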
“A company with six PCs that has no regular service vendor for support, and that hasn’t been getting regular system evaluations, is usually down two or three days,” according to Dave Sevigny, president of Frankfort-based DMD Data Systems, a regional IT services provider. “A company that has an established relationship is usually down about a half day. There is no substitute for qualified help.”
Sevigny and others advise considering the question: How would being without computers for two or three days affect your company?
“Today’s technology is more robust, more resilient and has more ‘call home’ properties that alert us, often before the customer knows they have a problem,” he said. Clients “have fewer problems if they make an effort to keep up their systems and allow us to help them. That’s what IT professionals do.”
An office technology policy can avert some of the latest threats to business. Sevigny advises caution regarding “the bring-your-own-device (BYOD) trend of letting employees bring smart phones and tablets into the office with no supervision, and even letting them do (company) work with them.
“While an employer might think he’s saving money by having employees use their own equipment to perform tasks for which the business formerly provided the equipment,” he said, “they are also opening themselves up to some real security problems. Giving someone open access to a business network when you can’t control what happens with that device after work is a very risky proposition.”
Lack of knowledge, lack of preparation
Investing in IT security and disaster recovery is less costly than restoring data from bits and pieces, or going back to printed records. Data breaches mean lost customers and tarnished business reputations, especially when customers must be contacted to inform them sensitive personal data is now “in the wild” and in the hands of criminals.
In calculating a budget for IT security and disaster recovery, managers are advised to consider their company’s average revenue or profit per hour or per customer, then assess the potential cost of lost operating hours or customers. At what point would losses become critical? At what point would the business be fatally crippled?
Many businesses lack security and data recovery plans.
“Kentucky lags the national averages for a variety of reasons,” said Russ Hensley, CEO of Hensley Elam Associates, a regional data services firm with headquarters in Lexington. “Despite the routinely quoted (estimate that there are only) 30 percent of businesses with adequate protection, we may be as low as 10 percent for companies with appropriate backup and disaster recovery plans.”
Lack of knowledge is thought to be the main reason why. “Most of them simply don’t know the risks, or they think it won’t happen to them because it hasn’t happened yet,” Hensley said. “They don’t realize their employees are usually their biggest threat. They often see the backups and IT security as something being sold to them versus being a real asset. Since they have never had an incident – despite some of them already being infected with malware and they don’t know it – they either balk at the cost or don’t see the need.”
Studies estimate the cost of repairing a data breach at $185-$195 per customer. That’s $18,500 for 100 customers or $185,000 in losses for 1,000 customers. Repairs can take months as little issues continue to present themselves. It’s fairly common for some data to be lost forever, complicating making financial books whole again. Damage to reputation and trust can mean a loss of current customers and future business.
Studies show preventive measures do reduce per-customer losses for data breaches: $14 less for companies with comprehensive security policies and procedures; $13 less when the company has an incident response or disaster recovery plan; another $7 less if a well-trained staff person serves as the chief information security officer. Those steps lower average losses to $151 per customer.
Mitigation but no 100% guarantee
“There’s a saying in our industry that computer security always seems to cost too much, but still is never enough,” said Jerry Bell, a computer security consultant and founder of the DefensiveSecurity.org website and blog in Atlanta. “Computer security is something like what they say about those who fight terrorism: We have to be right all the time, but they only have to be right once.
“There is no 100 percent guarantee against hacks or data loss,” Bell said. “Everyone is a target, too. There are breaches and attacks going on at all levels – from giant financial firms all the way down to parking garages. Statistics don’t tell the whole story because many breaches are not reported to authorities. The fear of damage to a company’s reputation is pretty powerful.”
One product that can mitigate the cost of data breaches, he said, is cyber-security insurance, which many companies now offer. Data breach coverage can mitigate costs in any case, and especially when the policyholder is not to blame.
“When a breach happens and a claim is paid, the insurance companies are looking for those responsible for the breach,” said Bell. “If (the insurance company) pays a claim, then someone else is likely to wind up paying the insurance company.
“Take some of the big, well-known, national companies whose data breaches made headlines in 2014. There are lawsuits against some of them by their vendors, like credit card processing companies, and those vendors’ insurers to cover the costs of cleaning up the mess,” he said. “They lay the blame at the feet of the big company, and that mess includes new cards, reimbursements, credit monitoring and many other charges.”
All the experts in this article concur that, on average, only about 30 percent of businesses today have adequate security and a disaster recovery plan – not elaborate security, but decent protection and enough to help with recovery.
“The one thing that keeps me awake the most at night is how our data is handled,” said Purcell at Murray State. “We’ve been collecting people’s personal data since the late ’80s, and the standards for security were different then. We’re like any other business in that regard. That legacy data is very valuable, and we have the responsibility for protecting it.” Most businesses are in the same boat.
The most common lament among the IT security professionals interviewed is that customers reel when told the cost to adequately protect their systems but don’t understand the value of that investment.
For example, initiating recommended system security measures might cost a small to medium-sized business $10,000 up front and another $300 in costs per month to monitor the system security, perform maintenance and pay for regular professional services ($3,600 per year). Under this scenario, first year expenses are $13,600; subsequent years might total $5,000 when software upgrades, checkups, equipment replacements, etc., are included. This is a five-year cost of $33,600, or $6,720 per year. It’s a considerable budget line.
If this business has 300 customers, however, using the $185-per-customer cost for a breach that studies found, a data system problem could cost $55,500. That’s about $22,000 more than the cost of IT system security.
Compliance does not mean security
In managing costs, businesses generally opt for meeting legal or regulatory obligations as an expense baseline.
“Compliance does not equal security,” warns Michael Gilliam, consulting manager and security team lead for SDGblue. “Security is a very complex issue to tackle (and) it becomes harder to defend the individual information systems and the organization as a whole as it grows.”
A lack of dedicated resources to implement an effective security program is the biggest issue SDGblue sees, Gilliam said.
“Security (is) often viewed as a cost center that needs to be minimized,” he said.
That anemic approach is further weakened when “combined with a confusion with regulatory compliance,” Gilliam said. A managerial view that data security resources are “dedicated to avoiding fines stemming from violations makes security often nothing more than an afterthought, prioritized only when it is too late.”
State and federal government requirements to notify customers of a breach are considered burdensome and complicating factors. However, the cost of doing so is small compared to the fines and penalties for not doing it in a timely fashion, and far less than criminal or civil charges, or lawsuits by customers.
There are major additional compliance issues in the medical field, which also must comply with complicated federal HIPAA and HITECH regulations.
The Health Insurance Portability and Accountability Act of 1996 mandates the confidentiality and security of healthcare information. The Health Information Technology for Economic and Clinical Health Act of 2009 anticipates a massive expansion in the exchange of electronic protected health information.
“The cost of a breach to medical clinics can be staggering,” Hensley said. “One doctor had a laptop stolen with 2,000 patient records, and none of the data was encrypted (to make it unreadable to the thieves). They were fined $150,000 by the government for non-compliance – un-encrypted laptops are the No. 1 cause of fines. It used to be that large clinics were the ones fined, but now smaller offices are seeing fines, and they are never cheap. For the largest companies, there have been fines of $12-14 million. It’s quite serious.”
Breaches trigger legal obligations
Hensley holds the advanced Certified Information Systems Security Professional credential, which in addition to technical expertise requires knowledge of IT’s legal and financial issues. The CISSP credential is valued especially in the healthcare sector and other operations with high-stakes compliance obligations. Hensley said it improves his ability to advise clients about avoiding potentially expensive situations.
“For instance, I’ve seen cases where attorneys took a patient’s medical records into their office for a case. This puts the lawyers at tremendous risk because they think the attorney-client privilege protects them, but that’s not entirely true,” he said. “By assuming responsibility for those records, they are now under HIPAA laws and subject to penalties.”
Meanwhile, state legislatures are enacting new cybersecurity laws and reporting requirements, creating legal obligations sometimes to notify customers and staff about a data breach – or to not notify them because the breach is under a criminal investigation.
In Kentucky, HB5 and HB232 cybersecurity laws passed in the General Assembly in 2014 are now in effect. They changed the way the commonwealth’s businesses are required to store customer data and protect confidentiality. Depending on who is potentially affected, businesses and other entities that experience a data breach must contact the Kentucky State Police, state auditor of public accounts, state attorney general, Kentucky Department of Education or the Council on Postsecondary Education.
HB 232 defines what businesses must know about an electronic security breach, sets deadlines for informing customers and staff, and specifies when law enforcement must be notified.
Frank Goad is digital editor of The Lane Report. He can be reached at [email protected]