In the wake of the pre-Christmas data breach at Target in 2013 that exposed the personal data of as many as 40 million people, Umesh Verma, chief executive of Houston’s Blue Lance, a cyber security firm, decided an education campaign was needed.
“We saw an increase in enterprises worrying about third-party risk, particularly service and supply chain providers who had remote access into their systems,” Verma explained. “We wanted to help small- and mid-sized businesses improve their cyber maturity and resilience so that they’d become more reliable and better service and supply chain providers to their enterprise clients.”
That led Verma to start Cyber Houston, an information-sharing and analysis organization providing resources and guidance to businesses for improving their cybersecurity posture and managing risks, in 2017.
Cyber Houston produces the annual Houston Cyber Summit, a forum for educating business leaders about protecting their businesses from cyberattacks.
For Verma, “It’s all about people, process and technology.”
Cyberattacks are becoming more common. Verma said he has dozens of examples of ransomware attacks on businesses, including car dealerships, accounting firms, law firms, health care clinics and doctor’s offices.
Businesses are not alone. The recent ransomware attack on 22 cities and towns in Texas targeted city services such as payment processing. The hackers, who apparently gained access to the systems via one third-party IT contractor, demanded a total of $2.5 million in ransom to release the data.
A 2018 study by risk compliance company Opus and the Ponemon Institute, a Traverse City, Mich., research institute focused on data privacy and protection, found that 59 percent of companies surveyed experienced a data breach due to a vendor or third party.
The costs of cyberattacks are rising. IBM Security’s 2019 Cost of a Data Breach Report, also conducted by Ponemon, found the average cost of a data breach worldwide had risen 12 percent to $3.92 million over the last five years. Between July 2018 and April 2019, the average cost of a breach in the U.S. was $8.19 million. The study was based on interviews with more than 500 companies that had experienced data breaches, and it evaluated hundreds of factors impacting costs. According to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, the global cost of cybercrime damages — the fastest growing crime worldwide — will reach $6 trillion annually by 2021.
“Ransoms are getting higher,” said Lisa Sotto, managing partner of Hunton Andrews Kurth’s New York office. “They used to be small amounts like $300 in bitcoin. But we just saw a recent one … and they asked for $600,000 in bitcoin.”
Sotto, chair of HAK’s Global Privacy and Cybersecurity practice and chair of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, remarked on the ease with which these attacks can be mounted.
“It’s such a great scheme because you don’t have to sell anything,” she said. “You just shut down a network, you get money, and then you give back the encryption key — maybe you give it back — not always. You don’t have to sell anything. It’s a lot easier than stealing data and selling it.”
Threat assessment
Sotto identified three primary threat sources.
“There are really three buckets of threat actors that we’re seeing on the data security side,” she said. “One is nation-state actors. The second is traditional hackers. Third is ‘hacktivists.’”
It is the second bucket that small and medium-sized businesses most need to worry about.
“The traditional hackers are in it for pecuniary gain; they steal whatever they can sell,” she said. “They have a very significant infrastructure on the dark web to both acquire and then sell data that they’ve stolen.”
Sotto emphasized the importance of having an incident response team and incident response plans that can be set into motion quickly in case of a data breach incident. Maintaining strong data security policies and procedures, patching system vulnerabilities, and establishing significant access controls so no one has access to data they don’t need are all important.
She noted that it’s difficult to protect against hackers getting into a system, particularly with respect to sophisticated phishing attempts. Having good back-up systems in place is another defense against having to meet the hackers’ demands.
Internal actors
Many data breaches involve internal actors, sometimes acting intentionally and sometimes inadvertently. Verizon’s 2019 Data Breach Investigations Report found that 34 percent of attacks involved internal actors.
Verma described a situation in which a family-owned retailer with a few locations discovered that fake vendors were being set up in payables, and checks were being processed to pay them.
“The access logs from the Accounts Payable module were showing that the Accounts Payable manager was setting up these vendors and authorizing payment. The AP manager had been with the company for a short time and immediately came under suspicion. … (We) discovered that a help desk support person was logged in at a workstation in the test lab and was accessing the AP module with the AP manager’s credentials. We brought this to the CEO’s attention and were able to help catch the thief in the act.”
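The case Verma describes was solved by reading the AP access logs for where the credentials were used, not just which account used them. The script below is an added example, not code from the article or from Blue Lance, showing that check in Python over a constructed log extract. It assumes a line-based export of the form `<ISO timestamp> user=<name> host=<workstation> action=<verb> [vendor=<id>]` and a per-user baseline of expected workstations; both the format and the sample lines are assumptions made for this example.

```python
"""Flag use of an AP account from an unexpected workstation.

Added example (not the article's or Blue Lance's code). Assumes a simple
line-based AP-module access log with the constructed format
    <ISO timestamp> user=<name> host=<workstation> action=<verb> [vendor=<id>]
and a baseline of workstations each account normally works from.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): the AP manager's account appears on
# her own desktop and, minutes later, on a test-lab machine creating and
# paying a new vendor.
SAMPLE_LOG = """\
2019-09-03T09:02:11 user=ap.manager host=FIN-DESK-07 action=login
2019-09-03T09:15:40 user=ap.manager host=FIN-DESK-07 action=approve_payment vendor=V1021
2019-09-03T09:21:05 user=ap.manager host=LAB-TEST-03 action=login
2019-09-03T09:23:48 user=ap.manager host=LAB-TEST-03 action=create_vendor vendor=V9901
2019-09-03T09:25:12 user=ap.manager host=LAB-TEST-03 action=approve_payment vendor=V9901
2019-09-03T10:01:00 user=ap.clerk host=FIN-DESK-02 action=login
"""

# Constructed baseline: the workstations each account is expected to use.
BASELINE = {
    "ap.manager": {"FIN-DESK-07"},
    "ap.clerk": {"FIN-DESK-02"},
}


def parse_line(line):
    """Split one log line into a dict of fields; the first token is the timestamp."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_anomalies(log_text, baseline, window=timedelta(minutes=30)):
    """Return (reason, record) tuples for suspicious AP activity.

    Two checks are applied to every record:
      off_baseline_host  the account is used from a workstation outside its baseline.
      concurrent_hosts   the same account was active on a different workstation
                         within `window`, which is what the help-desk case amounts to.
    """
    anomalies = []
    last_seen = defaultdict(dict)  # user -> {host: last timestamp seen}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, host, ts = rec["user"], rec["host"], rec["ts"]
        if host not in baseline.get(user, set()):
            anomalies.append(("off_baseline_host", rec))
        for other_host, other_ts in last_seen[user].items():
            if other_host != host and ts - other_ts <= window:
                anomalies.append(("concurrent_hosts", rec))
                break
        last_seen[user][host] = ts
    return anomalies


def privileged_actions_off_baseline(anomalies, privileged=("create_vendor", "approve_payment")):
    """Narrow the list to high-impact AP actions from an off-baseline host: the ones worth paging on."""
    return [rec for reason, rec in anomalies
            if reason == "off_baseline_host" and rec["action"] in privileged]


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_LOG, BASELINE)
    for reason, rec in found:
        print(f"{reason}: {rec['ts']} {rec['user']} from {rec['host']} did {rec['action']}")
    print("page on:", [(r["action"], r.get("vendor")) for r in privileged_actions_off_baseline(found)])
```

On the sample log every LAB-TEST-03 record trips both checks, and the privileged filter reduces the noise to the two actions that matter: the vendor creation and the payment approval. In practice the baseline comes from a few weeks of the same log, and the host field is what turns "the AP manager did it" into "someone used the AP manager's credentials from the test lab".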
Small and midsize companies often have insufficient IT resources and cybersecurity talent as well as weak policies for internal security controls.
“Almost two thirds of small-to-midsize companies allow passwords not to expire and have no account lock-out policies, so hackers can attack using brute force, without getting locked out,” Verma said.
In addition, many of these companies do not monitor their users or administrators and have “dormant accounts” — accounts with administrative privileges that are not in use. These, he said, may provide backdoors that cyber thieves can exploit to get into the system.
Verma estimated that 75 percent of midsize businesses do not use multifactor authentication, which requires a second factor such as a code texted to a mobile phone and would reduce the risk of cyberattack.
“Hackers can break in and deposit ransomware or hit the company with a phishing attack, and move laterally within the company and essentially steal data and intellectual property, and leave bombs behind so, when they get detected, they can zip up data and leave a computer screen that asks for money in exchange for the return of data,” Verma said.
“It’s all about cyber hygiene; if you have better hygiene, you will be more resilient,” Verma said.
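The four hygiene gaps Verma lists (non-expiring passwords, no lockout policy, unmonitored dormant admin accounts, no multifactor authentication) are all visible in a plain directory export. The script below is an added example, not code from the article or Blue Lance, that audits such an export in Python. The field names, the 90-day dormancy threshold and the sample accounts are assumptions made for this example; real exports carry these attributes under vendor-specific names.

```python
"""Audit a directory export for the account-hygiene gaps described above.

Added example (not the article's or Blue Lance's code). Assumes the export
has been reduced to one dict per account plus a domain-wide policy dict;
field names and thresholds are assumptions for this example.
"""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for an "unused" account

# Constructed policies: the weak one is the article's "two thirds" case
# (no lockout, passwords never expire); the hardened one is a typical baseline.
WEAK_POLICY = {"lockout_threshold": 0, "max_password_age_days": 0}
HARDENED_POLICY = {"lockout_threshold": 5, "max_password_age_days": 90}

# Constructed accounts (not real data). last_logon is None if never logged on.
ACCOUNTS = [
    {"name": "svc-backup-old", "admin": True, "enabled": True, "mfa": False,
     "password_never_expires": True, "last_logon": "2018-11-02"},
    {"name": "jdoe", "admin": False, "enabled": True, "mfa": False,
     "password_never_expires": True, "last_logon": "2019-09-02"},
    {"name": "it-admin", "admin": True, "enabled": True, "mfa": True,
     "password_never_expires": False, "last_logon": "2019-09-03"},
    {"name": "temp-contractor", "admin": True, "enabled": False, "mfa": False,
     "password_never_expires": True, "last_logon": None},
]


def audit_policy(policy):
    """Return findings for the domain-wide settings that enable online brute force."""
    findings = []
    if policy.get("lockout_threshold", 0) == 0:
        findings.append("no account lockout: repeated bad passwords are never stopped")
    if policy.get("max_password_age_days", 0) == 0:
        findings.append("passwords never expire domain-wide")
    return findings


def audit_accounts(accounts, as_of, dormant_after=DORMANT_AFTER):
    """Return {account name: [finding, ...]} for enabled accounts.

    `as_of` is an ISO date string giving the audit date. Disabled accounts are
    skipped: a dormant account is one that is still enabled but unused.
    """
    now = datetime.fromisoformat(as_of)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        last = datetime.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None
        dormant = last is None or now - last > dormant_after
        if acct["admin"] and dormant:
            issues.append("dormant admin account")
        if not acct["mfa"]:
            issues.append("admin without MFA" if acct["admin"] else "no MFA")
        if acct["password_never_expires"]:
            issues.append("password never expires")
        if issues:
            findings[acct["name"]] = issues
    return findings


def worst_first(findings):
    """Order accounts by number of findings so the report starts with the riskiest."""
    return sorted(findings.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    for f in audit_policy(WEAK_POLICY):
        print("policy:", f)
    for name, issues in worst_first(audit_accounts(ACCOUNTS, "2019-09-04")):
        print(f"{name}: {', '.join(issues)}")
```

The policy check and the per-account check are deliberately separate: a missing lockout threshold is one fix at the domain level, while each dormant admin account or MFA-less user is its own ticket. Running the audit on a schedule and diffing the output is the "monitoring" Verma says most small companies skip.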
Vendor management
Vendor management programs are another line of defense. Easy, streamlined consumer experiences in e-commerce are facilitated by the interconnected systems of different parties. However, data breaches often occur through third parties, and, as systems become increasingly interconnected, third-party risk increases.
“Vendor management is critical,” Sotto said. “Making sure that you have done appropriate diligence on your vendors to ensure that they can protect data in the way you expect, making sure you have appropriate contractual provisions in place so that you have a contractual backstop if they don’t protect the data.”
Sotto also noted that ongoing monitoring is vital, as is training and having a plan in place to address a breach when it occurs.
As with other emergencies – fire, hurricane or active shooter – companies need to have an incident response plan for digital attacks.
Following a cybersecurity breach, “many different work-streams will be happening at the same time,” Sotto said, “including the PR work-stream. Attorneys draft communications documents and deal with media communications, employee communications, regulators, affected individuals, business partners and service providers. When sufficient information is known, the attorney starts a legal analysis which involves looking at the laws of each state or jurisdiction where affected individuals reside and analyzing their differing notification schemes.”
According to Sotto, the most basic aspects in cybersecurity are identifying the threat actors and taking proactive steps.
“The effectiveness of these steps, I think, varies, but it is extremely difficult to protect a system because you only need one successful attempt by a hacker to get into your system,” she said. “But businesses need to be successful 100 percent of the time. Particularly with respect to phishing, where employees or individuals are targeted by phishing attempts — some of them are very carefully targeted. We’re not talking about the Nigerian prince anymore. We’re talking about extremely sophisticated phishing attacks and it only takes one person to click on one bad link that will download malware.”