The cybersecurity breach of Equifax this past spring, which unloosed the personal financial and identity information of 145 million Americans, “was a game changer,” said Matt Cullina, CEO of CyberScout, at the third annual Providence Business News Cybersecurity Summit on Oct. 31.
“After Equifax hit the news, our call volume spiked,” he said. “Normally when people call, they are fearful or concerned. These callers were angry.”
Much of the summit’s panel discussion at the Crowne Plaza Providence-Warwick covered ways to protect individuals and businesses from cybercrime. Tactics range from training employees to alerting them to the ways criminals can slip into computer systems.
Easy tip: Never access sensitive information for work via public Wi-Fi, such as at a Starbucks. And always encrypt sensitive information before sending it out via email.
Weak spots in internet-connected systems, including software and people, where cybercriminals can penetrate computer systems are called the “attack surface.”
Mike Steinmetz, state cybersecurity officer, told attendees that this surface is getting bigger all the time. He cited the addition of consumer products that communicate with your iPhone or with each other, such as so-called smart-heating systems, or even appliances such as refrigerators.
All of these things can be hacked, and the hacker can then go sideways into other systems. “Ten years ago, savvy hackers had to go to the dark corners of the internet” to find the technology and means to enter legitimate systems, Steinmetz added. Now, almost anyone can find these tools on the dark web.
Asked to name the major trends in fraud and cyberthreats, John Alfred, a captain with the R.I. State Police and head of the state’s Joint Cyber Task Force, first named spear phishing. That’s when a hacker poses as a legitimate person, say, as your boss or a co-worker contacting you by email.
To defend against spear phishing, Alfred said, make sure the person on the email is who he claims to be. That can be as easy as making a phone call on the spot.
Jeff Ziplow, cybersecurity risk assessment partner with regional accounting firm BlumShapiro, agreed. “You might think you are talking (via email) to your CEO, but you are really talking with an attacker,” he said. “Pick up the phone.” Another basic rule is to never send money in response to any email communication. Also, inoculate your system with firewalls.
Second on Alfred’s list of trends was ransomware, when a bad actor locks up your system until you pay ransom to have it unlocked.
Linn Foster Freedman, a partner with Connecticut-based Robinson+Cole, who practices data privacy and security law, noted ruefully that cybercriminals are often sophisticated, even offering customer service, such as a link for buying Bitcoins. The defense from ransom attacks is to back up your information somewhere off your network.
Mobile phones also are a highway to your data, Alfred said. Android is an open-source platform, which makes it easy for hackers to write software applications that contain malware. Download a malware-infected app and you could let the enemy in. More recently, hackers are inserting malware in any phone – Android or iOS – via attachments to text messages, Alfred said. Defenses are to install antivirus software on your phone, and to never open a suspicious attachment received via text.
More than once, panelists noted the grim expressions on faces in the audience. Steinmetz assured people they have to face up to the reality of cybercrime and get ready for it. “There is no dialing back the clock on this. You need to listen and think seriously about how you are going to become more digital. Avail yourself of the information that is out there.”
Businesses, especially small business, also may be threatened by complacency. “A false sense of security puts people in great danger,” said Francesca Spidalieri, a senior fellow for cyber leadership at the Pell Center for International Relations and Public Policy at Salve Regina University. “You don’t want to become that low-hanging fruit. Clean up your online presence. You might be surprised what you put out every day through social media, such as when you are going on vacation, where your kids are.”
Scrutinize contracts with vendors – from insurance brokers to Cloud access – to make sure their systems are secure, panelists urged.
“When buying services from vendors, demand solid systems of security and privacy,” said Cullina, whose Arizona-based company has a Providence office. “We must say to vendors, ‘Here is what I expect if I am going to do business with you.’ Businesses handling data badly will be called to task.”
Many defense tactics are more complicated than simply training. These include buying cyber insurance, with careful vetting of the policy; knowing the ins and outs of rules in other states and countries; and working with legal specialists if you need to report and ameliorate a real security breach.
Cyber liability insurance is relatively new, and many companies still don’t have sufficient defenses on this front. “Cyber insurance is tricky,” said Foster Freedman, whose firm has a Providence office. “It is not a one-size-fits-all situation. Work with an insurance broker that has experience in this area.”
The insurance industry itself is ramping up to understand and respond to cybercrime. “There are eight to 10 different parts of this coverage; the insurance industry is still trying to figure out the standards,” Cullina said.
Jerry Alderman, president of New England region property & casualty for New York-based Marsh & McLennan Agency LLC, noted that, for instance, just five years ago, cyber liability insurance did not include phishing. And, he said, homeowners insurance now may include cyber liability.
Another important protection may be business-interruption insurance. In case of a serious data breach, a company or part of it can go dark while data banks are locked up, or during the process of reporting and handling requirements of notification and compensation.
Getting properly insured is one piece of a company’s cyber program. Another is having a crisis-management team and response plan in place well before a criminal breach occurs.
“The day a breach happens, you are not going to get crisis-management professionals at a reasonable price,” said Alderman, whose firm has a Providence office.
Foster Freedman, who has worked closely with companies to respond to and manage cyberattacks, said the response team should include people from the C-suite, finance, HR, communications and the company’s privacy officer. A whole panoply of actions unfolds after a breach, including legally required reporting to governments (in Rhode Island, the attorney general) and to affected individuals, restoration of system operations or data, public information and fines.
How should a company respond to a criminal breach?
The first rule Foster Freedman emphasized was to not call an incident a criminal “breach” – a legally technical term – until it is determined to be so, in contrast to a simple, possibly in-house, accident or misdirection.
“You don’t have a breach until I say you have a breach,” she declared. “Call it an ‘incident.’ And don’t send email to each other except to say, ‘Meet me in the conference room.’” Next, she said, “get your lawyer involved,” keeping the conversation, at the start, under attorney-client privilege.
Foster Freedman and Cullina said companies should not respond to an apparent cyberattack by trying to do their own forensics. Call in the specialists.
“We have handled 4,500 breaches,” said Cullina. “By the time the company calls us, they have already done stuff. They could be messing up the evidence trying to do [forensics] on their own. It can end up snowballing into something worse.”
Panelists said there are 48 different state laws about cyberattacks in the United States, with variations among them. Rhode Island’s Identity Theft Protection Act of 2015 requires that a cybersecurity breach be reported to the state attorney general within 45 days of its discovery by the victim.
Alfred said victims should report the incident to his Joint Cyber Task Force, partly because the police may know how your attack might fit into other cybercrime on their radar.
Hovering over the discussion, of course, is the Cloud. Is your data safe in the Cloud? Is its safety your responsibility?
“We assume that Cloud vendors are safe and that they have secure protocols in place,” said Ziplow, whose company has a Cranston office. “The reality is, we don’t know. Ask your vendor about procedures. Evaluate various Cloud vendors.”
Foster Freedman added, “The data are still yours.”
Other advice includes always encrypting personal data; changing passwords and using phrases for passwords; getting rid of personal data your business doesn’t need to have, thus reducing your exposure; and maintaining privacy, such as confining a notification that you will be out of the office to internal networks.
Finally, bring employees up to speed with knowledge and sensitivity to the dangers. “Give them the chance to be responsible for your information,” said Foster Freedman. “No one wants to be the dumb one who clicked on the Chinese website.”