Lessons Learned from Cyber Incidents in 2016 (article)


Cybersecurity incidents in 2016 can provide best practices for information security.

Throughout 2016, many organizations have fallen victim to sophisticated cyberattacks. According to the Identity Theft Resource Center, more than 35 million records have been exposed from 957 reported breaches as of December 2016. Examining the shortcomings that resulted in high-profile cyber breaches can teach several cybersecurity lessons.

Wendy's

The Attack: In early 2016, the popular fast food chain Wendy’s began investigating claims of unusual activity on customers’ credit or debit cards at some of their locations. Initial reports indicated that payment cards used legitimately at Wendy’s may have been used fraudulently elsewhere. After several months of investigation, the Company announced that malware had been discovered on the point of sale (POS) systems of several hundred franchise locations. Many franchisees contract with third-party service providers to maintain their POS systems, and Wendy’s believes that the cybersecurity attacks resulted from remote access credentials being compromised on their vendors’ end.

Key Takeaways: Large corporations that operate multiple independent stores or franchises need to establish a baseline framework of data security guidelines that can be implemented at the individual store level. Standardizing your security strategy across all locations and training each member of the management team on these procedures protects both your brand and franchisees. Your corporate brand is protected from breaches that occur because of weak infrastructure at the store level, and the franchisee is protected from liability if a breach occurs on their end. Remember that your cybersecurity program is only as strong as the third-party vendors on which you rely. Require that each of your third-party providers meets your defined minimum security standards, such as maintaining up-to-date virus detection software, standard device configurations or user training best practices. Have each provider share their cybersecurity strategy with you so that you can evaluate whether their standards meet or exceed your expectations.

Snapchat

The Attack: In the spring of 2016, Snapchat, an image messaging mobile application, was the victim of a phishing scam. Hackers posing as the CEO convinced an employee to email them the personal information of about 700 current and former employees of the organization. The hackers received W-2 tax form data, which included employee names, Social Security numbers, wages, stock-option gains and benefits. Shortly after the information was released, the employee realized that the original request was not legitimate. Everyone affected by the scam was quickly notified and offered free credit monitoring and identity theft insurance.

Key Takeaways: Regardless of how strong your company’s security program is, you are still vulnerable to incidents that result from human error. According to Verizon’s 2016 Data Breach Investigations Report, human error remains the leading cause of cyber incidents, and these situations often result from an end user’s failure to follow policies and procedures. Every employee poses a risk, so training each individual is a critical element of cybersecurity. Employees need to understand how to identify risks and know the appropriate individuals or departments to which they should report findings. In addition, every employee should be taught best practices, like how to create stronger passwords or how to spot suspicious emails, so that they can use good judgement when online.

Premier Healthcare

The Attack: Premier Healthcare, a multispecialty healthcare provider, was breached in spring 2016 after a laptop computer was stolen from the billing department of their headquarters. The electronic protected health information (ePHI) that could have been accessed from the single laptop could affect roughly 200,000 patients. The laptop was password-protected but not encrypted. Employees reported the stolen laptop as soon as they realized it was missing, and the company took a number of steps to locate the laptop and identify the thief.

Key Takeaways: A breach may not always take the form of a digital attack. Companies should prepare for the possibility that an unauthorized user may attempt to access confidential information directly from company-owned devices. In addition to protecting the device with a password, companies should encrypt data that contains personally-identifiable or protected health information in order to reduce their data security risks. Encrypting files requires a user to have access to an additional secret key or password to decrypt the data in order to read the file. Companies may also want to consider software that would allow them to wipe the laptop remotely or automatically after unauthorized attempts to access have been identified.

Yahoo

The Attack: In September 2016, the search engine and email hosting company Yahoo confirmed that a breach occurring in 2014 resulted in stolen personal information from at least 500 million user accounts. Stolen information was believed to include names, email addresses, telephone numbers, passwords and in certain cases, security questions and answers. The company urged users to change their password and security questions, but stated that they did not believe any financial data were compromised in the attack.

Key Takeaways: When a personal email account is compromised, hackers have the ability to not only access information directly affiliated with that account, but also to reset the password for any associated accounts, like a bank account or online subscription. It is important that confidential company information is never accessed or transmitted using a personal email account. Online subscriptions or accounts should always be set up by employees using a work email address and should not include any secondary personal email accounts, even as a backup. Instruct your employees to use different passwords for their corporate accounts than the ones they use for personal accounts.

Dyn

The Attack: Dyn, a cloud-based company that manages website domains and routes internet traffic, was the victim of a distributed denial-of-service (DDoS) attack in October 2016. The attack attempted to flood websites with traffic so that it would impair normal service. The result was a massive outage that primarily affected the eastern United States, taking down a number of popular websites like Twitter, Spotify and Netflix. Representatives from Dyn stated that the attacks were well executed, but engineers at the company were ultimately able to mitigate each attack and restore service.

Key Takeaways: Designing and implementing an incident response strategy is a critical component of any cybersecurity program. Your strategy should consider the constant changes to the cyber risk landscape. Focusing too narrowly on specific incidents could hinder your company’s ability to respond. Including recovery steps for all possible scenarios likely will result in a complex document that isn’t practical when employees need to act quickly. The key to a strong incident response strategy is not to over-complicate the context. Your strategy should account for places, people, procedures and communications, and it should be able to work in multiple situations. Given the nature and impact of the Dyn attack, companies should ensure their incident response strategies include steps to maintain operations and communications should Internet access be disrupted.

For More Information

Having a proactive and robust cybersecurity strategy that is clearly communicated across your organization is your company’s best defense against cyber-attacks. If you have any specific questions, comments or concerns about your company’s cybersecurity strategy, please contact a CBIZ Risk & Advisory specialist.


Copyright © 2016, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.


Reviewing the major information security incidents in 2016 can provide best practices for shoring up cybersecurity protocol. (2016-12-14T13:29:00-05:00)