Lessons Learned from Cyber Incidents in 2018 (article)
By 2018 cybersecurity is no longer a new topic. Although most organizations understand the basics, the number of reported incidents has kept increasing year over year. According to the Identity Theft Resource Center, the number of U.S. data breaches hit a record high in 2017 with a total of 1,579 breaches, a 44.7 percent increase over the record set in 2016. In 2018, 864 breaches had been reported as of September 5, with an estimated 34,174,633 records exposed. As technology continues to advance, the need to evolve existing cybersecurity strategies is as pressing as ever. Examining the shortcomings behind high-profile breaches can teach several cybersecurity lessons.
Early in 2018, security journalist Brian Krebs reported that Panera Bread, an American fast casual restaurant chain, had been leaking millions of customer records captured when individuals registered for an account to place orders online. Krebs received a tip from security researcher Dylan Houlihan, who had discovered that Panera's website returned customer data in plain text, including names, email addresses, birthdates, and the last four digits of payment card numbers, to anyone who requested it, without requiring a login. Houlihan had first reported the vulnerability directly to Panera's information security team in August 2017; the company dismissed his report as a scam. The story broke eight months after that initial tip, at which point Panera took the site offline for a period to fix the issue. An estimated 37 million customer records were exposed by the weakness.
Most organizations recognize the importance of having a cybersecurity strategy. Panera had an entire department dedicated to it. The incident shows that having security staff and controls in place is not enough if those controls fail to work in practice: an outside report of the flaw was dismissed, and the vulnerable endpoint stayed live for eight months. Building security reviews and testing into your software development lifecycle improves your development team's security awareness and reduces the risk of a web application going live with critical vulnerabilities. Make sure there is also a working, well-publicized path for outside researchers to report vulnerabilities, and that reports reaching it are triaged rather than discarded.
Using a third party to conduct your testing takes this a step further and can uncover shortcomings that are not obvious to your own development or security team. A third party can also help create a specific remediation plan for any gaps identified. At a minimum, your organization should plan to test internal and external facing applications regularly, at a cadence that keeps pace with attacker sophistication and with changes to the applications themselves.
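The failure mode described in the Panera incident above, and the kind of automated check the security testing recommended here would add to a release pipeline, as an added illustration that is not Panera's code and not from this article: a customer lookup endpoint that hands back any record to anyone (which an attacker enumerates by walking the ID space), the same endpoint hardened to require a session and an ownership check, and a regression check that fails the vulnerable version and passes the hardened one. All customers, tokens, and function names are constructed for the example.

```python
"""Vulnerable vs. hardened customer-lookup endpoint, plus an SDLC security check.

Added example. The records, session store, and function names below are
constructed for illustration; nothing here is Panera's code or data.
"""
import secrets

# Constructed sample records (hypothetical customers, fake card digits).
CUSTOMERS = {
    1001: {"name": "Ada Lovelace", "email": "ada@example.com",
           "birthdate": "1985-12-10", "card_last4": "4242"},
    1002: {"name": "Grace Hopper", "email": "grace@example.com",
           "birthdate": "1990-12-09", "card_last4": "1881"},
    1003: {"name": "Alan Turing", "email": "alan@example.com",
           "birthdate": "1988-06-23", "card_last4": "0005"},
}

# Hypothetical session store: token -> customer_id of the logged-in user.
SESSIONS = {}


def login(customer_id):
    """Issue a random session token for a customer (stand-in for real auth)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = customer_id
    return token


# --- Vulnerable: no authentication, no ownership check -----------------------
def lookup_customer_vulnerable(customer_id):
    """Return the full record for any numeric ID. Anyone can call this."""
    return CUSTOMERS.get(customer_id)


def enumerate_customers(start, end):
    """What an attacker does against the vulnerable endpoint: walk the ID space
    and collect every record that comes back."""
    leaked = {}
    for cid in range(start, end + 1):
        rec = lookup_customer_vulnerable(cid)
        if rec is not None:
            leaked[cid] = rec
    return leaked


# --- Hardened: session required, caller may only read their own record -------
class Unauthorized(Exception):
    pass


def lookup_customer_hardened(session_token, customer_id):
    """Require a valid session that belongs to the requested customer.

    Missing session, wrong owner, and unknown ID all raise the same error so
    the endpoint does not reveal which IDs exist. Only the fields the account
    page needs are returned.
    """
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None or owner != customer_id:
        raise Unauthorized("not permitted")
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        raise Unauthorized("not permitted")
    return {"name": rec["name"], "email": rec["email"],
            "card_last4": rec["card_last4"]}


def is_denied(session_token, customer_id):
    """True if the hardened endpoint refuses this request."""
    try:
        lookup_customer_hardened(session_token, customer_id)
    except Unauthorized:
        return True
    return False


def security_regression_check(lookup):
    """The check a security review would add to the pipeline.

    `lookup(session_token, customer_id)` must refuse an anonymous request and a
    request using another customer's session, and must still serve the owner.
    Returns True only if all three hold.
    """
    victim, attacker = 1001, 1002
    attacker_token = login(attacker)
    for token in (None, attacker_token):
        try:
            lookup(token, victim)
        except Unauthorized:
            continue
        return False          # record was handed out: fail the build
    try:
        lookup(login(victim), victim)
    except Unauthorized:
        return False          # owner locked out: also a defect
    return True


if __name__ == "__main__":
    print("attacker harvested:", len(enumerate_customers(1000, 1010)), "records")
    print("vulnerable passes check:",
          security_regression_check(lambda t, c: lookup_customer_vulnerable(c)))
    print("hardened passes check:",
          security_regression_check(lookup_customer_hardened))
```

The regression check is deliberately written against the endpoint's behaviour rather than its code, so the same check can be pointed at the deployed application during third-party testing; the positive case (the owner can still read) is included so that an endpoint which simply refuses everyone does not pass.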
Delta Air Lines outsources components of its customer service engine to [24]7.ai, an online chat services platform that lets businesses interact with their customers. When [24]7.ai alerted Delta that it had suffered a data breach, Delta had to notify thousands of customers that their sensitive information had been exposed. Customer payment information may have been accessed, but Delta assured customers that personal information such as passport, government ID, and SkyMiles details was not affected. Retailers Best Buy and Sears Holdings Corporation later announced that their customers may also have been affected by the same breach.
Your cybersecurity strategy is only as strong as the third-party vendors on which you rely. Although the breach itself occurred on [24]7.ai's side, it is the responsibility of the companies using the service to ensure that [24]7.ai's security controls meet or exceed their own standards. Work with each of your third-party providers to understand their security practices. Depending on your customer base and the types of data you collect and maintain, you should consider working with vendors that have had a SOC 2, Type 2 report performed by a licensed CPA firm, are ISO 27001 certified, are PCI DSS and HIPAA compliant, or are HITRUST certified. Bear in mind that each of these attests to a defined scope at a point in time, so confirm that the scope actually covers the service you consume. Your customers trust you with their sensitive information. You can delegate duties to outside vendors, but you cannot delegate the responsibility for securing your customers' information.
In late 2015, hundreds of thousands of Facebook platform users were paid a fee to take a personality test through an integrated app called "thisisyourdigitallife". The app was built by Aleksandr Kogan, an academic at the University of Cambridge, who said its purpose was psychology research. The test collected information from opted-in users, such as the city they lived in and the content they interacted with. It also harvested the same information from friends of those users whose privacy settings allowed it, people who had never opted in themselves. The data gathered by the app was then shared with Cambridge Analytica, a political consulting firm that performed analysis for the Ted Cruz and Donald Trump presidential campaigns as well as organizations such as Leave.EU, and which mined the data to profile voter personalities and influence behavior. This sharing breached Facebook's platform policies. Once alerted, the social networking giant admitted to users that their information may have been compromised. Facebook was criticized, however, for taking only limited steps to secure the data and to ensure that the leaked information was destroyed. An estimated 87 million Facebook users around the world were affected.
In today's digital world, organizations thrive on their ability to collect, manipulate, and ultimately monetize data. When customers hand their sensitive information to you, they trust that your organization has the procedures and controls in place to protect it. In Facebook's case, platform policies existed, but they were violated by a partner application, and a policy that is not enforced by controls and monitoring does not protect anyone. The incident highlights the importance of having incident response and crisis communication plans in place for the moment a policy fails.
Your cybersecurity strategy should account for the reality that something will likely happen to your organization and include steps to maintain operations when it does. Important components of an incident response plan are the key individuals and their roles, the steps to respond to and recover from the incident, and a communications protocol. Communications, both internal and external, are critical. Employees will need to know how the incident affects their work, and customers and stakeholders will want to know how it affects their information. Take into consideration any breach notification obligations that may apply as well.
Consider covering yourself further with a cyber liability insurance policy. These policies address two critical risks: first, the liability your business faces if sensitive client or employee information is compromised, and second, the substantial costs that follow a breach, including notifying clients, credit monitoring, fines, legal fees, and forensics. The average cost per stolen record can run anywhere from $158 to $355 depending on the industry. Your policy should work as an extension of your incident response plan, not as a replacement for it.
Having a proactive and robust cybersecurity strategy that is clearly communicated across your organization is your company’s best defense against cyber attacks. If you have any specific questions, comments or concerns about your company’s cybersecurity strategy, please contact a CBIZ Risk & Advisory specialist.
Copyright © 2018, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).