By Edward M. Stroz and Eric M. Friedberg
Businesses are showing a growing understanding that cyber attacks are not a matter of if, but when, and that the best defense is being prepared with a good offense. They need to think proactively about protecting customer information, and in turn their own corporate reputations, by treating cyber security as a process rather than a one-time product.
Having handled many cyber incidents, we have observed the following trends over the course of the last two years, and we expect them to continue in 2012:
Sophistication of cyber attacks: Most organizations’ digital assets are threatened not by individual rogue hackers, but sophisticated teams of experts with relevant specialties operating with stealth and military precision to carry out an attack. Many organizations still rely on the individual “jack-of-all-trades” defense strategy, and are thus dangerously exposed to sophisticated, team cyber attacks. Today, organizations can only counter cyber threats with their own team of skilled and seasoned experts.
Rising audacity of hackers: Response to cyber attacks is now a board-level issue requiring mitigation plans as well as crisis plans. This has been vividly proven by attacks on companies such as Sony, Lockheed Martin and RSA, which raised the specter of just how secure any form of digital security can be for anyone, and it has had a profound impact on corporate reputation.
The spring 2011 attack on Epsilon Data Management, the world’s largest permission-based email marketing provider, exposed email addresses at about 2 percent of Epsilon’s customers in several industries. One of the victims, a major pharmaceutical customer, disclosed that the breach exposed information about prescription and nonprescription drugs and products used by consumers registered on its websites. Following the initial attack, hackers created a phony website targeting the consumers affected by the breach and installing malware on their PCs.
Whether a cyber threat involves hacktivism, state-sponsored data theft, malware or another technique, businesses must treat cyber security as a process rather than a product, by doing the following:
In advance of an incident: Establish a data breach response plan and a response team with an up-to-date notification plan. Preparations should include necessary steps to take in the first 72 hours after an attack, and having a crisis communications plan in place.
In the event of an attack: Respond by changing all passwords, including administrative passwords, immediately; leave all computers powered on but disconnected from the Internet, if possible; and isolate and preserve all compromised systems and data using forensic methods.
After the incident: Conduct a post-mortem to learn from mistakes. Assess gaps in your response plan and train staff based on the event; stay current on changing threats and laws, and update all plans and training.
Cloud computing and corporate governance
The adoption of cloud computing – in which public and private providers host computer applications and data in different physical locations, accessed via a web browser – has caused much concern over perceived security shortcomings. However, much less attention has been paid to the more subtle implications of cloud computing on a company’s governance, risk management and compliance. These implications can significantly increase legal exposure for a company victimized by a data breach, as not every cloud vendor is structured to quickly determine where the servers housing the breached data are located, delaying the ability to investigate and appropriately respond. Legal teams shouldn’t wake up to these risks when there’s an incident, but become aware of such risks ahead of time so they can be prepared to respond. For example, in selecting a provider, a business should secure contractual rights to image entire servers, take backup tapes out of circulation or turn off auto-delete functions in the event of a data breach.
The cyber threat of ‘bad leavers’
Corporate downsizing due to economic challenges and sudden changes in the workplace (such as mergers and takeovers) can trigger discontent that can transform otherwise happy and productive employees into potential “bad leavers,” a 21st-century phenomenon. Good workers can go bad when they feel devalued, left out of a financial windfall or otherwise disenfranchised. When a network administrator for the city of San Francisco became disenchanted in 2008 after being disciplined for poor job performance, and was unhappy with the management of his department, he “engineered a tracing system to monitor what other administrators were saying and doing related to his personnel case,” according to an article on SFGate.com, and set network devices that could erase vital configuration data with a single command. When it was time to let him go, for almost two weeks he held the network hostage until finally, after being arrested, he turned the passwords over – illustrating the massive damage that one employee can cause.
Bad leavers can destroy or alter critical evidence, plant forged documents on a server, or walk out with proprietary documents and trade secrets on a small external storage device. But while technology has certainly empowered bad leavers, technology can also contribute exponentially to their downfall. Combating this epidemic requires a thoughtful and deliberate plan, designed to pre-empt, counteract and remediate bad leaver situations. One innovative new methodology Stroz Friedberg sees gaining favor is a behavioral sciences approach that provides a psycholinguistic analysis of a subject’s emotional state, personality and risk, while tracking changes over time.
New SEC guidelines for disclosure
In October, the U.S. Securities and Exchange Commission released its first-ever staff guidance pertaining exclusively to the cyber security-related disclosure obligations of public companies. This development will prompt many, if not all, of the several hundred largest companies to start opening up about what they have lost and what they stand to lose. We believe that disclosure obligations related to a cyber attack are a far cry from the usual triggering events that prompt reporting obligations of today’s public companies.
Assessing and solving any cybercrime can necessitate a significant level of expertise that many public corporations simply might not have. The SEC’s guidance dovetails with the recent whistleblower provisions within the Dodd-Frank Wall Street Reform and Consumer Protection Act, which reward informants who provide certain types of information leading to successful securities actions, including failure to disclose actions, with between 10 and 30 percent of any recovery over $1 million. The result: public companies that may have previously believed they were not at risk for cyber attacks are now running a higher risk than ever before.
For a public company to effectively respond to a data breach, its technical incident response team should take five separate actions: prepare a full response plan; preserve any evidence of the breach while swapping in clean machines; execute an immediate digital forensic assessment; identify key compromised data; and notify and report to multiple parties, not just the SEC – including contracting parties, victims, credit reporting agencies, government agencies, even the media.
New technologies for discovery
For legal counsel facing an explosion of data and growing complexity in cases, saving time and money in the discovery process is essential to success. One such technology, known as predictive coding, takes a random sample of a large quantity of data for review; software then codes the subset and applies that coding to the entire collection of data. This algorithmic process provides the opportunity to make judgments without reviewing the entire data set. The result can be explained and verified in court, and it is not considered a black box technology. The well-known Pension Fund case, which found that data was not properly preserved, is an example of a case where analytics would have been beneficial in determining who was involved and who was missing. This directly points to risk reduction and what data needs to be preserved.
‘BYOD’ – Bring Your Own Device
The “consumerization of IT” – the desire of consumers for the simple, easy-to-use devices, software and services they use in their personal lives to be part of the business enterprise’s communications and computing platform – is now one of the top three drivers of cyber security, resulting in new challenges for IT in securing these endpoints as well as the corporate enterprise.
Companies often are required to search their data for relevant documents as part of the discovery process in litigation. With BYOD policies, identifying the relevant data may not be as straightforward. For example, in addition to documents stored on computers, email, and file servers, employees may have notes stored on their iPads or other tablet devices. It may be necessary to use specialized software or employ assistance from digital forensic consultants to preserve data from mobile phones or tablet devices, particularly if employees choose sophisticated smartphones. While documents stored on a hard drive may be secured by encryption and security software, it is possible that copies of documents stored on a mobile phone may only be protected by a simple four-digit combination – or not at all.
With the growing adoption of BYOD policies, vendors are starting to offer solutions for securing mobile devices or creating protected areas on the devices where company data will be stored.
We hope this article will raise important questions and stimulate dialogue around complex digital risk and investigative issues. We would welcome the opportunity to discuss these trends and their implications for your business in greater detail.
Edward M. Stroz and Eric M. Friedberg are co-presidents of Stroz Friedberg, a global digital risk management and investigations firm.