Cybersecurity is not only a concern for technology firms and giant corporations. Small and midsize companies with inadequate data protection are low-hanging fruit for ransomware attacks, in which hackers deny companies access to critical data and demand a payoff to restore it. And as virtually every industry relies on digital records, every industry makes a suitable target.
The Identity Theft Center found that while the number of publicly disclosed data breaches has dipped recently, the number of records exposed from those breaches jumped from about 198 million in 2017 to more than 446 million in 2018. And the business sector continues to bear the brunt. Regulatory bodies are just beginning to catch up, requiring firms to comply with an array of overlapping security standards. Just this year, New York’s passage of the Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, has brought new cybersecurity and disclosure responsibilities not only for New York businesses but for all businesses that retain the private information of state residents.
The issue goes beyond external hacks. Employees and other parties with legitimate access to your data can expose private information through simple error.
To better understand what businesses need to do to meet these evolving threats and obligations, Crain’s turned to experts in cybersecurity with experience working with clients in several different industries:
- Lena Licata, CISA, CISSP, director specializing in process, risk and technology solutions (PRTS) at EisnerAmper.
- Carl Oliveri, CPA, CCIFP, CFE, MBA, NYC market leader and construction practice leader at Grassi & Co.
- John Roman, Jr., CISSP, chief information officer of The Bonadio Group; president and chief operating officer at FoxPointe Solutions.
Crain’s: Industries that retain high volumes of personal data, such as retail, financial services and health care, often see the highest rates of cybercrimes. Do businesses in other industries really need to go to the same lengths to protect themselves?
Lena Licata: Every industry has information that they consider to be important. Intellectual property may not be regulated in the same way that retail, financial services or health care data is, but it doesn’t mean that the data being stolen, manipulated or made public wouldn’t hurt in the same or even more ways. Although direct harm is one way businesses can be exploited, reputational harm can often be even more painful, depending on the industry. Smaller, more niche industries may be most susceptible to reputational harm because relationships can be key to securing customers.
Carl Oliveri: Data security policies have long been guided by the CIA triad (confidentiality, integrity, availability). While not all industries deal with the same level of data confidentiality, they all need to worry about data availability. Cyberattacks are increasingly focused on any available data that a business can’t operate without—confidential or otherwise. By holding essential data “hostage” through ransomware, hackers can cripple a business and force submission to their demands. As someone who advises construction companies, I have seen the effects of that industry’s slow adoption of cybersecurity. While there is greater awareness now, the majority of contractors say data security is still inadequate at the job site itself, according to a construction industry survey Grassi just conducted.
Crain’s: In July, Gov. Andrew Cuomo signed the SHIELD Act, an extensive new data-breach law with major impacts on businesses in New York state and beyond. What are the implications?
Licata: The SHIELD Act is the latest in the stream of new privacy laws copying the European Union’s 2016 GDPR legislation, which became effective in 2018. There is a movement to shift the responsibility for the privacy of customer data from a sheet of paper into an actual obligation, complete with real fines and actions on the companies storing the information. The SHIELD Act modifies the scope of what is considered private information as well as what is considered a breach. It also requires companies to have reasonable safeguards for that private information.
John Roman, Jr.: The SHIELD Act imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. Among other rules, the law adds multiple requirements for protection of usernames, email addresses, passwords, biometrics and more for all residents of New York state providing their personal information to any U.S. business. The law also states that if an organization is required to report a regulatory breach of another rule (such as HIPAA and other laws), the breach must also be communicated to the attorney general within 10 days of reporting it to the required regulatory agency. Further legislation signed at the same time as SHIELD requires consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.
Crain’s: Who is impacted by the SHIELD Act, and what should they do to comply with the legislation?
Licata: Anyone who retains the private information of New York state residents is impacted by the SHIELD Act, not just companies that operate in New York state. This can be customer or employee data. In order to comply with the legislation, companies should understand their requirements under the law or partner with someone to help them attain that knowledge. They should then perform a risk assessment as to their current state of compliance and perform remediation to address the observations resulting from that review. Lastly, they should perform regular monitoring to ensure continued compliance.
Roman: One advantage in the SHIELD law is the provision that states if a business already complies with HIPAA, GLBA and 23 NYCRR 500, it may also already comply with this new legislation. Furthermore, it states that SHIELD can be applied to other data privacy/security laws and regulations. But be cautious—other standards (e.g., NIST, PCI DSS, ISO27001/2) are not specifically called out as being in compliance with the SHIELD Act.
Businesses should consult their IT staff and cybersecurity advisors to ensure they have a plan in place to address each aspect of the law before the deadline, keeping in mind any other legislation that requires their compliance (based on specific industry, location, etc.) in addition to the New York SHIELD Act.
Crain’s: What do Fortune 100 companies do regarding cyber readiness that middle-market companies can adopt right now?
Oliveri: We all know that middle-market companies are more limited by internal resources than large enterprises. But often they are limiting themselves needlessly in other ways. Because most middle-market companies are large enough to have an internal IT staff, overconfidence in the department’s abilities to detect and handle a cybersecurity incident can leave them unknowingly exposed. Businesses should have periodic third-party assessments of their cybersecurity resources to gauge their level of cyber readiness. Middle-market companies should also consider segregating the duties of their IT staff, with support services on one side and security responsibilities on the other. This approach can help the business identify skills gaps as well. In addition, there are affordable ways to make network monitoring more effective. Large corporations use SIEM (security information and event management) tools that help them detect and address potential threats far earlier, and these are available in a broad range of products today.
Licata: The first step in cyber readiness is a cyber-risk assessment. Fortune 100 companies perform an annual review of their IT environment against industry standards and create strategic plans to address those risks in their one-, three- and five-year plans. Another critical component to addressing cyber concerns is the human risk. Fortune 100 companies provide cyber training to employees in many ways. No longer a one-time activity, training prepares employees through regular communications, phishing tests and annual training modules. Preparing for cyber attacks is about creating a culture of security and not merely checking off compliance boxes.
Crain’s: How can companies protect themselves from vendors or subservice organizations that have weak controls?
Oliveri: One of the most commonly overlooked safeguards in dealing with vendors is properly managing and limiting access to accounts when the vendor or subservice organization is not onsite. Even Target was guilty of this in their major data breach, which was caused by a third-party HVAC provider accessing the retailer’s network. Many vendors—including HVAC, phone companies and printer and copy machine vendors—will need access to your network for troubleshooting purposes. But they do not need it on a daily or continuous basis. Disabling their accounts when the vendor is not onsite is an easy and cost-effective way to prevent major problems.
Licata: Outsourcing is incredibly convenient and all the craze. However, it also creates a lot of risk that needs to be mitigated. Once we hand our data over to another organization, we’re at the mercy of how they’re securing it, unless we perform the right due diligence and review. Risk mitigation begins during the vendor selection process, and the right to review a vendor’s controls should be in every contract a company signs. If the vendor cannot provide a third-party audit report of its controls, the company should perform either a risk assessment or direct audit of the security, infrastructure and backup for its data. When third-party audit reports are provided, they should be reviewed for control weaknesses and relevancy of scope covering their data. Any observations noted in either review should be discussed with the vendor, along with action plans to remediate those risks. Perform annual reviews to make sure the vendors’ controls remain effective.
Crain’s: When business owners think of cyber risks, they often go straight to attacks from hackers on the outside. What are some of the internal threats to cybersecurity, and how can businesses detect and prevent them?
Roman: Most business owners don’t realize that threats may come from inside the company—whether it be a malicious act by a disgruntled employee, customer, contractor or vendor, or a simple mistake by one of those parties that can compromise security or wipe out data. There are several ways to reduce internal threats. Education of employees related to the proper use of company computing and data, and their role in protecting these entities, is a must. Comprehensive policies instructing employees about the acceptable use of computing are also important; all employees must acknowledge the receipt of these policies. As part of this effort, every employee-related information technology policy should have a section outlining what may happen to an employee should they violate the rules. Finally, all contract employees and contractors/vendors should sign business associate or vendor agreements that hold them to the same data protection standards as full-time company employees.
Oliveri: The biggest internal threats to a business’s cybersecurity are employee behavior and lack of knowledge. By educating the employee base and monitoring their behavior, a business can help prevent breaches caused by innocent employee errors. Awareness programs, simulated phishing emails and remediation training are all services we provide to our clients who don’t have them in place already. Daily monitoring of login information is also important to detect suspicious activity, either conducted by an employee unknowingly or by an outside threat, such as a login from an unexpected foreign country. Role-based access to the network is another best practice. No one—including IT team members—should have any more access than is needed to perform their job functions.
Licata: Fostering a culture of security through regular training, notices, case studies and other scenarios can help prevent employees from falling victim to ransomware and other phishing scams. By limiting access to personal email, USB drives and online data-sharing sites, you can limit the ability to funnel data out of the company. There is also technology to set alerts on data files by type, size and recipient to help identify insider threats. Lastly, regularly update and socialize your incident response plans so that your internal team can investigate and remediate data leaks as soon as they occur.
Crain’s: Why is it important for an organization to create an incident response plan?
Oliveri: A formal incident response plan is important because it enables security measures to be rolled out immediately upon a security breach or cyberattack, regardless of whether the decision makers are available or reachable at the time. The plan will tell responders not only what actions to take to mitigate the damage of the attack, but also the thresholds at which other parties need to be notified. The severity of the data breach will determine whether or not outside parties—the authorities, insurance companies, clients—should be alerted. The incident response plan will spell this out.
Licata: You always hear “it’s not if, but when” an organization will experience some form of cyber incident. It could be as simple as an employee sending a file to the wrong recipient and not being able to retrieve it, or as complex as a massive data breach impacting thousands of customers. Either way, the ability to react quickly and effectively is key to remediating the event. Having an incident response plan will not solve every problem, but it will ensure that the company and key players are prepared and know a proven process to follow to quarantine or remediate an event. Testing and reviewing the plan annually will ensure that everyone understands the process and is ready to act when required.
Crain’s: What can members of the executive team do to get more engaged with the cybersecurity process?
Roman: From the side of the IT department, make sure the information you’re sharing is understandable across the board. Don’t “geek it up,” so to speak. You want the C-suite to understand the real business impacts of cybersecurity, so speak their language.
The goal here is to collaborate to define and implement a cybersecurity solution that provides the best return on protection (ROP) for your unique business needs. This requires regular face-to-face, unbiased and open communications between the IT team and executive leadership. One way of doing so is to build a cybersecurity steering committee with one senior management sponsor to represent the C-suite’s perspective.
Oliveri: The executive team needs to recognize that cybersecurity is a business issue, not a technology issue. We advise our clients to form a risk committee with representatives from each department. Not only will this committee be responsible for developing and evaluating the incident response plan, but it will also review any interruptions that arise, such as power outages or floods, and determine if the continuity controls were adequate. The committee also plays a proactive role in assessing new technology initiatives at the firm. HR plays an important role in cybersecurity as well—from employee training and regulatory control to policies and procedures.
Licata: The executive team should first ensure that IT security has a seat at the leadership table. They should be involved in strategic decisions to ensure that there isn’t an unnecessary security risk posed to the company from new initiatives. Secondly, critical company leadership should have a basic understanding of security risks and how the company is addressing them. Long gone are the days where management can just assume IT is doing its job. If management has outsourced IT security to a managed security firm, they should meet regularly with that firm to understand how they’re securing their data and discuss any unaddressed risks. I also recommend performing an independent review of any outsourced firms through a vulnerability or penetration scan to monitor performance.
Crain’s: How often should a company re-evaluate its cybersecurity tactics?
Oliveri: Our consulting group recommends an external evaluation by a third-party advisor every three years, and an internal “mini-assessment” annually. The external unbiased evaluation will allow for proper controls and accountability over the IT department, while the internal assessments will alert the risk committee to any new issues that arise over time. After an incident, a mini-assessment should be conducted by the risk committee around that incident and the vulnerabilities it exposed.
Licata: In order to create a culture of security, cyber risks and tactics should always be top of mind. That being said, evaluating how that culture is implemented should be reviewed through an annual risk assessment in addition to the organization’s one-, three- and five-year plans.
Crain’s: What do you expect to be the key cybersecurity issues in the next three to five years?
Roman: Increasingly over the next few years, artificial-intelligence-based systems will be used to filter, correlate and alert businesses to anomalies coming from the immense amount of data generated by system event logs, firewalls, intrusion prevention systems and more. Companies simply will not be able to hire enough information security personnel to review these logs effectively, especially as the average salary of cybersecurity professionals will be six figures. Additionally, the use of biometrics for access into systems will become the standard. One or two additional forms of authentication—such as a security code sent to a user’s phone or tablet—will be necessary to access both consumer-based and commercial financial systems.
Licata: Security is always evolving. With each new technology, we are both mitigating and creating new risks. I believe that the configurability of technology will be a key issue in the next few years. I think people underestimate the power and risk they have in moving to cloud technology. I’m also amazed at how the risk of identity access management has yet to be conquered by so many companies. I think we’ll continue to see breaches occurring as a result of too much or incorrect access being assigned to employees, consultants and vendors. I’m hopeful that the adoption of automation will assist in this risk and companies will allocate the correct budget to finally tackle logical security.
Oliveri: We believe cybersecurity threats will continue to advance in complexity and sophistication, similar to the Ryuk ransomware attacks that we are seeing now. More targeted and denial-of-service attacks are inevitable, especially as certain confidential data loses its appeal. Credit card numbers, for example, are changed regularly, impacting the longevity of that data’s usefulness. Companies will also be faced with increasing regulations. We would not be surprised to see the U.S. move toward regulations similar to the GDPR laws in Europe.