Cybersecurity Threats—And What to do About Them

11/13/2017
It had been months since a data breach had consumed the news when Equifax burst on the scene in September, announcing that hackers may have accessed information on 145 million Americans. The absence of a large retail breach like Target or Home Depot doesn’t mean the threats have subsided, however. If anything, 2017 has shown how crucial cybersecurity preparedness can be.

A constant drumbeat of targeted but smaller attacks dominated much of 2017. The year started — as each year seems to — with a wave of tax-related phishing attacks. Attackers “spoofed” the email of a C-level executive, requesting that a front-line HR or finance employee immediately provide sensitive employee information, such as W-2 data.

When the unwitting employee replied, the phisher obtained the information necessary to file fraudulent tax returns, a highly profitable fraud that is difficult to catch and causes considerable headaches for victims. In only the second year of widespread attacks, nearly 1,000 organizations reported to the IRS that they had received scam emails this year, 200 of which disclosed data to the scammers. These attacks hit all kinds of organizations, but retailers present particularly attractive targets because of their large, geographically dispersed workforces.
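The spoofed-executive W-2 requests described above combine two signals that a mail gateway or SOC triage rule can check for together: an impersonation indicator (an executive's display name on an address that is not theirs, a look-alike sender domain, or a Reply-To that diverts replies elsewhere) and a request for payroll data. The following Python is an added example written for this page, not code from the article or from Perkins Coie; the company domain, executive roster, and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the company's mail domain and the
# executives most likely to be impersonated, with their genuine addresses.
COMPANY_DOMAIN = "example-retail.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-retail.com",  # hypothetical CEO
    "john roe": "john.roe@example-retail.com",  # hypothetical CFO
}

# Terms that signal a request for the kind of data the tax-season scams ask for.
SENSITIVE_REQUEST = re.compile(r"\b(w-?2s?|payroll|social security|ssns?)\b", re.IGNORECASE)
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|asap|right away)\b", re.IGNORECASE)

# Digits commonly swapped for letters in look-alike domains; normalised before comparing.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def looks_alike(domain: str) -> bool:
    """True if domain is not the company domain but normalises to it (e.g. examp1e-retail.com)."""
    return domain != COMPANY_DOMAIN and domain.translate(HOMOGLYPHS) == COMPANY_DOMAIN


def assess_message(raw: str) -> dict:
    """Score one RFC 822 message for an executive-impersonation data request.

    The verdict requires BOTH an impersonation indicator and a sensitive-data
    request, so a genuine payroll notice that mentions W-2s, or an executive's
    real mail, is not flagged on its own.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_domain = addr.rpartition("@")[2]
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.lower().rpartition("@")[2]
    body = msg.get_payload()

    impersonation = []
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        impersonation.append("executive display name with non-matching address")
    if looks_alike(from_domain):
        impersonation.append("look-alike sender domain")
    if reply_domain and reply_domain != from_domain:
        impersonation.append("Reply-To diverts replies to another domain")

    request = []
    if SENSITIVE_REQUEST.search(body):
        request.append("asks for W-2/payroll/SSN data")
    if URGENCY.search(body):
        request.append("pressures for immediate action")

    suspicious = bool(impersonation) and "asks for W-2/payroll/SSN data" in request
    return {"suspicious": suspicious, "indicators": impersonation + request}


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@examp1e-retail.com>
To: hr@example-retail.com
Subject: W-2s needed

I need the W-2s for all employees sent to me immediately. Thanks, Jane
"""

LEGIT = """From: Jane Doe <jane.doe@example-retail.com>
To: hr@example-retail.com
Subject: Headcount

Please send me the headcount report when you have a moment.
"""

VENDOR_NOTICE = """From: Payroll Notices <notices@payroll-vendor.example>
To: hr@example-retail.com
Subject: W-2 forms are now available

W-2 forms for 2016 are available in the portal.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED), ("legit", LEGIT), ("vendor", VENDOR_NOTICE)]:
        print(label, assess_message(sample))
```

The rule deliberately does not flag on the data request alone: HR legitimately receives W-2 mail from payroll providers, and a rule that fires on every mention of "W-2" would be tuned out within a week. Pairing the request with an impersonation indicator keeps the alert actionable, and the indicators list tells the analyst which check fired.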

Skimmers — devices or malware placed on or in a POS device — have also increased in scope and sophistication over the past year. After rising 30% in 2016, reports of compromised POS devices rose another 21% in 2017. Installing (and requiring customers to use) chip readers helps, but retailers should also train employees to spot skimmers and anomalous payment activity that could signal skimmer installation.

These data breaches might have been prevented or avoided had the victim companies taken basic steps to secure their systems and to respond effectively to the discovery of an incident, by training employees, implementing written procedures requiring safeguards for the disclosure of sensitive information, managing patches and updates, and exercising incident response capabilities. These same steps might have prevented or contained Equifax’s breach.

Equifax has said it failed to patch a known vulnerability after its process for tracking and confirming patches broke down. After discovering the breach, Equifax did not notify the public for nearly six weeks, and the eventual disclosure was fraught with errors and confusion. Equifax’s errors will likely cost it hundreds of millions of dollars (not including the $4 billion drop in market cap) and disrupt its business for years. Just this year, several past data breach victims have entered into large settlement agreements relating to breaches years ago, including Target ($18 million to settle with state attorneys general, added to over $290 million in costs previously reported related to its Christmas 2013 breach), Home Depot ($25 million to settle a suit with financial institutions over its 2014 breach, in addition to $154 million in other settlements), and Anthem ($115 million to settle class action claims stemming from its 2015 breach).

Cyberattacks can’t be entirely avoided, but careful preparation and effective data security can lower the likelihood of a successful attack, improve the response, and lower the resulting costs. Covering the fundamentals is essential.

• A documented, company-wide security program. Designate a responsible official and develop policies addressing crucial security issues faced by your company. Train employees regularly on emerging threats, develop procedures for regularly identifying and remedying vulnerabilities, and establish — and exercise — an incident response plan. These measures protect companies not only from breach, but also from the wrath of regulators and the public who have (understandably) grown to expect companies to implement them. Recent regulatory settlements with Target and Home Depot require them to adopt written information security programs in addition to paying fines.

• Vendor and service provider security. Retailers increasingly rely upon vendors, embedded third party applications and technologies, and cloud services to process or host their most sensitive data, including payment and payroll information. To effectively address this risk, retailers should ensure that the relevant contracts appropriately allocate security-related risks and obligations and conduct appropriate due diligence regarding vendor and service provider security practices.

• Cybersecurity Insurance. Retailers face increasingly diverse, sophisticated, and well-resourced threat actors. Even the most developed cybersecurity program may not stop them all. Retailers should manage their risk with effective cybersecurity insurance coverage, relying on the advice of experienced counsel to identify the pitfalls and exceptions present in many cybersecurity policies.

These basic steps can help your company manage the risk associated with cybersecurity threats. Companies that start early, keep improving, and get help where they need it are best positioned to withstand new threats — and the old ones, too.

Todd Hinnen is a partner at Perkins Coie, which has offices across the U.S. and Asia, and provides a full array of corporate, commercial litigation and intellectual property legal services to a broad range of clients. Amelia Gerlicher is a counsel at the firm.
