Earlier this week, I ventured to Carefree, Arizona, to learn more about the state of cybersecurity at the IDT911 Privacy Xchange Forum.
My trip seemed fitting, as October is National Cybersecurity Awareness Month, and lately, I find myself inundated with more and more news of hacks and breaches, whether at medical institutions or more notably, during this year’s election cycle.
While some are tired of the constant cyberattack chatter, I’m not. A small part of me not-so-secretly hums the “Mission Impossible” tune as I plug USB drives into one computer and share files on another, all while wishing I could be as cool as Lisbeth Salander.
Alas, I am not the Girl With The Dragon Tattoo. Instead, I’m the person curious why cyberattacks can dominate our news feeds, overtake our important data, and yet no one in the benefits industry is talking about this issue as much as they should be.
While cybersecurity should be every broker’s, benefits manager’s, and employer’s concern, as we get closer to open enrollment, we must worry even more about the protection of sensitive information. Although benefits selection has become simpler thanks to technology, it’s that same technology that puts us at greater risk.
So, here are a few things I learned this week about how we got here and what we can do about it.
The dawn of today’s hacking
In the opening session of IDT911’s Privacy Xchange Forum, Joel Brenner, former senior counsel at NSA, mused that espionage is one of the oldest professional businesses, but this ancient job has gone from “resale to wholesale.”
The focus has shifted to the hacking of the private sector, but it wasn’t always that way.
During the Gulf War, many were worried about how the land war would be fought by Americans — while it was clear what would be happening in the air, the same couldn’t be said for foot soldiers.
However, information was exchanged between satellites, empowering American troops to gain an almost clear view of the battlefield, giving them the leg up on adversaries.
Brenner said the Chinese and Russian governments realized that if, in addition to its financial power, the U.S. could use this “magic” to win a war, there was little way to defeat it, either in battle or in any other meaningful geopolitical space.
“That’s why people are targeting American intellectual property today,” Brenner said.
Is ransomware changing the hacking game, or is it just another domino?
During a session titled “How to Evaluate Risk From the Inside Out,” Tim Francis, cyber lead at Travelers, and Graeme Newman from CFC Underwriting, tackled some of the changes we’ve seen in cyberattacks lately. They kicked it off with a popular worry: ransomware.
“Back in the day, extortion was going to be a disgruntled employee, someone close to the company,” Francis said. “It used to be infrequent and pretty much a ‘non-thing.’”
But now, angry ex-employees aren’t the ones stealing a company’s data; it’s an entire business model that looks eerily similar to how most “legitimate” organizations are run. That’s because ransomware hackers believe what they are doing is a legitimate business, says Lance James, chief scientist at Flashpoint and cyber intelligence advisor. (“Remove the kingpin, put in a CEO, and you have the same outsourcing model most companies do.”)
Newman said ransomware was the leading cause of cyberinsurance claims last year, with 1 in 4 or 5 clients experiencing it, but not everyone admitting it.
Why? Because having your company’s data (and potentially your clients’ data) compromised is damaging to an organization’s brand, and paying the ransom can be relatively cheap compared with getting authorities and regulators involved.
In fact, James says most ransomware hackers take home $7,500 a month from their endeavors; that’s a drop in the bucket compared to some fines and costs organizations can accrue following a hack.
Just look at the case of WellPoint: It was issued a $2 million fine after a breach exposed over 600,000 people’s health information, but the costs associated with the hack skyrocketed to over $142 million after legal actions, recovery, new security investments, and extended protections for victims were put in place.
James singled out the hacks of website Ashley Madison and the emails of Hillary Clinton’s campaign chairman John Podesta, asking: “Wouldn’t they have rather paid the ransom than have those hacks go through?” Maybe WellPoint would’ve liked that option, too …
While Francis noted that ransomware will “get out of hand” in the coming years, Newman said he thinks 2015 and 2016 were the height of hackers holding information hostage. “Ransomware is just easy,” he said. “I would almost guarantee that next year we won’t be talking about ransomware, we’ll be talking about something else.”
For James, though, ransomware isn’t the problem, it’s just a symptom of something bigger. “It’s not necessarily about if it’s going to get worse or better next year.”
If you’re taking this as a suggestion to try to mitigate a ransomware hack on your own, don’t. First, there is no guarantee that your files will be returned if you pay the ransom. Second, even if you get your data back, there is no guarantee it hasn’t already been copied, downloaded, shared, or compromised. Third, hackers are smart. Are you sure there isn’t any malware still lingering on your systems?
There is a silver lining though: James says the Russians believe there is something “intellectual” about hacking and don’t believe in doing it for money, so they won’t be the ones holding your company and employee data for ransom.
The C-suite is to blame
One resounding theme of the conference was accountability. When hacks happen, when breaches compromise data, when lives are put at risk — who is to blame? Hint: It’s not your IT team.
As vArmour Vice President Keith Stewart said in our article on health care hacking, security is a “board room conversation.” That sentiment was echoed throughout the conference, starting with Brenner.
“Network security is not even mostly an IT issue,” he said. “Sure, there are important issues dealing with IT, but it’s at most a governance issue.”
Brenner was quick to point out the gripes of some business teams, which often result in shifting responsibility across the board without anyone truly owning security measures:
Legal says security is a technical issue
CIOs and CTOs say it’s an employee issue
Management says it’s a technical and legal issue
HR says security is “trouble” and “our job is to avoid trouble”
“Operations management, IT, legal, and HR all need to work together, and someone at the C-suite level needs to work with these four groups to make them all understand that security is a high-level corporate problem.”
Adam Levin, chairman and founder of IDT911, weighed in further.
“Some of the most dangerous words from IT can be, ‘We got this,’” he said. “The C-suite doesn’t think cybersecurity is really a problem yet. My friend calls it ‘asleep at the laptop.’”
Levin says when it comes down to it, cybersecurity in the office is a culture issue. It’s imperative that companies operate in a culture that reverberates from the mail room to the board room, with C-suite players being the ones taking ownership.
The “Services in Action” session illustrated this with a cautionary tale about a targeted IDT911 client: a spear-phishing scam led the head of HR to send every employee’s W-2 to what he believed was the CFO’s email address. Levin said this reflects a culture problem in which employees don’t feel able to second-guess orders from their higher-ups.
The employee in the session’s anecdote was a case in point: apparently, he felt he was supposed to follow orders rather than question a superior.
“There needs to be a culture shift,” Levin said. “The buck stops with the C-suite.”
“It won’t happen to us”
You’re wrong. It will happen to you.
“Every company will be breached — every customer will suffer some type of identity theft over the next few years,” said Levin.
Smaller companies often operate under a veil of ignorance, believing they aren’t coveted “gets” for hackers, but that couldn’t be further from the truth.
“Small companies are delicious targets because they probably aren’t protecting their systems, and by virtue of their relationship as a vendor, they can be a gateway into a large company,” Levin said.
Don’t think that could be you? I’m sure Target didn’t think its now-infamous breach would come at the hands of its HVAC vendor, either.
“You are your vendor,” Levin said, as he made the call for all companies to demand stringent privacy protocols from everyone they do business with.
Even if your small- to medium-sized business doesn’t have major clients, it’s naïve to think you’re safe for that reason alone.
“Small businesses will be a big target, especially as larger companies tighten security measures,” Levin said.
According to a recent Bloomberg article, the idea that “it won’t happen to me” sets a dangerous precedent. While hacking has certainly made its share of headlines this year, it still seems as though no one is really ready to change behaviors that leave them susceptible to a breach. Yes, Americans are worried about the (very real) possibility of losing their and others’ data, but if we aren’t willing to change, where does that leave us?
So, what do we do?
First, accept your fate. According to Brenner, there is no such thing as total security; it’s just a matter of deciding how much risk is acceptable (a decision that should be made by the C-suite, not your IT department).
“Figure out what information is critical to protect, and remember that you cannot protect everything,” he said. “If you try, you’ll protect everything poorly.”
Brenner also said it’s important to get a clear understanding of who has access to your systems. That might be difficult, considering so many workforces are now mobile, meaning employees might be working on shared devices or saving passwords automatically rather than entering them at every login (two faults I’m guilty of myself).
In this vein, he talked about what he calls the “Private Manning Problem,” referencing Private Chelsea Manning’s disclosure of nearly one million sensitive military documents to WikiLeaks.
“Why do low-level employees have access to important information?” According to Brenner, there need to be limits on what information certain employees can access. “There is no reason someone in the mail room should have the same clearance as higher-level employees.”
He also suggests avoiding unnecessary collection of personal information.
“Personally identifiable information is a big get,” he said. “Don’t take more than you need, get rid of it when you stop needing it, and remember there are penalties for losing it.”
Chad Gray, senior director of business development and employee benefits at IDT911, says education and being proactive can make a world of difference when it comes to protecting your company, your employees, and your clients.
First, he proposes better training for employees on how to avoid cyber pitfalls by making security training a part of the employee onboarding process.
“Offer a phishing seminar or cyber protection class, and include an addendum in your employee handbook,” he says. “Make employees pass a cybersecurity test after the training, and have them sign a document that says they’ll follow their training.”
But cybersecurity shouldn’t just be a rule to follow; it should also be a benefit for employees. As the job market continues to get more competitive, Gray says it’s important to look to inventive solutions to retain workers.
“Employers need to innovate past dental and vision,” he said. “You go to the dentist once or twice a year, same with your eye doctor. But how often are you part of a breach?” (According to what I learned this week, even if you don’t know it, you probably already have been.)
He says this opens up the door for benefits managers and brokers to look at ID protection as a possible benefit.
“Education needs to come from the employer side, and it’s up to a good HR team to research out-of-the-box solutions,” he said. “Maybe that means cutting down on other voluntary benefits or not having a mid-year event in order to supplement or provide more funds for better security measures.”
While some brokers haven’t been eager to implement this offering, Gray said employers and employees have been quick to act on an ID protection benefit. He said between 40 percent and 60 percent of employer groups with two to 20,000 employees are looking into such benefits.
Because, as Gray noted, “It’s not a matter of if something will happen; it’s a matter of when.”