Multinational banks and major healthcare systems aren’t the only companies that need to be concerned about cybersecurity. As some of our crisis management clients can attest, even if your company does not deal with large amounts of sensitive financial or personal healthcare information, you can still be the victim of a cybersecurity breach that can disrupt your business.
A global manufacturer contacted PCI when it discovered its database of distributors and their customers had been compromised by a data breach. As a business-to-business manufacturer, this company was not a high-profile target. IT forensics eventually found that the breach occurred when an employee visited an overseas website to research an issue for a client. The website that the employee visited contained a virus that infected the manufacturer’s network and compromised at least 1,000 distributors and more than 18,000 credit card records. In this case, the data breach was a crime of opportunity rather than a targeted attack.
Here are some cybersecurity myths we’re going to bust, starting right now:
Myth: My organization's network is secure
There’s no way to say this gently: You can be doing everything right — antivirus software, firewalls, two-step encryption, passwords and more — and still fall victim to a cyber attack. Ethical hackers we work with — professionals who hack without criminal intent in order to test or evaluate security for their clients — have a 100 percent success rate of hacking into their clients’ networks. No network is totally secure.
Myth: My company is not a target
Actually, this might be true. As our clients have learned, though, that doesn’t protect you. You don’t have to be a strategically chosen target to be a victim. You can be collateral damage in a ransomware attack in which the victims are not targeted, but merely have the specific vulnerability that attracts that particular ransomware infection. An employee or vendor can inadvertently expose your network to a breach. There are an alarming number of ways for your computer network to be compromised without your company being targeted.
Myth: Our IT department can help protect and defend us from data breaches
Your IT department may be top-notch, but they are not likely to be cyber crime experts. Their job is to keep your network running and oversee the day-to-day operations of your technology equipment. They play a vital role but are not routinely equipped to help you prevent, mitigate or recover from a cyber incident.
Myth: If we're the victim of a data breach, we'll just handle it quietly and no one outside our organization will know
If this ever was possible, it is certainly not possible now. Most U.S. states have laws that require a breached company to notify its affected customers within a specific timeframe – often within days. You must communicate your data breach and you must do it quickly. One of our clients had distributors in all 50 U.S. states, all provinces and territories of Canada, and other countries. We worked with the manufacturer and their teams of attorneys to notify all 1,000 distributors within one week.
Myth: If a data breach happens, we'll figure it out then
OK, this isn’t exactly a myth. It’s just a really bad idea. And expensive, too: According to Experian’s 2015-2016 Data Breach Response Guide, when a pre-breach plan is in place and successfully executed, the average cost of the response can be up to 25 percent lower.
Developing a cyber attack response plan now -- before you need it -- will be a huge relief when you actually are in the midst of an incident. Get your rapid response team in place, outline a communications plan and line up your forensic IT, communications and legal consultants so you have everything in place before you need it. Your future you will thank you.
We are thrilled when clients who are prepared experience few complaints and no disruption of business, when the breach attracts no attention by traditional media or social media and they quickly return to business as usual.
What is your company doing to help ensure a smooth recovery in case of a data breach? Let’s talk.