By Stephanie Douglas, Senior Managing Director, Guidepost Solutions
Just about every possible facet of your personal information can be subject to compromise: credit card or social security numbers, social media profiles, even your actual computer or mobile device. And while those breaches can seemingly turn your life upside-down, they only affect you and the people close to you. Cyberattacks focused on large organizations, on the other hand, can affect hundreds or thousands of people’s personal information and have long-lasting effects on the company’s shareholders, customers, and reputation.
Recent conversations in the media and political spheres have concentrated on threats posed by foreign countries hacking and interfering in elections. The bulk of this focus has been on the Russian government but both foreign and domestic attackers can pose a serious danger to businesses. Think back to the reputational harm that Sony Pictures suffered after a hack by North Korea in October 2014 or the 2017 WannaCry hacking that shut down hundreds of businesses and is estimated to have cost the British healthcare service more than $100 million and businesses around the globe as much as $4 billion.[1], [2], [3]
A cyberattack doesn’t need to make headlines in order to be devastating. The theft, resale and manipulation of both private and public information can have lasting impacts on every part of our business and personal lives, and the number of attacks – and their corresponding impact – continues to rise. Every day, it seems, we read about another significant breach of personal data, often at companies that we implicitly trust.
Perhaps most troubling is that the methods of attack keep evolving, thwarting business leaders’ attempts to keep them at bay. There seem to be never-ending ways for hackers to expose critical information, even when organizations have made significant investments in protecting it. As the risks evolve and become more widely known, regulators, shareholders and the general public are increasingly holding executives accountable. Aside from the obvious political concerns for the U.S., organizations should be taking these risks seriously and thinking through efforts to protect their data and reputations from bad actors, both foreign and domestic. While many organizations are ahead of the curve when it comes to bolstering their cyber defenses, here is how many also needlessly put themselves at risk.
Providing equal-opportunity access to sensitive information. While many mature organizations follow sound data security practices by instituting role-based access to specific parts of the organization’s network and information, some early-stage and quick-growing companies do not. For these organizations, data security protocols can be slow to take hold. An expectation that everyone other than Human Resources and Finance should have access to every part of the product code or development environment gives wide access to sensitive company intellectual property. Having so many, or even a few, individuals with access to everything is an understated risk that many companies are willing to take for the sake of collaboration or product development agility. Some of the hesitancy to make the switch to role-based access can be attributed to organizational culture, but that culture is often unsustainable in the face of a system compromise.
Self-exposing too much information. As more and more executives and companies turn to social media and professional networking sites such as LinkedIn, individuals and organizations alike can increase their risk exposure simply by making too much employee and personal information available. On company websites and social profiles, organizations often highlight personal biographies and CVs of staff, investors and board members, complete with photos and cell phone numbers. While these can be a great way to celebrate employees and emphasize expertise, this information is also commonly used in the successful social engineering and targeting of individuals.
Cell phones are also becoming a more common target for hackers. Text messages with links containing malware can be easily sent to compromise personal or business devices. While many companies find that making this information publicly available is a necessity, it’s vital that employees are aware of the risks and are trained to spot potential hacking efforts.
Undisciplined social media presence and response. In today’s digital world, companies are driven to use social media to engage with customers and the general public. Social media can be vital in communicating updates and highlighting the good work done by many. But organizations often forget that competitors can also collect intelligence on them through that same social media presence. Businesses take advantage of competitor information wherever they can, from insights into valuable intellectual property to information about key customers, internal personnel or corporate finances. New information, such as the announcement of a product launch, can seem exciting to a company and its investors; to a competitor, it may be helpful in planning its own announcements and competing with that launch.
While organizations generally use social media to push out positive information, they also have to be prepared to respond to negative information. Picture a scenario where a CEO is speaking to key stakeholders while a disgruntled shareholder is simultaneously tweeting a long list of complaints about the CEO. An organization has to be disciplined and cautious about when, and whether, it should respond to negative comments, even though such events can unfold in a matter of minutes. Having a solid communications plan and a bit of thick skin is important to ensure the organization does not overreact and make matters worse.
Employee personal social media use. Security leaders see careless or unaware employees as the number one threat to digital security, according to a 2017 survey of key security executives from 1,200 companies by consultancy EY.[4] There is a fine line between free speech and irresponsible representations. Publicly available social media profiles are helpful to hackers looking to build a social engineering profile for the purpose of compromising key employees. Irresponsible individual use of social media can also subject the organization to public scrutiny and reputational impact. Having a responsible social media policy, together with training on data protection and appropriate communications, is helpful in navigating this sometimes-complicated issue.
Today’s organizations bear a heavy burden to protect sensitive information and are spending billions on cybersecurity tools and mitigations. Specific regulatory requirements, including GDPR and CCPA, mandate specific efforts to protect sensitive personal information. Yet even if an organization is compliant with the most stringent regulations, it can still put itself at risk through its own business decisions, and that is something that should keep management up at night.
About the Author
Stephanie Douglas is Senior Managing Director at Guidepost Solutions. She focuses on sensitive internal investigations, white-collar crime investigations, building corporate compliance programs, holistic corporate security programs, and proactively educating executives about crisis management and insider threats. She is sought after for her invaluable insight and judgment and is sensitive to the needs of the business, working with corporations to identify risks, think through sensible and cost-efficient mitigations, and engage leadership with making long-term and productive corporate changes. Stephanie can be reached online at [email protected] and at https://www.guidepostsolutions.com/
[1] Kang, Cecilia. “Sony Pictures hack cost the movie studio at least $15 million.” Washington Post. 4 February 2015. https://www.washingtonpost.com/news/business/wp/2015/02/04/sony-pictures-hack-cost-the-movie-studio-at-least-15-million/?utm_term=.d6b8ca62782a
[2] Field, Matthew. “WannaCry cyberattack cost the NHS £92m as 19,000 appointments canceled.” The Telegraph. 11 October 2018. https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/
[3] Berr, Jonathan. “’WannaCry’ ransomware attack losses could reach $4 billion.” CBS News. 16 May 2017. https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/
[4] 20th Global Information Security Survey 2017-18. EY. 21 November 2017. https://consulting.ey.com/cybersecurity-regained/