You’ve done everything right: identified and addressed weak areas, set up an adequate framework with the proper safeguards, and made sure your company’s cybersecurity is up to snuff with regulatory requirements. You’re sure that your system is foolproof—until someone comes along and proves you wrong, exposing your organization’s data (and potentially that of your customers).
If (or when) this happens, you can at least take solace in the fact that you’re in good company (as evidenced by the list of recent cyber breaches in the sidebar). Amazingly, despite the growing level of confidence among businesses in their cybersecurity frameworks, many organizations are still shockingly unprepared. In its 2016 Global Information Security Survey, Ernst & Young found that while 50 percent of responding organizations felt confident in their ability to predict and detect a cyberattack:
- 44 percent did not have a security operations center;
- 64 percent either did not have a threat intelligence program or had an “informal” one;
- 55 percent did not have vulnerability identification capabilities (or only had “informal” capabilities); and
- 62 percent would not increase their cybersecurity spending even after a breach, as long as it appeared there was no harm done.
Also alarming is that 68 percent of respondents said they would not increase their information security spending if a supplier was attacked, while 58 percent said the same for an attack on a major competitor. Coming off of last month’s much-reported breach of Equifax’s consumer data, it’s disturbing to see how few organizations would be willing to step up their own spending to respond.
Recent Major Cyber Breaches
Besides those mentioned in the article, there have been plenty of other organizational victims of major cyber breaches recently. Courtesy of IdentityForce, here are some others that have taken place so far in 2017 alone:
- Verifone: Attackers reportedly breached the company’s corporate network in January.
- Dun & Bradstreet: This famous firm’s marketing database (which included more than 33 million corporate contacts) spread across the internet in March, impacting millions of employees from dozens of organizations. D&B claims it sold the database to thousands of companies nationwide.
- FAFSA: As high school seniors across the country looked ahead toward college, the IRS revealed in April that information from up to 100,000 taxpayers may have been compromised through a tool used to complete the Free Application for Federal Student Aid (FAFSA).
- Gmail: In a single one-hour incident in May, phishers attempted a mass scam to gain access to victims’ accounts, with an estimated one million users affected.
- DocuSign: Also in May, e-signature provider DocuSign was breached by hackers, who managed to obtain email addresses later used for a phishing and malware scheme.
- California Association of Realtors: The CAR’s Real Estate Business Services subsidiary experienced a breach through its online payment system, which was reportedly infected with malware between March and May. The organization is now using PayPal to handle payments.
- Equifax: One of the country’s three largest credit agencies reported in September a breach discovered over the summer. This attack is estimated to have affected 143 million consumers, whose full names, addresses, credit card numbers, and more may have been accessed.
- U.S. Securities and Exchange Commission: In late September, SEC Chair Jay Clayton brought up a 2016 breach in an announcement about cybersecurity measures. The vulnerability was reportedly in the test filing component of the SEC’s EDGAR system.
So, knowing that breaches are impossible to cut off completely and that your own peers, suppliers, and partners may not be taking cybersecurity as seriously—what do you do when someone does get through? Part of setting up a functioning security system, whether it’s digital or physical, is recognizing that because no wall is completely impenetrable, it’s crucial to have a fallback plan in place for when a threat does manage to slip in.
Gather the crisis team
If you’ve prepared correctly, you should have in place a group of representatives from all relevant departments in your company: HR, IT, legal, etc. Discussions must take place regarding not only the vulnerability and type of data that was breached (and who it affects), but also the liability fallout from regulators, shareholders, and consumers.
Identify and monitor
This is where the technical experts on your team come in. They will need to sniff out where the breach occurred and monitor the network to see how extensive the intrusion is (and whether it is still ongoing). At this point, it may be necessary to briefly isolate part of the network to prevent further access—cutting off a limb to save the body, in other words.
It’s not an easy job to report a security breach, but you’re not doing yourself any favors by keeping it secret. Customers who may have been affected have a right to know, and telling them to update their access credentials can keep one attack from coming back to bite you later. All partners should also be made aware, as well as regulators—especially in this industry, where transactions can be interwoven throughout businesses.
Review and take action
Now comes the recovery. Comb over the method and point of intrusion and ensure that it, and any similar entry points in your system, are patched securely. If the breach was the result of an employee’s carelessness—perhaps their information was phished, for example—update training to reflect such scenarios (you do have security training, right?). Make all partners aware of the changes, both to put them at ease and to inform them of any policy revisions that might affect them. Finally, consider hiring a security consultant to review your systems and procedures.
Without a doubt, a cybersecurity attack can cause massive harm to your business and leave you feeling exposed. With the right response, however, you can come out of the situation stronger as a result.
Tory Barringer is the managing editor of Mortgage Compliance Magazine. He can be reached at TBarringer@MortgageComplianceMagazine.com.