Cyber Security Rant

September 30, 2017

There is so much happening in the Cyber Security front. It affects you. You can learn from it. As a bonus, you can rant along with me. Hardly anyone takes the time to read insurance policy fine print. Likewise, few business people really want to deal with cyber security. Dig in and understand it.

According to Microsoft, in companies with less than 250 employees, 75% use the same two to four passwords on nearly everything. In fact, 87% of senior managers have unwittingly leaked corporate data; 57% sent it to the wrong person. Top executives and administration officials alike use personal email accounts for official business. Do not be like them. (Go back and read the last two weeks’ columns to learn how to save yourself, if you can’t wait until next week: Would You Know if You Had Been Hacked? and An Ounce of Data Loss Prevention is Worth a Pound of Cure.) Did you know, on average, over 200 days pass before organizations realize their data or network has been hacked? More than 300,000 new malicious files are created every day. Cut this article out. It’ll make great cocktail party conversation. Everyone loves to talk about how “scary it is!”

Does your organization have a “diligence in depth” plan to combat these vulnerabilities? Today, every company can afford to take advantage of fantastic protection tools. Pay attention and spend just a little.

What’s been happening lately?

According to FedEx, a June 27 “Petya” attack cost them $300,000. DLA Piper, one of the world’s largest law firms, was crippled for over three weeks this summer, and continues to reel in the devastation of lost revenue and client confidence. Princeton Hospital was forced to scrap and replace its entire computer network this summer. These were all ransomware or faux-ransomware attacks. Avoidable, all of it.

You are lucky if your breach is just about a ransom payment. Maybe your data is worth more.

Take Equifax. The Wall Street Journal reports, “Hackers roamed undetected in the Equifax computer network for more than four months.” Experts believe bad guys gained entry simply because DinosaurFax hadn’t patched their systems. Even a small company can do that, right? (See how I am giving you hints along the way?) On Tuesday, CEO Richard Smith resigned as I predicted. Last week, the SEC announced hackers penetrated their systems, and may have even traded, undetected, for over a year!

This of course came from the institution that allowed big traders pre-knowledge of market disclosures – ahead of the rest of us. I think it is better they get hacked and embarrassed than be allowed to operate with total impunity. Gosh, they don’t even have to disclose their breaches like the rest of you. Sorry to rant. SEC Chairman Jay Clayton cannot discuss the details due to “an ongoing enforcement probe.” Sounds very official. Accounting firm Deloitte just reported a hacker accessed “very few” client records, and there was “no disruption of client business.” Sounds like a huge cover-up to me. The “Krebs on Security” website quoted a Deloitte insider who indicated the hacker, through their email system, accessed all of their internal systems and all administrative accounts.

This week, the Commodity Futures Trading Commission advocated significantly reduced fines for companies that report breaches. The idea being, breached companies would be more likely to come forward if they didn’t face such huge punitive penalties. But that won’t work, because most breaches occur because of gross negligence, and nobody wants to admit to their customers, shareholders, and the world at large that they are inept executives. Especially not a “master of the universe.” Just ask Richard Smith, though he is certain to be paid handsomely for his fine work not paying attention and obscuring the truth. You see, protecting against most threats is not “high cyber science,” just common sense and fundamental management. This is what explains the lies we read each week. I guess it is easier to lie than do your job.

Bet you didn’t know that the SEC applies its cyber security rules in mysterious ways. Jay Clayton, now a beacon on this subject, says recent cyber security lapses have “highlighted the importance of cyber security…to market participants.” Why, then, don’t Congress and the Commission work toward changing the application of, and adherence to, Reg SCI? Reg SCI, where it applies, requires complete, deep procedures to ensure robust and resilient technological trading systems and controls are in place. This is a rather vague regulation and is applied to exchanges and certain trading venues. Not all. It doesn’t apply to Morgan Stanley, Charles Schwab, E-Trade, Scottrade, or Citadel, which handles over one-third of all trades executed in the United States. Nor does the SEC publish a list of who needs to comply. This sort of reminds me of “double secret probation” in the movie “Animal House.” I guess it really matters, but we don’t need to know who is cyber secure or not?

To wrap all this directionlessness (new word just invented) up, according to a recent Wall Street Journal headline, “In Today’s Cyber War, Everyone Is a Target.” The FBI agrees: threats against small businesses are growing at an escalating rate (over 35% annually). So, if these large outfits, with all sorts of resources, can’t keep out the bad guys, should smaller outfits even try?

Yes, and yes, bad things will happen to your company if you don’t. The reason small companies are a target is that they pay even less attention to security than their higher-paid brethren. Bad actors can gain access to your best customers (who are much bigger than you) through you. Sound like a good deal? It is much worse than you think. In spite of all you read, most cybercrime is not reported. Again, business executives don’t like advertising that they are unconscientious. You might even say unconscious. I think it was Dan Quayle who said, “What a waste it is to lose one’s mind. Or not to have a mind is being very wasteful. How true that is.”

Sorry, we used up too much space ranting today. Next week we will discuss what you can do, without breaking the bank, to protect your business and critical customer relationships. In half the space! In the meantime, do worry about it, and what you will do if a weather disaster strikes our area again.

Brian Desrosier has been serving the Greenwich community for over thirty years as the owner of Lighthouse Technology Partners.