Cybersecurity Hits Home: Don’t Get Caught Unprepared

Technology

By Robert Cresanti, CFE 

 

Imagine returning from your biggest and most important conference of the year. After spending five days on the road, working around the clock meeting with key clients, you are ready for a few quiet days at your desk. A relatively calm morning would be a welcome change of pace from the convention hustle.
 
Well, forget about that — when you land near midnight, your phone has more than a half-dozen voicemail messages on it. Your company has just been hacked. Now the flood of emails from staff begins to hit your inbox, because your plane had a broken Wi-Fi system. Next come the notes from clients that they don’t have access to certain data they need.
 
Immediately, you pick up the phone to connect with your IT staff. They have never seen anything like this. They have been working for hours and cannot find a way to reach the data. Everything they do leads them to a page that demands a giant ransom to decrypt your data drive that contains all of the information you need to do business — key graphics, client logos and designs that represent months of work, as well as business addresses and contact information for your clients and associates. It makes you want to despair. I understand the feeling because this is what happened to IFA in February of this year. 
 
What can you do? Eat a lot of crow because you are supposedly a “cyber expert.” No, you have to roll up your sleeves and clear the decks because this is going to get complicated. 
 
Well, the good news is that what hit IFA was not unknown; it was new but had hit several hospitals in the U.S. already. This attack had a name: The Crypto-Locker virus. IFA was struck with a full-blown ransomware attack that held its hard drives hostage while demanding payment. The virus shut down IFA’s systems and resulted in hundreds of lost hours and productivity, as we worked to identify the problem, find a solution and set in place additional comprehensive defensive measures to protect against this type of attack occurring again.
 
I’ve been a prolific speaker on cyber crime, critical infrastructure protection and corporate/government resilience for over 15 years. I’m not a technician, but I sure thought I knew what questions to ask, and ask I did. All of the answers I received were satisfactory and by the book. However, I have learned cybersecurity is no longer simply an IT problem that can be managed by a checklist. Doing the minimum to protect your company from a cyber attack is not enough. It took key leaders inside IFA and outside resources (along with an enormous amount of good luck) to pick our systems up off the floor and put them together again. Special thanks to IFA First Vice Chair Shelly Sun, CFE, and her BrightStar IT team, Dan Caprio and Jonathan Litchman at The Providence Group, as well as Edible Arrangements CEO Tariq Farid, CFE, for his personal engagement.
 
One of the takeaways from the IFA hack is that cyber risk is actually different from all other risks because it touches on all types of risk, including operational risk, reputational risk, regulatory risk, etc. It is because cyber is such a complex and multifaceted risk that it needs to be addressed through an enterprise risk management approach. Every business must take strategic steps to prepare for a cybersecurity incident and have a response plan in place for when it does occur. The risk continues to grow as the number of hacking incidents rises, ranging from attacks on large multinational corporations to local small businesses. Some of the headline-grabbing hacks include those at corporations like Anthem, Dropbox, Home Depot, Target, Sony and Yahoo; government agencies such as the U.S. Department of Justice, National Security Agency and Internal Revenue Service; and even in the U.S. Presidential campaign, with the recent leak of hacked Democratic National Committee emails. It’s not just limited to big targets. In recent years, hacks have also impacted small businesses, including a significant number of IFA member companies.
 
No organization, regardless of size or industry, is safe from a malicious attack. Avoid becoming the next victim. With National Cyber Security Awareness Month just passed in October, now is a good time to review your enterprise to ensure that you’re as prepared as possible. Put the proper controls in place to avoid learning the hard way.
 
IFA has increased its conference programming dedicated to getting the word out about the importance of cybersecurity, including at the May 2016 Legal Symposium in Washington, D.C., where I sat on a panel with Wyndham’s Scott McLester, Daniel Castro with the Information Technology and Innovation Foundation, and Douglas Meal of Ropes & Gray. McLester discussed the lessons learned from a series of hacks on Wyndham from 2008 to 2010, including that companies need a comprehensive response plan and management needs to take a hands-on approach when a data breach occurs.
 
Cybersecurity was a frequent topic during sessions at FranTech 2016 last month in Austin, Texas. IFA will continue to dedicate resources to informing members about cybersecurity at future events, including at #IFA2017 in Las Vegas. Look for more about the IFA hack in an upcoming feature by Dan Caprio, Chairman of The Providence Group.
 
Listen to the experts: take cybersecurity seriously and you might just avoid what IFA experienced. There is never perfect protection, but you can take steps to plan for resilience. As with many things, taking a proactive approach over the long run instead of reacting to a crisis after it happens can be much less costly in terms of time and wasted resources.
 
 
 
 
