When COVID-19 created a mountain of unforeseen issues for companies, pushing cybersecurity priorities down the to-do list in favor of more pressing matters was an understandable, if not ideal, solution for decision-makers.
But if protecting your business’s electronic data is not front of mind now, then addressing cybersecurity deficiencies as soon as possible is crucial, said Aaron Warner, CEO of ProCircular, during the 2021 Corridor Business Journal Cybersecurity Symposium Dec. 7, at the Hyatt Regency in Coralville.
“I think it’s safe to say that 2020 and 2021 were largely about getting our arms around reliable work from home [setups],” he said. “Everybody had things that they had to do to keep their organizations up and running. For 2022, a lot of the conversations that I have with chief information officers (CIOs) is about getting security right.”
Although it’s tempting to kick this topic down the road, the panel agreed that all businesses, whether big or small, are wise to heed this precautionary advice.
“Last December, we discovered that a few online transactions happened on our website from New York,” said John Lohman, CEO and publisher of the CBJ. “We contacted our credit card processing company. Apparently, we experienced what’s called a credit card BIN attack, which is relatively rare compared to phishing or some of the malware stuff that you might be familiar with.”
Mr. Lohman explained that this type of attack allows fraudsters to test thousands of credit card numbers until they find one that works, and then “presumably go buy something more expensive than a [newspaper] subscription.”
After shutting down the website and having the credit card processing company lock down payments, implementing CAPTCHA as a security filter, and adding a rule-based fraud management utility called iSpyFraud, the CBJ website was operational again two days later and only down a couple of thousand dollars.
Until January, that is, when Mr. Lohman noticed a withdrawal of $32,000 from the business checking account. He later found out this was a monthly credit card processing fee due to the fraudsters trying 140,000 different credit card numbers back in December.
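The pattern Mr. Lohman describes, many distinct card numbers sharing a bank identification number (BIN) submitted from one source in a short burst, mostly declined, is visible in a merchant's own payment logs before the processor's per-attempt fees arrive. The following is an added illustration of that kind of velocity check, not code from the CBJ, its processor, or the iSpyFraud product named above; the log format, the one-minute window, the five-card threshold and every log line are constructed for the example.

```python
"""Velocity check for card-testing (BIN attack) traffic.

Added example, not code from the CBJ, its processor or iSpyFraud.
Log format (timestamp, source IP, masked card, auth result), the
thresholds and all sample values are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One source submits eight different cards from the
# same BIN in under 30 seconds (seven declines, one approval); two other
# sources show ordinary shopper behaviour. IPs are documentation ranges and
# the card values are fabricated, masked test-style numbers.
SAMPLE_LOG = """\
2020-12-14T02:10:01Z 203.0.113.7 411111******0001 DECLINED
2020-12-14T02:10:04Z 203.0.113.7 411111******0002 DECLINED
2020-12-14T02:10:08Z 203.0.113.7 411111******0003 DECLINED
2020-12-14T02:10:11Z 203.0.113.7 411111******0004 DECLINED
2020-12-14T02:10:15Z 203.0.113.7 411111******0005 APPROVED
2020-12-14T02:10:19Z 203.0.113.7 411111******0006 DECLINED
2020-12-14T02:10:23Z 203.0.113.7 411111******0007 DECLINED
2020-12-14T02:10:29Z 203.0.113.7 411111******0008 DECLINED
2020-12-14T02:12:40Z 198.51.100.23 555555******4444 APPROVED
2020-12-14T02:15:02Z 192.0.2.5 378282******0005 DECLINED
2020-12-14T02:15:40Z 192.0.2.5 378282******0005 APPROVED
"""


def parse_log(text):
    """Turn the constructed log format into event dicts; the BIN is the
    first six digits of the masked card value."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "bin": card[:6],
            "card": card,
            "result": result,
        })
    return events


def detect_card_testing(log_text, window_seconds=60, max_distinct_cards=5):
    """Flag (source IP, BIN) pairs that submit at least `max_distinct_cards`
    different card numbers inside any `window_seconds` window.

    Returns one alert per flagged pair, describing the busiest window seen.
    Distinct cards, not request count, is the signal: a shopper retrying a
    mistyped card repeats one number, a card tester cycles through many.
    """
    window = timedelta(seconds=window_seconds)
    groups = defaultdict(list)
    for event in parse_log(log_text):
        groups[(event["ip"], event["bin"])].append(event)

    alerts = []
    for (ip, bin_), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        busiest = None
        # Slide the window start over each event and measure what follows it.
        for i, first in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            distinct = {e["card"] for e in span}
            if busiest is None or len(distinct) > busiest["distinct_cards"]:
                busiest = {
                    "source_ip": ip,
                    "bin": bin_,
                    "window_start": first["ts"].isoformat(),
                    "distinct_cards": len(distinct),
                    "declined": sum(e["result"] == "DECLINED" for e in span),
                    "approved": sum(e["result"] == "APPROVED" for e in span),
                }
        if busiest["distinct_cards"] >= max_distinct_cards:
            alerts.append(busiest)
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG):
        print(alert)
```

On the sample data only the 203.0.113.7 / 411111 pair is flagged (eight distinct cards, seven declines, one approval in a 28-second window); the shopper who retried the same card is not. In practice the alert would feed the kind of rule-based filter the article mentions, blocking further attempts from that source while they are still a handful rather than 140,000, since each attempt, declined or not, is billed by the processor.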
He canceled the payment. The credit card processing company, called Omega, credited $8,000 back because that was their hard cost but refused to give the CBJ more credit card money until the rest was paid off.
“We were essentially being held hostage by the company,” he explained. “I reluctantly paid the $24,000 to them because we’re a small business. About a third of our revenue comes in through credit cards. That’s the life of a small business. Not being able to get credit card money isn’t going to work.”
He then learned the CBJ’s cybersecurity insurance wouldn’t cover the incident since no data was technically stolen. The credit card processing company contended they weren’t liable because the CBJ was not Payment Card Industry (PCI) compliant. The headache is still ongoing as he is dealing with the FBI and the state of Iowa today.
His takeaway? Everybody, even a small business, needs to be “especially diligent” in making sure proper safety measures are in place.
“We had this old website then, and frankly, it wasn’t very good,” he added. “We knew we were going to update the website soon, so I didn’t want to spend a bunch of money on it. Well, you really need to make sure your website is protected, regardless of how old it is. Because if you don’t, you could go through an experience.”
As chief information security officer (CISO) of both the University of Iowa and the University of Iowa Hospitals & Clinics, Zach Furst references an analogy that likens the importance of solid cybersecurity to a museum.
“We all have people that are coming into our environment that may be interacting with us in some way,” he said. “How do you secure things that are most valuable?”
Mr. Furst emphasized the importance of ensuring systems are patched and websites are updated, as “that is the most frequent way people are getting compromised.” He also stressed that companies should not be afraid to call experts they trust in the event of an emergency.
Vendor security is another huge risk that organizations don’t immediately consider, said Gabe Kimbrough, CISO for Mercy Medical Center in Cedar Rapids. Each organization should have a framework they follow. Once that is developed, companies should define what elements of their plan can be automated, determine a vendor onboarding process and figure out how to acquire data.
“I think most people are probably at the infancy stage,” he said, referring to how many individuals understand they should be addressing cybersecurity but are unsure where to start. “You don’t have to start being the best, but you should be doing something and having those thoughts and conversations.”
He suggests focusing on two main areas: Security awareness for employees and overall preparation. Often, companies fail to safeguard how employees can expose aspects of their business and fail to educate everyone at an organization correctly. If an incident happens, there needs to be a system of tests run, a series of steps taken, and everyone should clearly understand who the decision-makers are in the room.
“Like most things when it comes to security, the answer is not only one thing but what layer controls you have in play,” Mr. Kimbrough explained. An organization should know how to handle ransomware issues versus simple phishing attacks, for example.
It’s a complex field that is ever-changing with new types of cyberattacks developing, which presents the larger issue that “it’s hard to know everything that is happening at all times,” said Mr. Furst. This makes it even more critical that organizations invest in cybersecurity before they run into irreversible problems.
“This incident we’re dealing with is probably going to take many more months,” said Mr. Lohman. “If I could have spent just a couple thousand dollars to update our old website, we wouldn’t be dealing with this headache. Just be prepared that an incident is probably going to take a long time to be resolved.”
Mr. Warner echoed his thoughts and said the advice applies to many businesses.
“You can quantify what the cybersecurity company is going to charge you, what the lawyers are going to charge you, and argue all that stuff with the insurance carrier,” he said, “but the real cost is the opportunity cost, right?”