There’s no shortage of coverage out there about large-scale cybersecurity breaches; one only has to look to today’s headlines to see the latest charges facing Equifax, or the far-reaching implications of recent hacks of Target, Home Depot or Yahoo!
What we hear about less, though, are the local firms and New Hampshire organizations whose businesses may be just as vulnerable as these industry leaders. Breaches have happened — and are happening — right here.
Last year, a sneaky hacker posed as a vendor and convinced someone at the Community College System of New Hampshire to move from paper to electronic billing, resulting in a transfer of $130,000 via wire before CCSNH discovered the scam.
Also last year, an imposter procured financial records from the Concord school district by posing as an official who accessed financial paperwork and tax forms, giving a cybercriminal all the opportunity needed to steal the information and use it to commit identity theft.
And Whole Foods is right now working with a cybersecurity forensics firm and authorities as it investigates a credit card data breach at in-store eateries at locations in Bedford and Nashua, among others in New England.
Organizations by default are vulnerable because they are filled with people who are hard-wired to trust — it’s how we build community and grow companies. Unfortunately, that leaves a door open for scammers to use technology, social situations, or a combination of both to compromise organizations of all types and sizes.
How you handle a data breach is often the difference between minimal impact and a potentially career-ending event. So, if hackers get into your server and have access to everything on it, or your intern got scammed and gave out the password to your financial software, here’s what to do.
1. Call your insurance provider and inform them of the issue. They may have a protocol for you per your cyber liability policy (assuming you have one) and may also point you toward an attorney or cybersecurity firm to start the response process.
2. Find an attorney who is a specialist in the area and knows how to manage the legal and communications issues around this type of disaster — someone with experience walking multiple firms through actual breaches and managing the PR, compliance audits, and all that can result.
3. Call an information security firm to conduct a forensic analysis to identify the details of the breach, figure out what happened, close the gaps, and start working on a plan for moving forward. You’ll want to have an expert who has done this before.
A wise organization will analyze the value and risk of the data it is trusted to protect. You might think your company doesn’t have anything worth a hacker’s time, but just as an identity fraudster found value in scamming a New Hampshire school district, you probably have tax records, Social Security numbers, or health information about your employees and your clients easily accessible on your computer or in your office. Or you have trusted contacts and your email or environment could be used to attack those contacts. Is that data protected by the right technology and correct processes? Do you have a response plan if the unthinkable does happen?
Until businesses of all sizes and types start taking information security seriously, breaches will increase in frequency. The strongest motivator for a hacker is financial gain. An endless Rolodex of vulnerable companies and increasingly clever overseas call centers full of hackers with no fear of negative repercussions suggest that we’re only seeing the tip of the iceberg.
The best time to work on your company’s information security plan is when you don’t have a breach. Now is when you want to implement the right systems, policies, and exercises so you know what would happen if the unthinkable happens. Ask yourself: what would I do if I believed I had a breach, or if someone from the outside came and said, “I can tell my records are compromised”? Who would I talk to? Where would I go?
If you don’t know, it’s time to start developing a plan and identifying resources who can help.
Ryan Barton is the CEO of Mainstay Technologies, an information technology and cybersecurity firm with offices in Manchester and Belmont.