Richard Levick, Contributor. I write about the intersection of business and public affairs.
This is the fourth in a series of columns addressing what companies can do to learn from activist investors, NGOs, the plaintiffs’ bar, and others to defend and grow their brands.
No corporate entity or institution – no matter how pure of heart – is immune from cyberattacks. When it comes to wreaking havoc or scamming money, cyber bandits are equal-opportunity thugs: if the cash or cause is right, they’ll go after anybody or anything.
Just ask some of the biggest companies in the world: FedEx, Maersk, Mondelez, and Merck, all of which have missed 2017 earnings projections because of ransomware attacks. The assault on Merck was so crippling that it was forced to halt production of its key drug lines, a disruption likely to undercut profits for the rest of the year.
Or ask these restaurant chains – Wendy’s, Noodles, and CiCi’s Pizza – which have been hit by recent breaches of customer payment information, malware contamination, and point-of-sale hacking.
Or these technology companies – Yahoo, LinkedIn, MacKeeper (a performance-optimization utility for Apple computers), and Dropbox – which have had proprietary information on millions of their customers compromised.
Or the Hyatt chain, which revealed a year ago that malware had corrupted the customer credit card systems at 250 hotels.
Or Citibank, which was flummoxed by a vengeful ex-employee whose malicious tampering shut down nine of its 10 global control center routers.
Cyberattacks are not just getting more pervasive, malevolent, and destructive – they’re threatening the foundations of our economy and democracy. “Hackers with possible ties to nation-states continue to target infrastructure as well as systems for political insight,” warns a report from the Heritage Foundation that documents the nefarious activities of cyber criminals associated with the Russian government’s Main Intelligence Directorate (GRU) and Federal Security Service (FSB).
Cyber warfare experts at the FBI and Department of Homeland Security are worried about far more than Russia. Not long ago, hackers tied to Iran’s Islamic Revolutionary Guard Corps tried to gain control of the sluice system at New York State’s Bowman Dam and nearly succeeded.
U.S. authorities believe that global activists and radical extremists, including ISIS, are launching cyberattacks against corporations and government agencies at the same time they’ve learned how to weaponize social media.
Paul Ferrillo, who helps direct Weil Gotshal & Manges LLP’s Cybersecurity, Data Privacy & Information Management practice, advises that, “There are tough times ahead for companies that are not prepared. With sophisticated exploits readily available on the Internet, it is hard to tell the difference between nation-state activity and cybercriminal activity – they are equally well equipped to do harm.”
Eddie Block, who helps lead Gardere Wynne Sewell LLP’s cybersecurity practice and served as the Chief Information Security Officer for the State of Texas, observes that, “Companies that ignore the threats to their technology infrastructures are sticking their heads in the sand. Cyberattacks are a ‘when not if’ event. Developing and testing response plans should be a key business priority.”
Matt Comyns, the managing partner of Caldwell Partners’ Cybersecurity Practice and an expert in helping companies institute anti-hacking measures, adds, “Jobs that focused on cybersecurity were once considered to be low-level and not strategic. Companies must now elevate those roles to keep pace with the serious risks posed by cyber threats. The best cyber leaders are much more than tactical technicians. They put cyber risk into real business terms that boards and C-level executives can understand.”
Not every company can put its employees through intensive off-campus training to contain cyberattacks. But here’s a quick Ferrillo-Block-Comyns-Levick prescription for what every company should be contemplating on the cyber front.
• Prepare, test, and evaluate an incident response plan (IRP), business continuity plan (BCP), and a crisis communications plan to streamline the investigation and remediation process and buoy communications with shareholders, customers, and other stakeholders when a breach does occur;
• Map data flows to assess where critical, personal, or regulated data is stored and how it is transmitted;
• Conduct a privacy impact assessment to assess depth and vulnerability of data (wherever it is located) and how it can be protected;
• Educate employees, executives, and board members on such cybersecurity must-knows as breach response, spear phishing, social media best practices, and password protocols;
• Prepare internal policies dealing with privacy issues at work (social media use, workplace surveillance, monitoring internet activity, etc.); and
• Get back to basics, such as timely patching of software and a regular back-up process for your networks and desktops.
Institutions need to do much more, of course. But nothing, no matter how comprehensive, guarantees 100 percent protection from cyber bandits.
In today’s world, cyberattacks are as inevitable as sluggish quarters and bumpy shareholder meetings. The companies that steel themselves for the cyber turbulence to come will be best equipped to contain the damage and recover quickly enough to make their numbers and return to normal operations.
# # #
Richard Levick, Esq., @richardlevick, is Chairman and CEO of LEVICK. He is a frequent television, radio, online, and print commentator.