Surviving a cybersecurity breach

Lessons from an area company

UTICA — The day started out like any other workday, except the anonymous local company’s phone system and servers were down. When rebooting the server didn’t solve things, officials at the business (which we’ll call Company A) knew something was wrong. “Then I called our IT guys,” an official at Company A said. The day turned out to be anything other than normal. Company A had experienced a cyber breach, and it started a reaction and recovery process that has lasted months. At Company A’s request, CNYBJ is not disclosing the real name of the business, the official, and the industry the firm serves. Company A wanted to stay private so that it can more freely share its cyberattack experience for other businesses to learn from, while protecting itself and clients impacted by the breach. “We felt we had all the things we needed to have,” the Company A official says. “It turns out we didn’t.” Like everyone else, he and his employees have seen the increasing notices from large companies like Prudential and Ticketmaster about cyber breaches, but never thought it would happen to them. “You think you’re small-town potatoes,” he says. “You’re not really a huge piece of the internet puzzle, so why would they come after us?”

Expert advice

The reality is that cybercrime is a multi-tiered industry, often led by organized crime or even foreign states, says Dan Kalil, chief commercial officer at Assured Information Security (AIS) in Rome. “Every business regardless of size and industry is a target,” he says. Kalil was not speaking about Company A’s situation in particular, just business cybersecurity in general. That means every business should be taking steps to protect themselves, their information, and their clients, he adds. “You should take the basic steps to understand what your threat space looks like,” Kalil says. That means doing a little research to learn what businesses in your industry have been breached and how. For most businesses, it also means working with a third-party company for cybersecurity. The key there, Kalil says, is finding a firm that understands the industry your company operates in and will work to design and manage a system that meets the needs of your business. That system should include technology, policy, and training. That training for employees is critical, he adds. “A lot of it still comes down to the human element,” says Kalil. “At the end of the day, these exploits occur because people are tricked.” Small businesses can look to the Federal Trade Commission for information on how to get started, Kalil says.

Company A lessons

Even months later, Company A is unsure exactly how the breach happened, the official says. It has signed up for additional cyber protections including end-point monitoring to help prevent future breaches, he adds. The company did not experience business interruption due to the breach because its data is regularly backed up, but the breach has created a lot of additional work and expense. Company A has worked with its regular IT provider, attorneys, and forensic IT specialists, some of which charge more than $400 an hour, since the breach to determine what data was taken and which of its clients were impacted. The financial impact is yet to be determined, the official says. “The total overall cost could very well be exceptional.” Company A is also preparing to notify those clients that were affected, the official says. “…It’s almost expected you will offer credit monitoring to them.” That will carry its own expense depending on how many people sign up for monitoring. After going through this experience, the official has advice for other businesses. “The first thing is to make sure you’re up to date with your IT provider and asking them for all the services they recommend,” he says. “The other would be strongly consider cyber insurance. Three, be aware of all the little things going on in the network.”