It was a bellwether year for cyber-crime worldwide in 2019. As a patchwork of new regulations began to emerge in the United States and the General Data Protection Regulation (GDPR) completed its first calendar year of enforcement in the EU, organizations continued to struggle with how to respond to the ever-growing threat from cyber-crime. The global economy remains on pace to suffer from $6 trillion in worldwide cybercrime costs by 2021 (“Cybercrime Could Cost the World over $6 Trillion Annually by 2021,” Enterprise Management 360, Apr. 26, 2019, http://bit.ly/39AMTgQ), and ransomware attacks continue to grow exponentially, now occurring approximately every 12 seconds in the United States alone.
As businesses continue to aver that “we have great cybersecurity tools and a great IT department,” cybercriminals continue to drain the global economy, with poorly understood consequences. Privacy has become a fiction in the United States, and companies continue to leverage and mistreat the data of individuals. In 2019, the top 20 breaches compromised over 500 million people’s records (see Exhibit), over and above what is already on the dark web.
Top 20 Cyberbreaches in 2019
On February 8, 2020, Experian released an email to clients who signed up for monitoring indicating that it had discovered 4.4 billion records on the dark web in 2019. On January 27, 2020, the black market payment card retailer Joker’s Stash listed 30.4 million credit and debit card numbers from the United States, the EU, and Asia that were exfiltrated from Wawa’s point-of-sale breach in March 2019 (“Wawa Breach May Have Compromised More Than 30 Million Payment Cards,” KrebsonSecurity.com, Jan. 28, 2020, http://bit.ly/2OWzcB3). In the week following the Wawa sale, Joker’s Stash added over 7.5 million new cards, including over 75,000 new platinum cards from the Middle East, with average credit limits of $100,000.
Healthcare is faring worse than most industries, as hospitals are a prime target for ransomware attacks (along with state and local governments). The risks to hospitals are both care-related and financial, including to the municipal-bond issuers that fund many hospitals (Mallika Mitra, “Ransomware Attack on Hospital Shows New Risk for Multi-Bond Issuers,” Bloomberg News, Feb. 5, 2020, http://bit.ly/2wiMzFk). The potential impact of hospitals falling victim to ransomware attacks could be devastating on multiple levels.
How Businesses Can Protect Themselves
All of the above sounds overwhelming, but it does not have to be. Addressing the problem of cybercrime effectively requires every organization to accept that responsibility for cybersecurity lies at the corporate (i.e., board) level. The next step is to expressly acknowledge that cyber protection is a business issue and not a technology problem. Businesses need to minimally do the following to protect their core assets and their clients:
- If handling New York–based clients and customers, get into compliance with the New York Shield Act.
- If handling California-based clients and customers, get into compliance with the California Consumer Privacy Act (CCPA).
- If handling EU-based clients and customers, get into compliance with the GDPR.
Of course this costs money, and businesses hate spending money on sunkcost items. But this is, as the saying goes, penny-wise and pound-foolish. Spend the pennies now, but spend them wisely. Do not just buy tools and expect things to be resolved overnight; rather, spend the money on effective cybersecurity programs that include tools:
- Build a cybersecurity program, headed by the general counsel or CFO, and reporting to the board.
- Build, test, and revise an incident response plan.
- Ensure that the organization implements critical patches within days, not months, of their release.
- Engage a third-party organization to provide, at minimum, an annual cyber-security assessment.
- Go passwordless or move to multi-factor authentication.
- Leverage the major National Institute of Science and Technology (NIST) Frameworks, including—
- NIST SP 800-53 Rev 4—Security and Privacy Controls for Federal Information Systems and Organizations,
- NIST SP 800-171A—Assessing Security Requirement for Controlled Unclassified Information,
- NIST Framework for Improving Critical Infrastructure Cybersecurity v1.1, and
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
Doing nothing is always an option for those who wish to to play Russian roulette with their businesses. But by taking the remediation steps above, organizations will end up making more money, and managers will have an easier time sleeping.