Cybersecurity Threats—And What to Do About Them
It had been months since a data breach had consumed the news when Equifax burst on the scene in September, announcing that hackers may have accessed information on 145 million Americans. The absence of a large retail breach like Target or Home Depot doesn’t mean the threats have subsided, however. If anything, 2017 has shown how crucial cybersecurity preparedness can be.
A constant drumbeat of targeted but smaller attacks dominated much of 2017. The year started — as each year seems to — with a wave of tax-related phishing attacks. Attackers “spoofed” the email of a C-level executive, requesting that a front-line HR or finance employee immediately provide sensitive employee information, such as W-2 data.
When the unwitting employee replied, the phisher obtained the information necessary to file fraudulent tax returns, a highly profitable fraud that is difficult to catch and causes considerable headaches for victims. In only the second year of widespread attacks, nearly 1,000 organizations reported to the IRS that they had received scam emails this year, 200 of which disclosed data to the scammers. These attacks hit all kinds of organizations, but retailers present particularly attractive targets because of their large, geographically dispersed workforces.
Skimmers — devices or malware placed on or in a POS device — have also increased in scope and sophistication over the past year. After rising 30% in 2016, reports of compromised POS devices rose another 21% in 2017. Installing (and requiring customers to use) chip readers helps, but retailers should also train employees to spot skimmers and anomalous payment activity that could signal skimmer installation.
These data breaches might have been prevented or avoided had the victim companies taken basic steps to secure their systems and to respond effectively to the discovery of an incident, by training employees, implementing written procedures requiring safeguards for the disclosure of sensitive information, managing patches and updates, and exercising incident response capabilities. These same steps might have prevented or contained Equifax’s breach.
Equifax has said it failed to patch a known vulnerability after its process for tracking and confirming patches broke down. After discovering the breach, Equifax did not notify the public for nearly six weeks, and the eventual disclosure was fraught with errors and confusion. Equifax’s errors will likely cost it hundreds of millions of dollars (not including the $4 billion drop in market cap) and disrupt its business for years. Just this year, several past data breach victims have entered into large settlement agreements relating to breaches years ago, including Target ($18 million to settle with state attorneys general, added to over $290 million in costs previously reported related to its Christmas 2013 breach), Home Depot ($25 million to settle suit with financial institutions over its 2014 breach, in addition to $154 million in other settlements), and Anthem ($115 million to settle class action claims stemming from its 2015 breach).
Cyberattacks can’t be entirely avoided, but careful preparation and effective data security can lower the likelihood of a successful attack, improve the response, and lower the resulting costs. Covering the fundamentals is essential.
• A documented, company-wide security program. Designate a responsible official and develop policies addressing crucial security issues faced by your company. Train employees regularly on emerging threats, develop procedures for regularly identifying and remedying vulnerabilities, and establish — and exercise — an incident response plan. These measures protect companies not only from breach, but also from the wrath of regulators and the public who have (understandably) grown to expect companies to implement them. Recent regulatory settlements with Target and Home Depot require them to adopt written information security programs in addition to paying fines.
• Vendor and service provider security. Retailers increasingly rely upon vendors, embedded third-party applications and technologies, and cloud services to process or host their most sensitive data, including payment and payroll information. To effectively address this risk, retailers should ensure that the relevant contracts appropriately allocate security-related risks and obligations, and should conduct appropriate due diligence regarding vendor and service provider security practices.
• Cybersecurity Insurance. Retailers face increasingly diverse, sophisticated, and well-resourced threat actors. Even the most developed cybersecurity program may not stop them all. Retailers should manage their risk with effective cybersecurity insurance coverage, relying on the advice of experienced counsel to identify the pitfalls and exceptions present in many cybersecurity policies.
These basic steps can help your company manage the risk associated with cybersecurity threats. Companies that start early, keep improving, and get help where they need it are best positioned to withstand new threats — and the old ones, too.
Todd Hinnen is a partner at Perkins Coie, which has offices across the U.S. and Asia, and provides a full array of corporate, commercial litigation and intellectual property legal services to a broad range of clients. Amelia Gerlicher is a counsel at the firm.
Amazon’s Australian operation could be open for the holidays
Amazon is about to make its debut Down Under.
While he would not commit to a specific date, Amazon’s country manager Rocco Braeuniger teased that the company is “really, really close” to opening in Australia. He also hinted that the company will ship goods from its first Australian warehouse in time for the end-of-year holiday season, according to Reuters.
According to the report, Braeuniger made the announcement while addressing 600 prospective product merchants at a suppliers’ summit on the Sydney waterfront. The event is held to encourage merchants to sell on its website.
According to another report from the Sydney Morning Herald, Braeuniger added that when Amazon does open, the rollout would be similar to those in other European markets. That said, the company will launch with a wide range of products and delivery options, in an effort to build a local customer base. Once that customer segment is in place, then Amazon will consider introducing products like its fast-delivery subscription service Prime Now or the fresh food delivery AmazonFresh.
The new operation gives Australian shoppers the opportunity to buy merchandise locally, rather than place orders on Amazon’s Marketplace — a global marketplace for third-party sellers. Currently, more than 1,000 Australian companies sell their wares on the platform. However, shoppers can wait up to 12 days to receive merchandise — and be subject to hefty shipping fees.
By opening a 93,000 square m (Australian) warehouse in Melbourne, Amazon will stock “hundreds of thousands of products” ready to deliver to local customers.
In addition to shipping merchandise out of its new Australian warehouse, Amazon will continue hosting third-party retailers on its online marketplace.
The Australian operation will also put local brick-and-mortar retailers in the hot seat to protect their sales. Earlier this month, Myer Holdings Ltd. cut its growth targets, citing weak trading conditions. Meanwhile, David Jones recently contributed to the first profit decline in eight years for its owner, South Africa’s Woolworths Holdings, Reuters said.