More law firms are attempting to provide counsel to companies that want to avoid cyber attacks, as well as put in place a proper response if one does happen.
These firms
realize that, for their clients, it could mean the difference between
staying afloat and going out of business, said McCartney, the company’s
president and CEO who’s a former government worker and member of the law
enforcement community.
Digits, which recently merged with Avalon Document Services, has been working with law firms and educating them on how to set up cyber security practices. Together they provide joint services — with technical and legal aid — to clients throughout various industries.
“A lot of these
issues are legal,” McCartney said. “At the end of the day, the decision
to have to notify and disclose what happened to you is a legal decision.
Businesses are having to execute those disclosures and notifications
across multiple states and to different government agencies, while
trying to manage the reputation and brand harm.”
After a breach,
companies typically will have to hire a law firm to determine
notification and disclosure procedures, as well as hire a forensic
investigator, such as Digits. McCartney said he works with law firms to
determine how the hacker entered the network and where they went from
there, what information was taken and what states were affected.
In addition to those costs, fines and penalties can be hefty for entities that did not have the correct policies and protocols in place to comply with state business laws, he added.
In New York
state, a business must not only notify employees and customers of a
breach, but also three government agencies — the Attorney General’s
Office, Homeland Security and the state Consumer Frauds and Protection
Bureau. All three will open investigations.
Yet, owners of
small and mid-size businesses have almost become immune to all they’ve
heard about hackers, believing that because they’re not a company such
as Sony or a national retailer, they’re not a target, according to
McCartney.
However, hackers
will seek everything they can get their hands on, he said. They are
looking for an entity’s business process, competitive intelligence and
employee data.
“The problem,
from a small to mid-size company perspective, is that they have very
little defense against this stuff. If you think about the big companies,
those are companies spending significant dollars on their information
technology and security, and they are still getting breached. So, small
to mid-size companies really need to look at this and make an investment
to protect themselves.”
According to
studies, 60 percent of small to mid-size companies that get breached
will be out of business within six months, because they are unable to
recover from the financial consequences of a response.
McCartney added:
“If a company had to write all of these checks to respond to one of
these things, if you’re a small to mid-size company and don’t have a lot
of profit on the bottom line, it could put you out of business quick.”
MVP Network Consulting LLC is a Buffalo-based IT services company that’s been in business for 14 years. It specializes in helping small to medium-sized companies avoid cyber breaches by providing network security, help desk support, backup disaster recovery and CIO services.
Many of its clients come to the IT service provider when they’ve outgrown their system and need an upgrade, according to Kevin Kirby, the company’s vice president of sales. They may be starting a business or looking for additional security, he added.
“We’re getting a
lot of mobile device management questions, how to make sure their
systems won’t get breached and how to make sure they can access all of
their data and have 100 percent up time on their system so that they can
work more efficiently,” Kirby said.
There isn’t one
solution for all clients’ needs because every business and network is
unique, Kirby pointed out. MVP Network Consulting can do anything from
securing email to creating a back-up disaster solution to keep a server
running, he said.
“We come in and
look at your business’ processes and how you work and try to create a
unique solution around your environment using our own best practices and
what we’ve learned through our experience,” Kirby said.
Law and CPA firms at risk
Law firms and
CPA firms have not been immune to cyber attacks, according to McCartney.
It makes sense for hackers to attack these entities because of the
amount of key client data that is in one spot.
“If a hacker can
compromise one law firm or CPA firm they have access to the really
important information of hundreds of clients, as opposed to having to go
to each one of those clients and hack them individually to get their
stuff,” he said.
Law firms can be
an easier target because some are behind on their security measures,
Kirby said. They may not have the same technologies and safety measures
in place, such as monitoring software for their network or an alert
system, as other industries.
Kirby said his company works with more than 20 law firms and has a significant number of clients in the healthcare system.
“By nature, law
firms are easier to hack than other practices that would have more
stringent standards and compliance regulations like HIPAA,” Kirby said.
The month before
the annual tax filing deadline is also a busy time for Digits,
McCartney said. Tax refund fraud is about a $30 billion per year issue
and nearly $6 billion worth of fraudulent refunds are issued every year.
Hackers are attacking every company they can to access human resources databases and employees’ W-2s to file fraudulent tax forms, according to McCartney. Every March, he said, his company handles several major tax-season related cases.
Cyber crime evolves
Cyber attacks have evolved to become even more strategic, according to McCartney. They impact all industries, from construction to retail to county and local governments. Attackers range from computer-savvy youths to nation-sponsored actors seeking to wage war against U.S. infrastructure.
According
to McCartney, the biggest challenge in the effort to stop this activity
is that it takes a very limited investment to get into the business of
hacking. He said hackers from all over the world can learn and perfect
their craft while in pajamas at home.
“The risk of
apprehension is almost zero and the take and reward is so high that
there are so many people doing it,” he said. “We’re not catching them.
It’s very few and far between. There are more of these hackers than
there are the people with the white hats trying to defend against them.”
Hackers have become smarter and use more robust tools as well, Kirby said. Before, they would be able to create software that would attack a thousand computers; now it’s a couple thousand computers in a few seconds. In addition to trying to obtain credit card and personal information, they also steal the hard drive space on a server and use its bandwidth, which a lot of companies don’t realize is occurring, according to Kirby. They’ll implant their cookies into a server so they can send out emails and spam from its IP address.
Proactive approach taken
McCartney
advises companies, such as law firms, to consult with professionals in
the business who can place security around the perimeter of their
computer network.
The average time
before a company finds out that it has been breached is 292 days,
almost 10 months, according to McCartney. He calls it the “detection
deficit.”
“We’re looking
to move that detection deficit from 292 days down to 292 seconds,
because now someone is watching the windows and doors,” he said. “If
doors and windows are getting kicked in all the time and nobody is
watching or calling anybody or addressing it, bad guys can steal a whole
lot of data in 292 days.”
McCartney said
Digits has bolstered its cyber security offerings over the past few
years, adding that the partnership with Avalon’s project management and
technical team helped create the infrastructure necessary to do so. He
said the company is developing services on the front end to help avoid
hacks and monitor cyber security.
Using what Kirby called intrusion prevention services, MVP Network Consulting is also attempting to be more proactive for clients, both in monitoring and in installing automatic updates for a company’s computers. Some companies haven’t had any security updates on their PCs for years, he added. Offering software that connects a company’s computers to the network of MVP Network Consulting also helps prevent cyber attacks, according to Kirby.
“A trusted IT
provider can help facilitate a preventive approach,” he said. “So if
someone was trying to hack your network, you would be getting alerts and
certain things would be blocked and there should be reports of what was
happening and what kind of threats came into your network.”
bizjournals