Early Detection and Response Plans Are Essential Elements of Cybersecurity Policies

Posted by Jeanine Gagliardi on Tue, 09/09/2014 - 04:00

If you read the news, you are probably accustomed to hearing about customer data being stolen by hackers. In 2008, hackers accessed Wyndham Worldwide Corporation’s computer system through a single computer that an employee in a franchised hotel had connected to the Internet. Just before Christmas 2013, hackers obtained the payment card data of tens of millions of Target shoppers. At the start of the New Year, craft store Michaels discovered that its customer data had been stolen.

Although businesses are required to take reasonable steps to protect the data in their control, most experts concur that breaches are unavoidable. Thus, the key elements of every cybersecurity policy should be protocols to detect and respond to breaches once they occur. If they had implemented or followed such protocols, Wyndham, Target, and Michaels could have avoided at least some of the harm resulting from their breaches. Follow the jump to read how.

Several months passed before Wyndham even recognized that it had been hacked. Then, it mistakenly believed that it had fixed the weaknesses which allowed the hack. This allowed the hackers to return and steal additional data on multiple occasions. The vulnerabilities in Michaels’ system remained and allowed hackers to steal its data for more than eight months.

Target had a plan to detect precisely the type of attack it suffered. Before the hack, Target installed a detection tool and had a team of security specialists in India constantly monitoring its computers. These monitors discovered the attack and, in accordance with Target’s plan, notified headquarters in Minneapolis before any data was stolen. Target inexplicably did nothing, allowing forty million credit card numbers and seventy million addresses, phone numbers, and other pieces of personal information to be stolen.

Wyndham, Target, and Michaels, like most others who have been victimized by a data breach, have suffered serious consequences, including:

• The expense of notifying affected individuals (which is required by forty-seven states’ laws);

• The cost of providing credit monitoring to affected customers;

• The time and resources required to respond to state investigations;

• Having to reimburse financial institutions for issuing new credit and debit cards and for fraudulent charges;

• Lawsuits filed by customers, shareholders, the Federal Trade Commission, insurance companies, and financial institutions; and

• Damage to their reputation.

These expenses could have been allayed, and some avoided altogether, had the companies implemented and followed protocols that (1) called for tighter monitoring to detect breaches earlier and (2) established response plans. All businesses that collect or maintain customers’ private data should take these steps to protect themselves from the harm resulting from a breach.

Call Today (301) 657-8184

 Google+  View Edward Sharkey's profile on LinkedIn