Israel Martinez and Richard Schroth | May 17th, 2016 | MMG
Here’s a cyber story worth recounting: Not too long ago, some institutional investors gathered to invest in a relatively small technology company with approximately $25 million in revenue. It was profitable, a leader in its field, a provider of IT security solutions to the government and to the private sector. Deal flow for the deal-makers (in this case, investor business development analysts) had dropped and everyone at the table was striving to make the deal happen. It was a $50 million investment proposal of new capital and smart money (from investors who know how to get the company to the next $100 million in revenue).
But suddenly there was a problem. During the cyber due diligence phase, the potential investors discovered that the company had been infected with particularly malicious malware, possibly exposing the intellectual property to theft. Within 48 hours, the deal fell apart and the would-be investors scrambled, regardless of indications that the infection could be cleaned and contained.
It turned out that fleeing was the right call in this case. Within two weeks, evidence outside of the company network revealed that the technology company was aware it was infecting others. The damage to the reputation of the company was extensive—particularly because it engaged in technology and security solutions. The harm reduced this rising star to its former fledgling state of two founders with now-questionable intellectual property that was compromised. Years of hard work evaporated.
And it’s not fiction. This happens to be an anonymized but true story discussed in meetings between our firm, the Department of Homeland Security and leadership at the Association for Corporate Growth, which are working together to find ways to prevent this from happening to other midsize companies. Meanwhile, the hackers, the real guilty parties, remain unidentifiable and cannot be held accountable because they operate internationally and are insulated.
How could this happen? How could the selling company not have known? Moreover, how did the investors discover the problem without touching the target company’s network?
Beyond Company Walls
Are you at risk for reputational damage to you or your organization due to a similar cybercompromise? These days it’s not only plausible but probable that when a cyberevent does happen, you won’t know about it before others do. The reason? The tools used by sophisticated investors during cyber due diligence have recently evolved and become quite powerful. These discovery tools and services crawl through the dark web, collecting, analyzing and reporting information about data breaches, compromises and vulnerabilities communicated about your IT assets among the “bad guy” community. What this means is that much of the documented activity in your organization’s network or on your personal device already exists in the public domain, beyond the company walls or outside of your devices. This includes which devices are vulnerable and how, which are infected, when they became infected, and often whether the organization knew about it and did nothing.
Why is that important? In previous articles, we’ve discussed how general liability and even cybersecurity-specific insurance policies are now riddled with exclusions, limitations or constraints that cause inadvertent exceptions to payment.
The publishing of vulnerabilities about your network domain represents a strategic shift in the bad guy community. This group is now not only selling stolen data, intellectual property and other digital assets, but it’s also selling and distributing vulnerabilities—that is to say, specific information about your weaknesses that would allow someone else to enter the weak point and exploit it in your network. This behavior multiplies the number of people and groups that can potentially commit a cybercrime. By the way, your pockets of formerly confidential information abruptly made public also provide evidence to investors or others who may want to hold you accountable for a host of fiduciary or contractual obligations, whether or not you are culpable. The recent publication of the Panama Papers serves as a prime example of this point.
Assuming you’ve done the basics in hacking prevention, here are some additional tips to keep your organization safe:
- Encrypt your local hard drive. Contrary to popular belief, after the first run, encryption won’t cause your computer to slow.
- Don’t use public wifi sites anywhere, including at your hotel or Starbucks. These are often cesspools of bad guys waiting to attack. Just don’t do it. Use your mobile device to tether instead.
- If you get a suspicious pop-up window that forces an “ok” click, immediately disconnect from the internet and turn off your computer. Restart without accessing the internet and run anti-malware.
- Never call the number in a scamware pop-up tech support message and give personal information unless you know it’s legitimate.
- Keep moving. Speed and change are your friends. Change passwords frequently. In fact, while you’re at it, change primary, clearing and secure bank accounts at least once every two years. Yes, that’s right: Call your bank, close your account and open a new one. It’s a hassle but a good practice.
- Try not to use debit cards. Banks are not required to reimburse funds stolen via a debit card; however, credit cards are reimbursable because they’re insured.
- Use multi-factor authentication as often as possible—you know the drill, like when Facebook texts you a code before you can access the social media platform from an unknown computer.
Even if you use appropriate password etiquette, are caught up on updates and use anti-malware, etc., trends demonstrate you can still be targeted and infected. We’ve entered a new era, where you must be proactive and learn if you’re compromised before a breach or before someone else knows about your breach. How will you know? The technical approaches are myriad and if you’re interested, there’s a better-than-average process available at CSO Online. It works, but it’s a bit tedious.
Don’t Be Afraid to Ask
What questions and processes should you be asking of your technical support cadre? How about of your management and executive team? Below are some of the tough questions you should consider:
- Did you know that evidence about compromises exists outside of the company walls? How should that affect our policies, processes, procedures and communications?
- How do I learn what evidence there is about my company in the dark net?
- How do I learn what bad guys know about us right now that I don’t know?
- How do I know if bad actors are already “talking” to my devices and at what level?
- How do I know if I’m infected?
- How do I know whether or not one of our partners is infecting us?
- How do I learn whether that target M&A company has had intellectual property stolen?
- How do I know if our insurance will cover specific events or compromises, such as stolen intellectual property (this is coverage beyond the common theft coverage of personally identifiable information, known as PII)?
- Why is merger insurance no longer enough?
- Is there a way to know if any of my devices, employees or social media profiles have been targeted before infection?
A review for adequate policies, procedures, risk management and risk mitigation in the event of a cybercrime is extremely important. Remember, an ounce of prevention is worth a pound of cure.
Israel Martinez is president and CEO of Axon Global, a cyber-counterintelligence company recognized by the Department of Homeland Security as a leader in its field. He is certified by the DHS in cyber-counterterrorism and defense, and has more than 20 years of experience in cyber enterprise risk management and governance.
Richard Schroth, Ph.D., is managing director for The Newport Board Group’s global cyberpractice. He actively leads world-class teams of cyberprofessionals and board-level advisers seeking to minimize cyberrisk with public boards and private equity firms. Additionally, Schroth is a senior adviser to the CEO of ACG for cybersecurity and serves as the executive director of American University’s Kogod School of Business Cyber Governance Center in Washington, D.C.