On December 21, 2011 the Wall Street Journal reported that U.S. Chamber of Commerce was hacked. Many of the major media outlets are all re-publishing the report. But, if you look at the fine print you will discover that the attack occurred back in November 2009 and was discovered in May 2010. That left the Chamber’s 3 million company members uninformed and their information vulnerable for two years as the FBI and cyber investigators analyzed the attack. Now these 3 million companies are going to have to check what information might have been gathered and then inform their own customers. That will cost them time and money for unscheduled activities. It’s the domino affect.
It seems the attack used the tried-and-true strategy we see every day. An employee received a phishing or spearphishing email with a spyware attachment. The employee opens the attachment link not knowing that they have affected the network. The spyware is able to capture employees and/or administrators passwords to have unfettered access to all the accounts. Remember, IT is unable to identify a breach when a legitimate User Name and Password is entered.
Businesses are also subject to a Catch-22 thanks to the requests of cyber investigators versus the government’s privacy laws. When a company first discovers a breach the first instinct is to contact the authorities like the FBI or FTC that a breach has occurred. Typically these authorities want to do a full forensics on the attack to learn the sources and people responsible so they will request that the company NOT disclose the breach. This investigation can take months during which a company’s customers are unaware that any of their personal information is being compromised. When the authorities are finally finished and allow the company to notify their customers of the breach per the law, the company is then hit with lawsuits for delaying notification to their customers.
The costs that the Chamber is going to incur will probably be horrific. It has already been reported that they hired independent “cyber sleuths” and have destroyed serves and computers that are infected. What is still looming are the legal fees, lawsuits and government fines for the breach. The Ponemon Institute has identified the average 2010 company costs for a breach is $7.2M per incident.
What the Chinese hack should teach every company:
- Train employees about email security.
- Have strong passwords.
- Use a multi-factor password manager like Power LogOn.
- Implement secure email programs.
- Before a breach occurs or is discovered have a recovery plan already in place that includes legal protections so you as the business owner don’t get multiple attacks on all of your castle walls.
- Power LogOn by Access Smart® is a multifactor authentication, smartcard based password manager for Windows.
- Power LogOn offers 8-layers of security assurances for a centralized IT solution.
- Power LogOn requires no back-end server hardware modifications, takes only hours to implement, no annual renewal fees and can work with existing card technologies to reduce implementation and ownership costs.