Don't Be the Reason For the Next Headline - Implications of the Home Depot Hack
We've reported to you before on the hacking by criminals of the computer systems of such large corporations as Target, Macy's, and Michael's. We can now add Home Depot to that list. Initial reports indicate that cash registers at many Home Depot locations had software that was transmitting credit card information to the same group that hit Target. We also are well aware that the computer systems of the U.S. Government - arguably equipped with the best software and hardware in the world - are constantly attacked (sometimes successfully) by terrorists, criminals, and foreign agents. The government and larger corporations are already taking steps to shore up their defenses from such attacks but they know that they can only do so much.
Reports have indicated that the way Target was hacked was not through their systems but by vulnerabilities in the computer systems of one of its suppliers (a Pennsylvania based-company). If corporations haven't figured out where some of their greatest vulnerabilities are yet, they will soon: it's with their suppliers and other entities that have backdoor access to their secured systems. These are small and medium sized companies throughout the country who don't think that their computer systems are important enough for cyber criminals to care about. Well, the stronger that the bigger players make their systems, the more inviting smaller computer systems become as possible backdoors into the larger targets. It's not a question of if your company will be a target of hackers, but when. If that's case, what are you going to do about it?
If you are already a supplier to larger corporations, you may begin to see pressure to improve the security of your computer systems. Some of your clients may already require it! If you haven't seen calls to strengthen your systems yet, taking a proactive approach could have positive marketing benefits to current and potential customers and clients. While we can't predict what specific requirements each client may have, there are already some basic steps that you can take to begin the process. Here are a few action items that every organization should consider with respect to their data security:
1. Test Your Network
Are you confident your network can withstand an attack? Do you know if your network is currently under attack? You may wish to consult a cybersecurity expert to determine the vulnerabilities in your system and how best to protect yourself. Getting an independent third party to review your systems goes a long way to instill confidence that the steps you are taking are meaningful and in line with industry standards.
2. Develop Procedures for Handling Personally Identifiable Information (PII)
How are you encrypting PII, including customer lists, credit card and financial information, and anything else that has names and contact information of clients and customers? Is access to this information restricted? Do your employees know how to handle PII? How do your customers and clients provide you with it? You should develop practices and procedures to better protect this information.
3. Develop a Response Plan
What do you do when are you hacked? Do you know who to inform and what to say? How would you respond to those who have had their information stolen from or through your system? How would you handle the media? What about potential lawsuits? You should develop a response plan to handle a data security breach. Data security breaches can be legal nightmares as there is no single standard for compliance in the event of a loss of PII. If PII of a citizen of another state is stolen (or in some cases potentially stolen), you may have to comply with the laws of that state as well. If you have customer data from across the country, that could mean lawsuits in every state!
Understand that cybercrime is a real and present danger in the modern marketplace. Even taking simple basic steps in your systems and procedures will make your company that much harder of a target. If you can divert the hackers to seek easier prey, that's a win. Remember that the goal isn't ironclad protection, because no system is perfect, but mitigation and discouragement. Having a plan to deal with the aftermath of an attack means putting in place policies and procedures before the attack happens. Identify a trusted team of cybersecurity, public relations, and legal advisors to give you at least the peace of mind that you know who can help you when it does happen.
If you have specific questions in this regard, please contact a member of our Emerging Technologies Practice Group.
Reports have indicated that the way Target was hacked was not through their systems but by vulnerabilities in the computer systems of one of its suppliers (a Pennsylvania based-company). If corporations haven't figured out where some of their greatest vulnerabilities are yet, they will soon: it's with their suppliers and other entities that have backdoor access to their secured systems. These are small and medium sized companies throughout the country who don't think that their computer systems are important enough for cyber criminals to care about. Well, the stronger that the bigger players make their systems, the more inviting smaller computer systems become as possible backdoors into the larger targets. It's not a question of if your company will be a target of hackers, but when. If that's case, what are you going to do about it?
If you are already a supplier to larger corporations, you may begin to see pressure to improve the security of your computer systems. Some of your clients may already require it! If you haven't seen calls to strengthen your systems yet, taking a proactive approach could have positive marketing benefits to current and potential customers and clients. While we can't predict what specific requirements each client may have, there are already some basic steps that you can take to begin the process. Here are a few action items that every organization should consider with respect to their data security:
1. Test Your Network
Are you confident your network can withstand an attack? Do you know if your network is currently under attack? You may wish to consult a cybersecurity expert to determine the vulnerabilities in your system and how best to protect yourself. Getting an independent third party to review your systems goes a long way to instill confidence that the steps you are taking are meaningful and in line with industry standards.
2. Develop Procedures for Handling Personally Identifiable Information (PII)
How are you encrypting PII, including customer lists, credit card and financial information, and anything else that has names and contact information of clients and customers? Is access to this information restricted? Do your employees know how to handle PII? How do your customers and clients provide you with it? You should develop practices and procedures to better protect this information.
3. Develop a Response Plan
What do you do when are you hacked? Do you know who to inform and what to say? How would you respond to those who have had their information stolen from or through your system? How would you handle the media? What about potential lawsuits? You should develop a response plan to handle a data security breach. Data security breaches can be legal nightmares as there is no single standard for compliance in the event of a loss of PII. If PII of a citizen of another state is stolen (or in some cases potentially stolen), you may have to comply with the laws of that state as well. If you have customer data from across the country, that could mean lawsuits in every state!
Understand that cybercrime is a real and present danger in the modern marketplace. Even taking simple basic steps in your systems and procedures will make your company that much harder of a target. If you can divert the hackers to seek easier prey, that's a win. Remember that the goal isn't ironclad protection, because no system is perfect, but mitigation and discouragement. Having a plan to deal with the aftermath of an attack means putting in place policies and procedures before the attack happens. Identify a trusted team of cybersecurity, public relations, and legal advisors to give you at least the peace of mind that you know who can help you when it does happen.
If you have specific questions in this regard, please contact a member of our Emerging Technologies Practice Group.