Businesses seek ways to mitigate data breach risk – Crain’s Detroit Business

The days of trying to full-on stop cyberattacks have passed. Risk management and risk mitigation make for the new game.

Experts in the cybersecurity space say that as work increasingly becomes more distributed and business between one company and a whole host of third-party software providers continues, so too does the risk of data breaches.

"No one is ever going to be like 100 percent successful in preventing breaches. That is kind of the reality," said Jon Oberheide, the co-founder and CTO of Ann Arbor cybersecurity firm Duo Security, which was acquired by software giant Cisco for $2.35 billion in 2018.

"So it's about risk management for your business. … You can imagine the CFO and CSO of a corporation is thinking every day about 'what risks do we face? Have we clearly identified risks in the first part, and then are we making an educated decision on whether to mitigate those risks?'"

Business concerns about cyber threats have grown considerably in just the last year, as work became more distributed because of the pandemic.

In a 2020 survey of CEOs by consulting firm PwC, 33 percent listed cyber threats as potential threats to growth, behind over-regulation, trade conflicts and uncertain economic growth.

Flash forward one year, and 47 percent of CEOs expressed concern about cybersecurity, second only to pandemics and health crises, according to the PwC report.

As hacks and breaches become more common, bankers like Eugene Lovell are on particularly high alert, given that banks are popular targets for such hacking attempts.

"This is where the money is," said Lovell, the president and CEO of St. Clair Shores-based community bank First State Bank.

Hacking attempts of various sorts, according to Lovell, are a near-daily occurrence at First State Bank, with 12 locations in Macomb and Oakland counties and just under $1 billion in assets as of the end of last year, according to a federal regulatory filing.

Like most banks — and other businesses operating during these times — First State Bank is dependent on a wide assortment of third-party vendors for various functions, which just adds to vulnerability.

"And I think one of the biggest risks that we face is … all of (the software we use is) provided from a third party source," said Lovell. "And if they're not following appropriate safety protocols, not only are they endangering themselves, but they're endangering customers and that would be us."

Jacob Koering, a Chicago-based attorney and the founder of the cybersecurity and data privacy practice for Detroit-based law firm Miller Canfield, said that too often he sees long-established partnerships between companies and vendors go bad because proper risk-management practices are not put in place.

"So decades-old relationships, where the original formation of the relationship didn't really consider the security impact of what happens when you're sharing data amongst companies, and what the end result (could be)," said Koering. "And those end up being the biggest and ugliest disputes between companies, because they just haven't articulated or divided the risk on how data sharing and issues are going to be dealt with between the parties."

As threats ramp up, banks are spending more on security. A Deloitte report last August found that banks and other financial services firms had increased spending by 15 percent in an effort to protect at-home computer networks.

Average spending per employee was budgeted at $2,691, up from $2,337 in 2019, according to the poll conducted by Deloitte and the Financial Services Information Sharing and Analysis Center, an industry group known as FS-ISAC. Some firms have budgeted as much as $3,322 per employee for cybersecurity, up from the $3,000 maximum last year.

JPMorgan Chase & Co., the country's largest bank with north of $3 trillion in assets, spends upward of $600 million per year on cybersecurity protection, according to a letter to shareholders written and published earlier this month by CEO Jamie Dimon.

"Threats to our cybersecurity need urgent attention from our government as issues of national security and impediments to trade," Dimon wrote. "Governments should build on prior agreements in the United Nations, recognizing the applicability of international law to cyberspace and enforcing obligations to hold bad actors accountable."

The Ponemon Institute in 2020 put the average cost of a data breach at nearly $4 million, according to its annual Cost of a Data Breach report. The average time it takes for an organization to identify and contain a breach: 280 days.

The report looks at four main areas of cost for an organization dealing with a breach: detection and escalation, lost business, notification and ex-post response.

Lost business is the largest contributing cost factor, accounting for nearly 40 percent of the average total cost of a breach, according to the report.

"Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation," according to the report.

So what happens when a company is the victim of a breach, whether directly or through a third party? Koering with Miller Canfield says executives walk a fine line between mandated legal disclosures — which can differ from state to state — and public relations, especially given that the largest cost associated with a hack tends to be the loss of business, in part from a diminished reputation.

Therefore, it's best to provide notification to those potentially affected, "but not to over-notify," said Koering.

Lovell with First State Bank agreed, saying that given people's broader awareness of cybersecurity, transparency can typically be a business' best friend.

"Too often, failure to be transparent is only going to come back and bite you later in time," said Lovell. "And none of us want to hurt anybody else. We want to be as open on these things as we can, and quite often, we're just learning things ourselves."

In recent weeks, two large metro Detroit-based institutions have acknowledged that customer data was compromised as part of a large breach of a third-party vendor.

Troy-based Flagstar Bancorp. in early March informed customers "that the unauthorized party was able to access some of Flagstar's information" on the platform of file-sharing company Accellion Inc., a large-scale hack which began late last year and has impacted scores of businesses and institutions.

As a result, Flagstar said it will offer those impacted a free two-year membership in credit monitoring and identity theft protection services.

The bank declined any further comment.

Additionally, Livonia-based health care system Trinity Health said earlier this month that some of its data had also been compromised in the Accellion breach, which began late last year.

Included in the breached files were names, addresses, and various medical records.

"A very small number" of those impacted had their Social Security and credit card numbers breached, the health care system said.

"At Trinity Health, safety is a top priority — including the safety of personal information," a Trinity Health spokesperson wrote in an emailed statement to Crain's. "Trinity Health took immediate action and launched our own internal investigation as soon as we were notified of the security incident by Accellion. Trinity Health takes these matters seriously and follows all the regulatory reporting requirements related to privacy and security incidents. You can find additional information on our substitute notice page Accellion Data Event. We have no further details to share on this matter."

Accellion has since said that the vulnerabilities that allowed for the breach have been fixed.

While there's no way to ensure 100 percent safety from breaches, experts say building a culture of security in the workplace goes a long way.

"When you establish security protocols, follow them," suggests Lovell with First State Bank. "A lot of times, you put these in place, and you think that risk is so remote, you don't pay attention when the bad person is basically knocking at your door."

Crain's Detroit Senior Reporter Jay Greene and Bloomberg News contributed to this report
