Think it can’t happen to you? Here’s how three NH organizations got hacked and what you can learn from it
The cybersecurity threat in New Hampshire is real.
There’s no shortage of coverage out there about large-scale cybersecurity breaches; one only has to look to today’s headlines to see the latest charges facing Equifax, or the far-reaching implications of recent hacks to Target, Home Depot or Yahoo! What we hear about less, though, are the local firms and New Hampshire organizations whose businesses may be just as vulnerable as these industry leaders. Breaches have happened – and are happening – right here.
A tale of three breaches
Last year, a sneaky hacker posed as a vendor and convinced someone at the Community College System of New Hampshire to move from paper to electronic billing, resulting in a transfer of $130,000 via wire before CCSNH discovered the scam.
Also last year, an impostor obtained financial records from the Concord, New Hampshire school district by posing as an official with legitimate access to financial paperwork and tax forms, giving the cybercriminal everything needed to steal that data and use it to commit identity theft.
And Whole Foods is right now working with a cybersecurity forensics firm and authorities as it investigates a credit card data breach at in-store eateries at locations in Bedford and Nashua, among others in New England.
Numerous small companies, trusted in their local communities, had to notify the state Attorney General’s office and work hard to stay out of the news.
Along with the recent Equifax situation, the local hacks are instructive when thinking about the best way to protect your organization. From a systems and information security perspective, the Equifax breach exposed problems in the company’s processes and lapses in its technology updates that left its valuable data open and accessible to tech-savvy attackers with the equipment and know-how to steal it. In two of the local examples, almost no technology was involved in the scam itself: at CCSNH, for instance, a hacker impersonated an authorized individual to trick a staff member into sending funds to a fraudulent account (it is still unclear what happened at Whole Foods).
Organizations by default are vulnerable because they are filled with people who are hard-wired to trust – it’s how we build community and grow companies. Unfortunately, that leaves a door open for scammers to use technology, social situations, or a combination of both to compromise organizations of all types and sizes.
What to do when your company has been hacked
How you handle a data breach is often the difference between minimal impact and a potentially career-ending event. So, if hackers get into your server and have access to everything on it, or your intern got scammed and gave out the password to your financial software, here’s what to do.
- Call your insurance provider and inform them of the issue. They may have a protocol for you per your cyber liability policy (assuming you have one) and may also point you toward an attorney or cybersecurity firm to start the response process.
- Find an attorney who is a specialist in the area and knows how to manage the legal and communications issues around this type of disaster – someone with experience walking multiple firms through actual breaches and all that can result.
- Call an information security firm to conduct a forensic analysis to identify the details of the breach, figure out what happened, close the gaps, and start working on a plan for moving forward. You’ll want to have an expert who has done this before.
You’ll be required to notify the state Attorney General’s office if Social Security numbers were involved, and you’ll be publicly listed among hundreds of other Granite State companies that fell victim to a data breach. You might also be required to notify other governing bodies (such as the Attorneys General of other states) and pay hefty fines, depending on the type of data involved. That often also results in expensive regulatory audits and, in the worst case, legal action.
All data has value
A wise organization will analyze the value and risk of the data it is trusted to protect. You might think your company doesn’t have anything worth a hacker’s time, but just as an identity fraudster found value in scamming a New Hampshire school district, you probably have tax records, Social Security numbers, or health information about your employees and your clients easily accessible on your computers or in your office. It doesn’t matter whether it’s on servers or in paper files. Even if you hold none of that, you have trusted contacts, and your email account or systems could be used to attack them. Is that data protected by the right technology and the correct processes? Do you have a response plan if the unthinkable does happen? We all want to avoid the fate of former Equifax CEO Richard Smith, “stepping down” from his position.
No end in sight
Until businesses of all sizes and types start taking information security seriously, breaches will increase in frequency. The strongest motivator for a hacker is financial gain. An endless Rolodex of vulnerable companies and increasingly clever overseas call centers full of hackers with no fear of negative repercussions suggests that we’re only seeing the tip of the iceberg.
The Equifax breach is a perfect example of what not to do when something like this happens: wait too long to announce the issue; provide few details; and bungle the response website – not to mention allegedly violating anti-trust regulations by selling off stock before the bad news hits!
The best time to work on your company’s information security plan is when you don’t have a breach. Now is when you want to implement the right systems, policies, and exercises so you know what would happen if the unthinkable occurs. Ask yourself: what would I do if I believed I had a breach, or if someone from outside came to me and said, “I can tell my records are compromised”? Who would you talk to? Where would you go? If you don’t know, it’s time to start developing a plan and identifying the people and resources that can help.