For all the wonders and conveniences that come with this digital world, we must not allow ourselves to ignore the persistent threat of hackers. Technology accords us a great deal of new comforts – and with them, new perils. The global cyberattacks that erupted on Friday offered another profound object lesson. A massive infection of malware plagued at least 75,000 computers across nearly 100 countries. The perpetrators targeted dozens of hospitals in England, multinational businesses such as FedEx and Spain’s largest telecommunications provider. Companies in the United States were urged to place themselves on high alert and take precautions against intrusions. As contingent workforce leaders, we’re placing more of our business information and employee data into computers each year. That means we face greater losses if our systems are compromised. I think it’s a good time to discuss steps we can take to guard against cyberattacks.
Experts believe the latest attacks were inspired by a National Security Agency (NSA) tool kit that was leaked last year. The malicious software, called the Wanna Decryptor or WannaCry, essentially locks users out of a system and the files it contains until money is paid to the hackers. As NBC News reported, the malware spread through email phishing programs and specifically exploited a known bug in Windows operating systems:
It was the size of the attack that shocked experts. “The scale of it — that’s pretty unprecedented,” Ben Rapp, the CEO of IT support company Managed Networks, told NBC News' British partner ITV News. “There’s been a lot of ransomware in hospitals, but to see 16 hospitals, last time I looked, and reports of other people — this is probably the biggest ransomware attack we've seen.”
Yet the events of April 12, 2017, are not the headlines of the year in terms of data theft. Russia’s interference in the U.S. elections became a chilling example of how far-reaching, sophisticated and consequential cyberattacks have become. Regardless of who orchestrated Friday’s electronic ransom campaign, Michael Sulmeyer’s piece in the Harvard Business Review illustrates the growing risks businesses around the world must confront as hackers develop more aggressive and penetrating attacks.
Sulmeyer’s exposé directly examines what the rise of Russian hackers means for our businesses – and the sensitive data we entrust to systems that may be more vulnerable than we suspect.
“On the geopolitical stage,” he explains, “Russian hackers have been busy: Their targets have included Estonia (using overwhelming denial-of-service attacks), Georgia (supporting ground operations with cyber operations), Germany (achieving unauthorized access to servers in the legislature), and the United States (stealing data from the Democratic National Committee and emails from John Podesta). But with the U.S. Department of Justice’s (DOJ) indictment of four Russian hackers for breaching Yahoo, the U.S. government is now on record that Russia’s targets are not just geopolitical — businesses are very much at risk as well.”
To emphasize the latter point, look at the ramifications of the breaches that shook Yahoo. Not only were datasets compromised; the fallout also led to severe indirect costs for the company. Sulmeyer noted that “Verizon reached new terms for its acquisition of Yahoo and exacted a $350 million discount toward its purchase price because of the Russian hacks.”
Cybersecurity is Critical for Contingent Workforce Companies
The staffing industry isn’t exempt from or immune to these problems. In her recent article for SIA’s Staffing Stream, Diane Poljak recounted two tragic tales that underscore the importance of cybersecurity for contingent workforce firms:
Take, for example, an in-house staffing employee who mistakenly distributed copies of hundreds of staffing employee W2s to an email address that auto-populated into their email. It was an honest mistake, but cost the staffing company more than $75,000 in credit monitoring for those individuals, should their identities be stolen in the future.
Another industry example is when a hacker released a computer worm that launched a service attack against an IT placement firm’s entire system. The infection caused a 48-hour shutdown of its computer systems. The IT staffing firm incurred extensive costs to repair and restore its system as well as business interruption expenses that totaled more than $750,000.
Protecting Contingent Workforce Data
As we wrote this past November, “When data violations occur, the problems are almost always human in nature. They can be unwitting mistakes such as substandard, poorly implemented or outdated security protocols.” Of course, they can also be intentional. Yet, at their root, attacks succeed because of people, not machines. The good news is that because it’s a human problem, there’s a human solution.
Train Information Teams on Ethical Data Usage
Kaiser Fung, a renowned expert in business analytics and data visualization, observed that other business needs often take precedence over data ethics in the decision-making process: “Managers debate topics such as product innovation, user experience, resource requirements, competitive strategies, and return on investment.” Educating tech teams on the ethical standards of processing that data is an excellent starting point.
- Develop or refine onboarding processes to include training that covers the ethics of data use and handling.
- Bring in internal or external legal experts to coach team members on the legal obligations and best practices for data processing, storage, analysis and distribution.
- Ensure that all applicable contracts or agreements contain solid terms and conditions for data standards, and that related stakeholders are knowledgeable of them.
- Work to promote a business culture for tech teams that encourages open, supportive communications; team members need to be comfortable discussing or identifying topics related to data ethics, and managers must be willing to engage in those dialogs by creating a safe, repercussion-free environment.
As Sulmeyer observes in his article, there exists no foolproof way to defend all our data, systems and networks from every form of cyberattack. The best approach for a strong defense is to identify the assets that must be defended above all else. Sulmeyer recommends that data security professionals determine answers for these questions before creating their strategies:
- What data is so critical that unauthorized access would cripple the company?
- What data must remain available 24/7/365?
- What data needs to be stored?
“If your answer is ‘all of it,’ you’re doing security wrong,” Sulmeyer cautions.
Prepare for the Worst
Dire as it may sound, Sulmeyer suggests that we always presume our systems will be breached: “Assume that compliance is imperfect and that an adversary is already exploiting this imperfection.”
This is sound, practical advice. Now that every organization is becoming a technology company, so to speak, business leaders should adopt the same recovery, business continuity and emergency response plans that IT folks have been relying on for years.
“Investing in your company’s resilience in the face of cyberattacks that target your top priorities will be critical,” Sulmeyer writes. “What resilience looks like depends on the type of work you do and on your priorities. For example, if there is a particular system whose availability is required 24/7/365, have you tested fallback mechanisms and backups?”
Here is a sample outline we have used, which may help form the foundation of your own efforts.
- Stage 1: Immediate Response Steps
- Stage 2: Disaster Declaration and Communication Processes
- Stage 3: Functional Restoration
- Stage 4: “Day 2” Requirements
- Stage 5: Return to Normal
- Stage 6: Plan Distribution, Testing and Maintenance
MSPs who provide onsite coverage at client sites may encounter other complexities. For onsite engagements where a third-party VMS tool or technology is used, MSPs should obtain copies of the provider’s disaster recovery plan, distribute those documents to supplier partners and train their professionals in any scenarios that involve disaster preparedness.
Managing Cyber Liability Risk
Diane Poljak, in her post for Staffing Industry Analysts, also offered some excellent tips for mitigating and controlling risks associated with cyber liability.
- Develop and implement appropriate cyber security policies.
- Create formal processes for updating software, firewalls and antivirus programs.
- Safeguard mobile devices that could contain sensitive personal, corporate, client or talent data; make sure that data is encrypted.
- Implement regular staff training on security procedures and continuity plans.
- Safeguard all information within the workplace, segregating pay information and personally identifiable details on a separate space in the network, with access restrictions imposed.
- Have a breach response plan in place.
- Investigate a company’s security practices before outsourcing any business functions, such as payroll, web hosting or data processing.
- Purchase an insurance policy that covers cyber liability and related issues.
Securing our Workspace from Threats in Cyberspace
To deliver the superior service users expect, it falls on us to make sure that our data standards and security reflect the values and promises we champion in our products – and that those standards apply to every individual who relies on our platforms: hiring managers, contingent workforce program leaders, staffing providers, recruiters, executives and workers. To echo the sentiments of Michael Sulmeyer, progress begins with us. We can’t build impenetrable walls or forge a magic bullet, yet we can develop diverse approaches that will evolve over time to lend greater levels of protection.
“The cyber threat has arrived as a clear and present risk to businesses today,” Sulmeyer concludes, “and addressing it will become a growing cost of doing business.”