May 19, 2020
For all the wonders and conveniences that come with this digital world, we must not allow ourselves to ignore the persistent threat of hackers. Technology accords us a great deal of new comforts – and with them, new perils. The global cyberattacks that erupted on Friday offered another profound object lesson. A massive infection of malware plagued at least 75,000 computers across nearly 100 countries. The perpetrators targeted dozens of hospitals in England, multinational businesses such as FedEx and Spain’s largest telecommunications provider. Companies in the United States were urged to place themselves on high alert and take precautions against intrusions. As contingent workforce leaders, we’re placing more of our business information and employee data into computers each year. That means we face greater losses if our systems are compromised. I think it’s a good time to discuss steps we can take to guard against cyberattacks.
Experts believe the latest attacks were inspired by a National Security Agency (NSA) tool kit that was leaked last year. The malicious software, called the Wanna Decryptor or WannaCry, essentially locks users out of a system and the files it contains until money is paid to the hackers. As NBC News reported, the malware spread through email phishing programs and specifically exploited a known bug in Windows operating systems:
It was the size of the attack that shocked experts. “The scale of it — that’s pretty unprecedented,” Ben Rapp, the CEO of IT support company Managed Networks, told NBC News' British partner ITV News. “There’s been a lot of ransomware in hospitals, but to see 16 hospitals, last time I looked, and reports of other people — this is probably the biggest ransomware attack we've seen.”
Yet the events of April 12, 2017, are not the headlines of the year in terms of data theft. Russia’s interference in the U.S. elections became a chilling example of how far-reaching, sophisticated and consequential cyberattacks have become. Regardless of who orchestrated Friday’s electronic ransom campaign, Michael Sulmeyer’s piece in the Harvard Business Review illustrates the growing risks businesses around the world must confront as hackers develop more aggressive and penetrating attacks.
Sulmeyer’s exposé directly examines what the rise of Russian hackers means for our businesses – and the sensitive data we entrust to systems that may be more vulnerable than we suspect.
“On the geopolitical stage,” he explains, “Russian hackers have been busy: Their targets have included Estonia (using overwhelming denial-of-service attacks), Georgia (supporting ground operations with cyber operations), Germany (achieving unauthorized access to servers in the legislature), and the United States (stealing data from the Democratic National Committee and emails from John Podesta). But with the U.S. Department of Justice’s (DOJ) indictment of four Russian hackers for breaching Yahoo, the U.S. government is now on record that Russia’s targets are not just geopolitical — businesses are very much at risk as well.”
To emphasize the latter point, look at the ramifications of the breaches that shook Yahoo. Not only were datasets compromised, the fallout led to severe indirect costs for the company. Sulmeyer noted that “Verizon reached new terms for its acquisition of Yahoo and exacted a $350 million discount toward its purchase price because of the Russian hacks.”
The staffing industry isn’t exempt from or immune to these problems. In her recent article for SIA’s Staffing Stream, Diane Poljak recounted two tragic tales that underscore the importance of cybersecurity for contingent workforce firms:
Take, for example, an in-house staffing employee who mistakenly distributed copies of hundreds of staffing employee W2s to an email address that auto-populated into their email. It was an honest mistake, but cost the staffing company more than $75,000 in credit monitoring for those individuals, should their identities be stolen in the future.
Another industry example is when a hacker released a computer worm that launched a service attack against an IT placement firm’s entire system. The infection caused a 48-hour shutdown of its computer systems. The IT staffing firm incurred extensive costs to repair and restore their system as well as business interruption expenses that totaled more than $750,000.
As we wrote this past November, “When data violations occur, the problems are almost always human in nature. They can be unwitting mistakes such as substandard, poorly implemented or outdated security protocols.” Of course, they can also be intentional. Yet, at their root, attacks succeed because of people, not machines. The good news is that because it’s a human problem, there’s a human solution.
Kaiser Fung, a renowned expert in business analytics and data visualization, observed that other business needs often take precedence over data ethics in the decision-making process: “Managers debate topics such as product innovation, user experience, resource requirements, competitive strategies, and return on investment.” Educating tech teams on the ethical standards of processing that data is an excellent starting point.
As Sulmeyer observes in his article, there exists no foolproof way to defend all our data, systems and networks from every form of cyberattack. The best approach for a strong defense is to identify the assets that must be defended above all else. Sulmeyer recommends that data security professionals determine answers for these questions before creating their strategies:
“If your answer is ‘all of it,’ you’re doing security wrong,” Sulmeyer cautions.
Dire as it may sound, Sulmeyer suggests that we always presume our systems will be breached: “Assume that compliance is imperfect and that an adversary is already exploiting this imperfection.”
This is sound, practical advice. Now that every organization is becoming a technology company, so to speak, business leaders should adopt the same recovery, business continuity and emergency response plans that IT folks have been relying on for years.
“Investing in your company’s resilience in the face of cyberattacks that target your top priorities will be critical,” Sulmeyer writes. “What resilience looks like depends on the type of work you do and on your priorities. For example, if there is a particular system whose availability is required 24/7/365, have you tested fallback mechanisms and backups?”
Here is a sample outline we have used, which may help form the foundation of your own efforts.
MSPs who provide onsite coverage at client sites may encounter other complexities. For onsite engagements where a third-party VMS tool or technology is used, MSPs should obtain copies of the provider’s disaster recovery plan, distribute those documents to supplier partners and train their professionals in any scenarios that involve disaster preparedness.
Diane Poljak, in her post for Staffing Industry Analysts, also offered some excellent tips for mitigating and controlling risks associated with cyber liability.
To deliver the superior service users expect, it falls on us to make sure that our data standards and security reflect the values and promises we champion in our products – and that those standards apply to every individual who relies on our platforms: hiring managers, contingent workforce program leaders, staffing providers, recruiters, executives and workers. To echo the sentiments of Michael Sulmeyer, progress begins with us. We can’t build impenetrable walls or forge a magic bullet, yet we can develop diverse approaches that will evolve over time to lend greater levels of protection.
“The cyber threat has arrived as a clear and present risk to businesses today,” Sulmeyer concludes, “and addressing it will become a growing cost of doing business.”