Cyber Attacks On Your Business
Cyber attacks, including espionage, on business websites and computer systems are increasingly common. If security is breached and confidential business and personal data compromised, a business can suffer extreme damage. Cyber attacks and the resulting security breaches are part of a rapidly expanding international cyber threat that costs companies and taxpayers billions of dollars each year in lost information and response costs. Company executives are under increasing pressure to prevent these attacks and must act immediately to contain any damage once an attack occurs.
Cyber attacks take many forms, including: gaining, or attempting to gain, unauthorized access to a computer system or its confidential data such as pricing information and customer lists; unwanted disruption or denial of service attacks, including the takedown of entire websites; installation of viruses or malicious code (malware) on a computer system; the diversion of funds from business accounts; and the inappropriate use of computer systems by employees or former employees.
There are a number of actions that company executives should take to prevent or reduce cyber attack risks. Initially, the company’s computer system should be evaluated for weak links in its security chain and then an internal document should be drafted that sets company objectives to address the weaknesses. Common proactive measures include the following:
- Having the company’s database on a different web server than the application server.
- Applying the latest security patches and protecting all passwords.
- Using read-only views of documents and materials when possible.
- Maintaining strict input validation.
- Developing network security architecture.
- Monitoring activities and procedures of third-party contractors with access to the computer system (whether direct or remote).
- Performing network scans to assess activity on the network.
- Comparing outbound network traffic to baseline operations.
Moreover, companies should pay particular attention to the access granted to employees and independent contractors. The company should implement and maintain an enterprise-wide risk data management program to ensure the security of company and customer data. As part of this program, company executives should work with the IT, human resources and other appropriate departments to restrict employee access to information. Employees should only have access to information related to their job functions.
If a cyber attack occurs or espionage is discovered, the company should respond by eliminating the threat and restoring the system, gathering evidence concerning the attack, and pursuing civil remedies against those responsible. The Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) is the primary federal statute regulating cyber attacks. The CFAA generally prohibits: (i) accessing computers without authorization, or in excess of authorization; and (ii) using such unlawfully accessed computers to obtain information that causes loss, damage or defrauds another or the US government. In particular, the CFAA authorizes a civil action against a person who knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization. The plaintiff generally must allege losses of $5,000 or more. Violators may also face civil liability under the Wiretap Act (18 U.S.C. §§ 2510-2522), as amended by the Electronic Communications Privacy Act, for the interception, use or disclosure of wire and electronic communications, and under the Stored Communications Act (18 U.S.C. § 2701) for intentionally accessing, without or in excess of authorization, a facility through which an electronic communication service is provided, to obtain or prevent authorized access to a wire or electronic communication while it is in storage in the facility. State law may also provide remedies under the Uniform Trade Secrets Act.
When the company believes a crime has been committed, it should be reported to local law enforcement and also to the Internet Crime Complaint Center (www.ic3.gov). The IC3 is a partnership between the FBI and the National White Collar Crime Center which receives, develops and refers criminal complaints regarding cyber crime. It gives the victims of cyber crime a reporting mechanism that alerts federal, state, and local authorities to suspected criminal violations and coordinates their efforts.
Of course, proactive preventive measures are the most cost-effective means of dealing with cyber attacks and avoiding significant damage to your business. Accordingly, you should not delay in evaluating and enhancing your company’s information system security.
For questions, comments or additional information, please contact Dan Fiore, Partner in our Corporate & Business Services Group, at dfiore@regerlaw.com or via phone at 215.495.6533.