Q&A with Ruth Kinzey: The Reputation Impact of a Cyber Breach – What Are the Potential Risks and How Can Organizations Mitigate Them?

Written by Ruth Kinzey

As current events clearly illustrate (Adobe, Target and eBay breaches), there is more to cyber breach than lost data – a massive cyber incident has also the potential to deeply harm the victim /company’s reputation. Today we would like to explore the issue of reputation management with regard to cyber threats.

For this we have invited Ruth Kinzey, who kindly agreed to share herviews on the topic.

Ruth Kinzey, MA, is a reputation strategist with more than 35 years of communications experience. Ruth is a professional speaker, consultant, author, trainer, and adjunct faculty member of Rutgers University. She is founder and president of The Kinzey Company, an organization dedicated to helping clients proactively and strategically enhance and protect their reputations.

Ruth Kinzey

Q: How does strategic reputation management differ from PR or online reputation management?

Both public relations and online reputation are part of the strategic reputation management equation. Being strategic about an organization’s reputation means taking a holistic view by analyzing multiple audiences and communication channels; determining how well aligned the company is within itself; and examining the context in which the business operates. The organizational context takes into account the potential impact local, national and even international events can have on an organization’s reputation in addition to what is happening in the institution’s industry or sector as well as the culture of the firm.

The goals of strategic reputation management are to proactively enhance an organization’s reputation and to help protect it in times of crisis. Consequently, it’s also necessary to understand the organization’s current reputation as well as its reputational goals.

Q: What are the challenges of reputation management in today’s world of cybercrime and cyber warfare?

The cyber world is a bit like the “Wild West.” Laws are not consistent from country to country. Judicial rulings are challenged to keep pace with cyber crime. And while breaches, which impact the privacy of individuals and organizations, can be significant – even catastrophic, the perpetrators must be caught before they can be dealt with aggressively. So, the problem with “cyber lawlessness” is that it financially victimizes the institution and its many stakeholders and can tarnish reputations. This is why every organization should assess and manage its cyber risk.

System vulnerabilities must be identified, prioritized, and mitigated as much as possible. Because hackers are enterprising and highly likely to find weak links in the operating system that an organization may not even realize are present, a crisis plan should be created, too. That way, when a company – or even a nonprofit – is in the midst of dealing with some type of “cyber atrocity,” the organization isn’t trying to make important decisions such as when to notify government agencies, law enforcement, and customers. The institution also isn’t scrambling to determine the best way to contact customers or shareholders or what they should do to help clients or employees best manage the breach.

Without developing cyber risk mitigation measures and carefully constructing a crisis plan, an organization is going to lose more than data. The breach will lead to a reputational disaster, too, because the company will not be prepared on either front. Depending upon the degree of damage that occurs, the business may or may not be able to recover.

Q: Do you think today’s C-suite and upper management understand the impact a cyber incident could have on the organization’s reputation? And, do you believe they are doing anything to mitigate it?

One cannot listen to the news without recognizing the likelihood of a cyber attack. And, there are many businesses – even departments within the government – that have experienced data breaches. Consequently, there are case studies explaining what happened, how the organization managed the crisis, and the resulting reputational impact. So, senior leadership understands cyber crime is a very real threat to an organization’s operation and reputation.

However, is upper management doing anything to mitigate it? That is a very different question. And, the response varies from company to company.

Dealing with cyber crime requires vigilance and money, particularly as hackers become more and more sophisticated in their techniques. Senior leadership and the government are recognizing the importance of collaboration and information sharing. Industry and professional organizations are realizing they have a role in bringing together members to focus on the cyber crime issue and to help tackle this worldwide problem as well.

Q: Which is more harmful: insufficient security of corporate information or customers’ information? What could lead to greater reputational damage?

Both are harmful and both have the potential of damaging reputations. Depending upon the amount and type of data compromised, an individual could experience financial devastation and significant reputational damage. The actions of a business – before, during and after a cyber attack – could result in catastrophic financial implications as well as a severely damaged reputation.

People want to know the company has taken appropriate measures to protect data and that the business is doing all it can to keep personal information safe. In addition, the public wants a trustworthy business partner that keeps them informed about security issues and is willing to help them during the aftermath. A company not perceived as behaving in a proactive and trustworthy manner will experience even greater reputational damage.

Q: How can reputational damage be contained?

It is impossible to entirely contain reputational damage because an organization’s reputation is ultimately in “the eye of its beholder.” Having said this, there are steps a business can take to help reduce the severity of reputational damage.

First, it is important for the company to proactively enhance its reputation through actions such as exemplary customer service, ethical and transparent conduct, and environmentally and socially responsible behaviors. Model performance builds trust and goodwill. This positive reputation helps the public believe in the good intentions of the organization, which causes a more favorable opinion and generates support during times of trouble.

Having a crisis management plan, which includes communication, will help an organization better protect its reputation when in the midst of a cyber attack. Minutes count in any crisis, so having protocols and procedures established improves an organization’s responsiveness to the situation and enables the firm to respond to its many stakeholders in a more thoughtful, strategic manner – both during and after the cyber crime.

Q: Can reputational data be measured?

Yes. But the methodology can vary, depending upon what is being measured.

Insurance companies are paying closer attention to the impact a negative reputation has on a company’s success. Some insurers even offer public relations or media relations assistance when they become aware of potential crises being faced by clients. Other agencies offer reputation insurance because they are keenly aware of the financial impact involved when reputational loss occurs.

If publicly owned, the investor relations department may judge the degree of reputational capital the organization has by factors such as the stock price or number of investors; whereas, the marketing department may measure the number of lost customers, customer feedback, and overall lagging sales. On the other hand, the media relations department may judge the status of the company’s reputation by the types of media inquiries, the tone of articles, the frequency of references to the company in relation to a security breach, or other even more sophisticated parameters. And, there are many online agencies that examine the social profile of a business and offer reputational insights in conjunction with this.

So, reputation – both positive and negative – can be measured. But, it is important to know exactly what you are trying to measure and to have objectives clearly in mind before selecting the best form of measurement to capture this information.

Q: Can an organization’s reputation recover after a cyber attack?

It is possible for an organization to recover after a cyber attack. However, this is primarily dependent upon the company’s actions before, during and after the occurrence of this crime.

The public wants to know the firm took appropriate precautionary steps. Were systems in place to help mitigate such attacks? Was management vigilant and issues escalated upon detection?

Also, were victims – and potential victims – notified quickly about the compromise in security and kept abreast as to how their data was affected? Even if a firm doesn’t know the full implications of the breach, it’s a good idea to offer general information and to provide suggestions for protecting personal data.

Not only is a company’s conduct important prior to and during the unfolding of a cyber attack, but people judge a business on its behavior after such an incident. Does the firm demonstrate its understanding of the gravity of the situation? What actions will it implement to try to protect against the same type of situation from occurring again? Are people within the institution being held accountable, particularly if the event was preventable or could have been better contained? Is the organization trying to help victims by taking steps such as offering free credit monitoring?

Overall, the public can be amazingly forgiving, if a business has a good reputation and demonstrates exemplary conduct in how it manages a cyber attack. If this is the case, even if there is a dip in stock performance or lower sales in the short term, people will return. However, if the business has not been proactive in trying to protect its data, lacked transparency in its reporting, or failed to demonstrate its genuine regret for what happened, it will be much more difficult to regain customer, investor, government and public trust.

Cyber Threats to the Healthcare Industry

Written by Gal Landesman

Introduction

The healthcare industry is advancing rapidly, linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms. Tremendous technological advancements in the medical industry bring with them a greater reliance on software-controlled devices and wireless technologies. These technologies are used in any visit to the doctor and in hospital wards. Many of them connect or have the capability to connect to the Internet. Alongside the opportunities presented, the industry is also a major target for cyberattack, mostly for financial motivationIn the following post, we will present some of the cyber threats currently faced by the healthcare industry.

In today’s environment, organizations are required to take responsibility for securing their networks and computers. Alarming vulnerabilities in medical devices have caused the FDA to issue guidelines for cyber security of the medical device industry. The U.S. Health Information Technology for Economic and Clinical Health Act, for example, permits the fining of hospitals and other organizations up to $1.5 million a year for serious security incidents. Unfortunately, the industry is falling short of complying with said security standards. Last year, for example, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) performed a random audit of 20 healthcare organizations, 19 of which failed.

(Note –  this blog post is an excerpt from our report: ”Cyber Threats to the Healthcare Industry”. If you are interested in receiving the full report, please write to: info@sensecy.com).

Threats to the Healthcare Industry

According to security experts, cyber criminals are shifting their focus from the financial industry to the healthcare industry, today an easier and more profitable target. Healthcare records contain valuable information for cyber criminals, such as social security numbers and personal information. Credit card records sell for an average of $2, while medical records can fetch about $20 on the black market. According to the Experian 2014 Data Breach Industry Forecast, the healthcare industry is likely to make the most breach headlines in 2014, despite the fact that 2013 was a year of mega-breaches in the healthcare industry.

Hackers' ransom note, after breaking into a Virginia government website
Hackers’ ransom note, after breaking into a Virginia government website

Identity and Information Theft

Medical identity theft occurs when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and goods, or attempts to commit fraudulent billing. Information theft can include the theft of personal information for malicious use, such as selling it on the DarkNet. According to a Ponemon Institute 2013 survey, medical identity theft claimed more than 1.84 million U.S. victims in 2013. Medical identity theft is on the rise in the U.S., where the number of victims in 2013 increased by 19%.

Medical Device Breaching

Over the last 15 years, a growing number of medical devices have become interconnected through hospital networks, the Internet, smartphones and other devices, increasing their vulnerability. This has not escaped the attention of the FDA who recently issued new guidelines to biomedical engineers, healthcare IT and procurement staff, medical device user facilities, hospitals and medical device manufacturers.

The new FDA guidelines came in response to the 2012 findings of a governmental panel that revealed that computerized hospital equipment is increasingly vulnerable to malware infection that can potentially render these devices temporarily inoperable. Many of the devices run on Windows variants. They are interconnected through internal networks to the Internet and are also exposed to laptops in the hospitals, making them vulnerable to malware.

An example of the implications that could be caused by such systems was demonstrated by the medical-device panel from the NIST Information Security & Privacy Advisory Board, who described fetal monitors in intensive-care wards that were slowed down due to malware infection. This problem can affect a wide range of devices, such as compounders, diagnostic equipment, etc.

A report issued by the Government Accountability Office (GAO) warned mostly about vulnerabilities found in wireless implanted defibrillators and insulin pumps, but thousands of other network-connected life-saving devices are also vulnerable. Malware in medical devices is probably much more prevalent than we know, since most of it is not reported to the regulators and there are no records. The OS updating process for medical devices is an onerous regulatory process.

Cyber threats to medical devices (from the GAO report)
Cyber threats to medical devices (from the GAO report)

Conclusion

We believe that the healthcare industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Cyber Threats to the Shipping Industry

Introduction

Several cyber threats pertaining to the shipping industry have been reported of late, illustrating the vulnerability of this industry – a fact that cyber criminals, terrorists and even hacktivists are already exploiting.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Shipping Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Vulnerabilities of Automatic Identification System Exposed

Researchers at the Trend Micro security firm reported they had identified major security breaches in the Automatic Identification System (AIS). The AIS is a global system that identifies and tracks vessels in real time. The system periodically transmits the position, speed and heading of a vessel, among other information. It was mandated by the International Maritime Organization (IMO) in all passenger and commercial vessels over 300 metric tons. During an experiment, the researchers managed to break into the system and alter data in real time.

The researchers were able to spoof the route of a vessel to spell "PWNED", meaning "hacked"
The researchers were able to spoof the route of a vessel to spell “PWNED”, meaning “hacked”

The breach was carried out in two phases:  first they identified the main AIS Internet providers that collect and distribute AIS information, and exploited their vulnerability to manipulated data:

  • Modification of all ship details such as position, course, cargo, flag, speed, name, MMSI (Mobile Maritime Service Identity) status, etc.
  • Creation of fake vessels with the same details, e.g. having an Iranian vessel with nuclear cargo show up off the coast of the U.S.

In the second phase, they exploited flaws in the AIS communication protocol mandatory in hardware transceivers in all vessels. Using a US$200 transceiver (using Marine VHF channels 161.975 MHz and 162.025 MHz) they were able to:

  • Permanently disable the AIS system on a vessel, forcing the ship to stop communicating its position, and also stop receiving AIS notifications from all vessels in the vicinity.
  • Issue a fake CPA alert (Closest Point of Approach) and trigger a collision warning alert.
  • Fake a “man-in-the-water” distress beacon at any location that would also trigger alarms on all nearby vessels.
  • Send false weather information to a vessel, e.g. storm approaching, to route around.
  • Cause all ships to transmit AIS traffic much more frequently than normal, flooding the channel and blocking communications from marine authorities and other vessels in range.

This security breach allows hostile entities to alter the real-time data of vessels sailing the seas, with the potential to cause economic damage, in addition to the serious safety risks to vessels or sabotaging the activities of marine enforcement agencies (police, coastguard etc.). The security gap is particularly worrisome because it does not require expensive equipment or impressive hacking capabilities to utilize it. The threat is that terrorist organizations could exploit this vulnerability, which could lead to serious physical consequences and even the paralysis of maritime traffic in a particular area.

Cyber Attack Breaches Port Security; Container Hijacked

On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived.

The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved. It was apparently uncovered with the recent arrests of members of the “Silk Road” website who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that in a related series of raids managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars.

KVM devices used in the Antwerp attack
KVM devices used in the Antwerp attack

The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems. The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers.

Cyber Threats to the Aviation Industry

The aviation industry faces major risks on all of its fronts: from the air traffic control systems, to the aircraft themselves, to the airline companies and airports and border crossings. The identified threats stem from the current nature of aviation industry systems, which are interconnected and interdependent.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Aviation Industry”. If you are interested in receiving the full report please write to: info@sensecy.com)

On August 13, 2013, the AIAA officially released a Decision Paper entitled “A Framework for Aviation Cyber security”, outlining existing and evolving cyber threats to the commercial aviation enterprise and noting the lack of international agreement on cyber security in aviation. There is no common overall coordination of efforts seeking a global solution.

According to the report, the global aviation system is a potential target for a large-scale cyber attack with attackers focusing on malicious intent, information theft, profit, “hacktivism”, nation states, etc.

Aviation

The risks are not only theoretical. As portrayed below, some of the aforementioned security concerns have already been realized by hackers in real-life.

  • A presentation at the ‘Hack in The Box’ security summit in Amsterdam in April 2013 has demonstrated that it is possible to take control of an aircraft’s flight systems and communications using an Android smartphone.
  • Sykipot is a tool that serves as a backdoor that an attacker can use to execute commands on the affected system. It is being used to gather intelligence about the civil aviation sector in the U.S. Like most targeted attacks, Sykipot infects using spear-phishing techniques by sending emails with malicious attachments. Lately, as identified by Trend Micro, Sykipot has been observed gathering intelligence on the U.S. civil aviation sector. The intentions of this campaign are unclear as yet. Sykipot has a history of targeting U.S. Defense Initial Base (DIB) and key industries over the past six years.
  • Conficker, a worm that has infected millions of computers worldwide, infected the French Navy network on 2009, forcing it to cut connectivity to stop it from spreading, and to ground its Rafale fighter jets. It was probably introduced through an infected USB drive.
  • In 2008, Spanair flight 5022 crashed just after take-off, killing 154 people. According to the Spanish government’s Civil Aviation Accident and Incident Investigation Commission (CIAIAC), the disaster occurred because the central computer system used for monitoring technical problems in the aircraft was infected with a Trojan horse.
  • In 2008, the FAA reported that the computer network in the Boeing 787 Dreamliner’s passenger compartment was connected to the aircraft’s control, navigation and communication systems – a cause for grave security concern. This connection renders the plane control system vulnerable to cyber attack. Boeing advised that they would address the issue
Aviation sector under threat of cyber attacks

We believe that the aviation industry is facing major threats from cyberspace and these threats encompass large areas of the industry and may become a greater burden for it, compromising the safety of the passengers, and causing financial and commercial damage to the associated companies.