- Robert Stines
Cybersecurity and the Law – by the numbers
The Tampa Bay Chapter of the Federal Bar Association hosted a seminar luncheon titled "Cybersecurity and the Law." Mr. Sri Sridharan, the Managing Director of the Florida Center for Cybersecurity (otherwise known as Cyber Florida) presented on the nation's cybersecurity threat.
Cyber Florida is a state-funded organization dedicated to positioning Florida as a national leader in cybersecurity through education and workforce development. It is hosted at the University of South Florida and works with all 12 State University System of Florida (SUS) institutions as well as industry, government and defense to build partnerships and develop programs that grow and strengthen Florida’s cybersecurity industry.
Sri is very impressive and has achieved some wonderful results at Cyber Florida in a short period. If anyone is interested in a career in cybersecurity, they should investigate what Cyber Florida has to offer.
The Federal Bar event was organized by Ryan McGee and Bryan Hull. On a side note, Ryan is representing affected individuals in cyber breach class actions such as Facebook and Exactis. He is becoming a not-so-young attorney blazing a trail in this area of the law.
At the seminar luncheon, Sri discussed the statistical information that emphasizes why cybersecurity is a major concern for everyone in the cyber age.
By the Numbers
Thus far in 2018, over 3,353,172,708 records have been compromised in data breaches. That amounts to 18,525,816 records lost or stolen every day in 2018, which means that 214 records are compromised per second . . . WOW!
Where are these cyber events occurring? According to Sri, the top five most attacked industries are:
Why Is Healthcare the Prime Target?
I have always wondered what is to be gained by hackers taking personal health information (PHI). Sri explained that PHI is used to commit healthcare and Medicare fraud.
Hackers use stolen healthcare information such as birth dates, policy numbers, diagnosis codes and billing information, to create fake IDs to buy medical equipment or drugs that can be resold.
Hackers can also combine a patient number with a false provider number and then file made-up claims with insurers.
Interestingly, patients or their providers often do not immediately identify medical identity theft. In some situations, criminals have years to exploit such credentials.
It now makes sense to me why medical data is more valuable than credit card information. People notice credit card fraud almost immediately and banks act quickly to remedy the situation.
We Just Aren’t Prepared
Another dismal statistic was that in 2017, 86% of organizations experienced a cyberattack or information theft/loss. 60% of those breaches took minutes to accomplish but months to detect. 27% of those breaches were discovered by third-parties.
Yet, only 23% of organizations have a cyber incident response plan.
Florida is ranked #2 by the number of cyber victims. This may have a correlation with the elderly population who are more gullible to cyber fraud. In Florida alone, $62,671,502 was lost due to fraudulent emails.
Small and Medium Size Businesses
There is much news surrounding large companies that have been breached resulting in thousands of individuals being affected. What we rarely hear about are the cyber events that affect small and medium size businesses (SMBs). Leaders at SMBs should appreciate that they might have the biggest exposure (more to lose) relative to the size of the company.
Within the last year, 54% of small businesses experienced a data breach. 61% experienced some sort of cyber attack. Shockingly, 81% reported that exploits and malware evaded their antivirus solutions. In other words, an antivirus software is simply not enough.
What should get every SMBs attention is that the average cost of remediation and disruption from a data breach is $2.2 million (for a large company the amount increases).
Despite the numbers, SMBs are not prepared for a cyber breach and usually profess that they cannot afford to implement a cyber incident response plan.
According to industry professionals, there will be an increase in social engineering attacks. This prediction is tied to the growth of social media and our reliance on the internet.
As I discussed in a previous blog, Attorneys will impact the Internet of Things, many believe that IoT devices will become major targets. As the number of IoT devices increase at an exponential rate, more devices will have internet connections, which increases the number of potential targets.
The healthcare and financial sectors will remain major targets, but we may see an increase in cyber breaches related to traveler profile and booking data information. Already this year, Orbitz, British Airways, Booking.com, and FastBooking.com reported breaches.
What to do?
While Sri painted a dismal picture, all is not lost. His advice was that we need to become cyber literate and resilient. Some of his advice included:
Train everyone in an organization on cyber threats.
All areas of a company should integrate cybersecurity planning.
Every company should have a designated information security specialist.
Invest in cyber insurance, but be aware of what is covered and the exclusions.
Become cyber resilient – meaning plan for the breach. Unfortunately, it’s not about if your company will suffer a cyber breach, it’s about when.
This is the future people, get used to it.
~ Florida Cyber Lawyer - Robert Stines, Esq., CIPP.