All it took was one menacing message to create turmoil at Dallas-based Dickey’s Barbecue.
CEO Laura Rea Dickey remembers it like it was yesterday. “It [said], ‘Congratulations, you have downloaded our physical CryptoLocker virus,’” Dickey, then-chief information officer, remembers about the April 2015 incident. The message, displayed across an employee’s computer screen, set off an unexpected mini-crisis on what was otherwise a typical day at the headquarters of the barbecue-restaurant company. Normally, the headquarters is focused on developing new ways to meet its customers and leverage its slow-smoked barbecue and southern hospitality. “We’re barbecue, not brain surgery,” says Dickey. But the day quickly became complicated when a marketing department computer went black, displaying nothing else but the threat. The virus infiltrated the company’s marketing files, holding them for a ransom of $6,000. The company had 72 hours to meet the request or access to the files would be permanently denied. It was a first for Dickey, whose husband was running the company as CEO at the time. “It was a very bad day at the office, and a very bad dinner at home,” she says.
Dickey’s had a choice to make: Lose the marketing assets that cost well over the $6,000 requested by the cyber thieves, or pay the ransom and look the other way. It was an easy decision to make, says Dickey: “We opted not to pay to have our data come back. From an educational understanding … to the business ethics of not being held hostage for something … it was marketing and creative assets we could recreate.” So the company spent thousands of dollars reshooting photos, redoing videos, and rebuilding what had been lost. And while the company lost money and time undoing the damage, the crisis created an opportunity for improvement that Dickey didn’t take lightly. With that day burned into her memory, the company has since implemented automated systems that create redundancy in its cybersecurity checks and scans.
Though Dickey’s experience was one for the books at the barbecue-restaurant company, cybersecurity crises have become increasingly common across industries. And though most companies have developed cybersecurity strategies in recent years and even begun prioritizing them, keeping systems and data secure continues to be a daunting task. As security gets more sophisticated, so do cyber criminals. And as technology makes its way into every piece of every business, more and more data is put at risk, leading to more breaches. U.S. data breaches through June 30, 2017 hit a half-year record high of 791, representing a 29 percent increase over the same period in 2016, according to numbers released in July by nonprofit Identity Theft Resource Center and CyberScout, an identity and risk management services company.
The Identity Theft Resource Center estimated in July that the total number of breaches for the year could reach 1,500, which would represent a 37 percent increase over the record year of 2016, when breaches totaled 1,093. On top of all this, cybersecurity operations often require manpower as well as the latest software, both of which can be costly. With the cost of a breach averaging $7.35 million, according to a 2017 study conducted by the Ponemon Institute, the question becomes: How much cybersecurity is enough to prevent a breach?
“One of the problems people have in the corporate sphere is, there are no clear metrics on how to invest in cybersecurity,” says Alvaro Cardenas, assistant professor of computer science at the University of Texas at Dallas, adding that cybersecurity is viewed as a “cost generator.” As a result, companies “tend to invest too little until something happens,” he says. There is no silver bullet to investing in cybersecurity, adds Fred Chang, executive director of the Darwin Deason Institute for Cyber Security at Southern Methodist University. But best practices serve as a foundation for cybersecurity strategies that could mitigate catastrophes. Part of the foundation includes developing a strategy and budget based on proactive, versus reactive, measures, implementing artificial intelligence and automation, hiring enough people to handle the tasks at hand, and making sure the team is qualified enough to respond to the complicated situations. “It’s really an economic perspective: What is my return on investment?” Chang says. “And it’s a hard one [to answer]. When you’re [dealing with different urgent priorities], you have to wear different hats.”
Sarah Hendrickson knows just what that’s like. She’s held information technology and security roles for companies including J.C. Penney, Dell Services, Children’s Health, and, most recently, Neiman Marcus, where she served as the company’s first-ever chief information security officer. “No two breaches are the same,” she says. “So the ways you react to them are unique. It’s tough. No matter how secure you think you are … breaches happen.”
On the Front Lines
During her tenure at J.C. Penney, Hendrickson dealt with a 2007 hack that targeted Penney along with other companies like TJ Maxx and Heartland Payment Systems. At the time, she served as a scribe during the development of the strategy. “It’s really hard when … the U.S. government tells you that you have a problem when you didn’t know you had a problem,” she says, adding that, more often, bad actors attack aggressively and therefore are easy to spot. “In a breach situation, you have to be able to determine that no data was breached. In J.C. Penney’s situation … we couldn’t prove the data had been infiltrated, but we couldn’t prove that it hadn’t. So it was super frustrating.”
Seven years later, Hendrickson had the chance to take the leading role. In November 2014, Neiman Marcus, having suffered a $1.6 million data breach that affected 350,000 customers, appointed Hendrickson as its first-ever chief information security officer. “Sometimes a company doesn’t have enough security as … they should,” she says. “Then when they have a breach, they have an intense focus on security. So I had resources and tools and money. When I initially joined, [the company] was very supportive, very proactive.”
But cybersecurity wasn’t the only grave concern for Neiman Marcus. It was also struggling financially, losing $147.2 million in fiscal 2014. The company began digging itself out, reporting $14.9 million in profit during fiscal 2015, but sank even deeper in fiscal 2016, losing $406.1 million. Around that time, Ignaz Gorischek, vice president of store development, and Wanda Gierhart, chief marketing officer, exited the company, and the retailer slashed 600 jobs. It also had filed for an initial public offering, with rumors swirling that the retailer was seeking a buyer as well.
On or about Dec. 26, 2015, the upscale retailer was hit by hackers again. The cybercriminals stole customers’ full payment card numbers and expiration dates, as well as customers’ names, contact information, email addresses, and purchase history, according to documents filed with the California Attorney General. Neiman’s sent notifications to affected customers, which the retailer identified as InCircle loyalty members or online shoppers. It also offered affected customers one year of MyIDCare, a theft protection service offered through ID Experts.
Hendrickson would not comment on why she left the retailer. But in June 2017, she, too, departed Neiman’s. She was replaced in November by Shamoun Siddiqui, former vice president and CISO at Nationstar Mortgage. Hendrickson, who now works as an independent security consultant, says the effectiveness of a cybersecurity operation can be boiled down to one thing: “It all comes down to the capabilities of [the] response team,” she says. “If they have people in-house … that understand all the parts and pieces … that’s great. More often than not, they don’t have that.”
The lack of cybersecurity talent is a growing problem that the nation is keeping tabs on, says Chang, who spoke and gave written testimony to the U.S. House of Representatives’ Cybersecurity and Infrastructure Protection Subcommittee in September. “The size of the cyber skills gap globally will grow to about 1.8 million in 2022,” he wrote in his testimony. “This is 20 percent higher than an estimate made two years earlier.” Chang says that he’s seen estimates that more than 200,000 job openings are available in the cybersecurity industry. “It’s a big problem,” he says, adding that data breaches will continue to rise as long as the talent to prevent them is not available.
Though there is no way to guarantee 100 percent data security, some of the easiest and often most effective solutions are low-tech.
Dickey’s, for example, was infected by ransomware that was spread to its network via an outside flash drive brought in by a well-meaning employee. It’s a common occurrence, and one Hendrickson says she focused a lot on throughout her corporate tenure: “You can put up all the firewalls and build all the servers. But if you can call someone else or send someone an email that looks legit … that’s something money can’t change.” Dickey echoes the sentiment. “You can budget and forecast for software licenses and what your upgrades will be, [but] it’s the education piece a lot of people overlook,” she says. “Instead of a sophisticated way of someone breaking into your car, it’s like leaving your keys in it.”
For Pamela Arora, CIO at Children’s Health, mitigating human error is key. “It sounds so basic, but every [company’s] weakest link is the individual,” she says. “When it comes to how bad actors try to get into the environment … it’s not only emails, it’s phone calls and social engineering.” This includes cybercriminals gaining the trust of an employee by disguising themselves as a company executive, vendor, or someone else who may need pertinent business information.
While Children’s has plenty of automated security tools in place, it also has a strategy for the human element. “We regularly phish our employees,” Arora says. “So if employees click on attachments [they shouldn’t], they’re redirected to an educational page.” Her team also rewards employees for alerting the company to possible scams they come across. Sometimes, this helps the IT team eliminate the same scam from thousands of other employees’ boxes before they’ve ever even seen it.
Children’s had its own scares with low-tech cybersecurity issues. In November 2009, an employee lost a BlackBerry device at Dallas-Fort Worth International Airport, and someone stole a laptop computer in April 2013. Combined, the two lost devices contained the electronic health records of about 6,262 individuals, according to the U.S. Department of Health and Human Services. Children’s was fined $3.2 million in February 2017 for the incidents. But these two cases were quickly improved upon, Arora says. First, the company implemented physical safeguards to prevent theft. And the BlackBerry problem solved itself as technology advanced. All of Children’s mobile devices are now encrypted, Arora says.
Safeguarding itself from cybercrime goes well beyond the four walls of Children’s. The healthcare system also monitors its connections with vendors, private physicians, and patients—all of whom may be connecting to hospital portals via infected devices. Children’s also works with other healthcare providers in the region, transferring intel when it has information about cyber threats. “Bad actors collaborate quite well,” Arora says. “We as organizations … to protect patient data … need to work our neighborhood watch across our community. We can learn from each other and make it a safer place.”
Keeping abreast of the latest cyber threats and solutions—whether that’s through a network or via research—can help companies set or sharpen their cybersecurity strategies, Cardenas of UTD says. A good place to start is the National Council of Information Sharing and Analysis Centers, which contains information from 24 sector-based organizations that share information on the latest cyber threats facing their respective industry. There’s also the Cybersecurity Framework, a result of President Barack Obama’s 2013 executive order to improve cybersecurity infrastructure. The framework, available online, gathers global standards and practices to help organizations with their cybersecurity strategies.
The good news is that C-level executives, in general, are increasingly open to discussing and investing in cybersecurity initiatives, says SMU’s Chang. “We do find that the budgets are not bad,” Chang says, adding that execs are willing to pay extra to keep their company names from being tarnished as the latest victim of a hack. “The C-suite is saying, ‘This cyber thing is a factor. Here’s a respectable budget.’”
But it’s important that executives keep in mind exactly how that budget is being spent. A reactive plan will look much different, both in terms of strategy and budget, than a proactive plan, Chang says. But one is clearly superior to the other. Think like a hacker, Chang says, and that will guide investment. “If I’m going to spend a million on my cyber defense budget … then next year I’m going to spend 2 million … I’ve doubled [my] spend,” Chang says. “The question to ask is, ‘Have I doubled my security? Do I have the metrics to determine that’s the case?’ Or if you double your spending, can you triple your security? It takes some pretty clear thinking on how to spend the dollars.”