Future shock: As cyberattacks proliferate, companies have to be aware of not just security responsibilities, but reporting ones

For highly scrutinized industries such as fintech and health care, there’s a group that inspires innovation as much as their own clients, patients, investors or any of their stakeholders. …

And that’s the cybercriminals perpetually prodding for weaknesses in their systems.

For businesses in highly regulated sectors, there’s been a proliferation of digital attacks — fed by the pandemic and more recent geopolitical chaos — that demands innovative answers.

Harris S. Freier. (File photo)

Harris S. Freier, a Genova Burns partner and privacy and cybersecurity law specialist, added that we’re also going to start learning a lot more about those attacks, as regulated companies have new rules requiring more transparency after incidents have happened.

“So, as we saw with that recent (Caesars Entertainment) incident in Las Vegas, where a data breach brought them down for a few days, more and more regulated companies are going to have to start admitting when they’ve paid those ransoms,” he said.

Caesars Entertainment disclosed in a September stock exchange filing that it had suffered a hack, which also affected MGM properties in Las Vegas. Caesars reportedly had to pay some of the $30 million its attackers demanded to keep them for releasing stolen customer data, including Social Security numbers and driver’s license numbers.

While the attacks were further evidence of how prevalent these ransomware-style hacks are today, the public fallout was a sample of the way companies will have to fess up to them after the fact. Under U.S. Securities and Exchange Commission rules that officially take effect Dec. 18, publicly traded companies have to admit more (potentially uncomfortable) details about how hackers hit them and what they came away with.

The requirements were introduced by the SEC in July in an attempt to better elucidate for investors how well the companies they’re trusting their resources with are managing their cybersecurity risks.

“The trend is really toward governments wanting you to report more about these incidents,” Freier said. “At the same time, the number of cybersecurity incidents continues to rise. And I don’t expect that to change.”

The upshot? We’ll all be hearing of more attacks — and more about those attacks.

The advice? Businesses in New Jersey should get as acquainted with them as possible.

“Every business in New Jersey should be making themselves apprised of the threats as well as what they’re expected to do (after them),” Freier said. “While I do think it’s close to impossible to predict how and when these things will happen, you should still be training employees, adding cyberinsurance and doing all you can to prepare for these attacks.”

Mike Dlug. (Stratus ip)

Cybersecurity expert Mike Dlug said there are a couple of factors that go into the fact that ransomware attacks are striking seemingly everywhere, all the time. One is the much-discussed shift to remote work and the crossover of personal and business that has happened over the course of the pandemic, which led to more success with phishing-style attacks and password swiping.

Another is the profiteering of international ransomware for potentially nefarious ends. Dlug said that, in scanning his own company’s firewalls, they’re constantly seeing attempts to penetrate their safeguards originating from Europe, Russia and the Middle East.

“And we’re just a 40-person company in South Jersey,” he said. “If you’ve got that kind of activity from international actors going after us, what do you think a multithousand-employee hospital system is facing?”

Dlug is CEO of Moorestown-based Stratus ip. His company views the current landscape as an opportune one for introducing a new cybersecurity solution. They call it CIRRUS, and it, in short, assesses a company’s readiness for various attack scenarios. It’s designed for companies with “understaffed, overworked IT staff that are managing more than they should,” Dlug said.

Innovation in the area of cybersecurity involves identifying an ever-evolving list of potential vulnerabilities in networks. It also involves doing more “dark web” scanning, Dlug said.

“That’s a scary place that’s actually five times bigger than the internet itself,” he said. “That’s essentially where all the criminals go. You don’t want your data getting there, and if it is — you need to know about it.”

Dlug said his company, upon signing up a school district in New Jersey for its services, discovered hundreds of their credentials up for grabs on the dark web. That’s a liability issue, he said. And it means they have to notify affected parties.

There’s a number of ways an organization can find out they’ve got some explaining to do.

With more, by mandate, asked to do that explaining … are companies aware as they should be of the need to stave off cybersecurity attacks?

Without a hint of hesitation, Dlug answered, “No.”

“But it is growing,” he said. “And it’s hard not to, when you see hacks daily, such as this Caesars breach, costing companies tens of millions of dollars and forcing companies to notify everyone of it. But, regardless, companies unfortunately are just not as prepared as they need to be.”