BOSTON — Cybersecurity is “one of the scarier topics for people doing business today,” Bethany Coleman-Fire, associate with law firm Davis Wright Tremaine LLP, told attendees of this week's 2015 SIGMA Annual Meeting.
Cybersecurity is so scary because it is constantly changing and it is difficult for companies to figure out how to thwart attacks, Coleman-Fire explained during an educational session Tuesday entitled “Cybersecurity: Practical Considerations for Petroleum Marketers.”
“A lot of terms are bouncing around,” she said, “and most people don’t know what most of them mean.”
Only one thing is for certain: Nobody is immune from cyberattacks. In fact, 71 percent of attacks are waged against smaller businesses.
At convenience stores, skimming at the point-of-sale (POS) is most commonly making news headlines. “There were seven times more POS intrusions in the first quarter of 2014 than all of 2013,” the Portland, Ore.-based attorney relayed.
Still, Coleman-Fire stressed that skimming incidents at the pump are certainly not the only potential cyberattacks c-stores face. Ransomware and denial of service attacks are growing exponentially.
Ransomware occurs when hackers breach a computer system, with the attacker demanding money before the victim can regain control of the operating system. Many retailers have decided to pay off the criminals because it is so difficult for law enforcement officials to bring the offending party to justice, Coleman-Fire acknowledged.
Denial of service attacks happen when a network of computers overwhelms a retailer’s operating system. Hackers can either request money, similar to ransomware, or use the attack as a smokescreen whereby a retailer’s information technology department solely focuses on stopping the attack while a cybercriminal is actually infecting a system with other malware.
Also occurring on a less frequent but growing basis are attacks on mobile devices — mostly on Android devices — as well as attacks on Linux and Mac OS operating systems, she pointed out.
Cyberattacks are definitely scary, but there is good news, revealed Coleman-Fire. There are effective measures c-store retailers can take in an effort to prevent or lessen the impact of cyberattacks.
“Cybersecurity is a family affair,” she said. “The biggest cause of a breach is human error.”
She presented a five-phase approach to fight back against cyberattacks. Included in the game plan:
- Create an effective internal response team with clear responsibilities;
- Select outside counsel;
- Implement fast, low-cost changes;
- Select an incident response team;
- Consider cyber insurance;
- Review current hiring and termination practices, such as pre-employment background checks;
- Update/implement written information security policies and procedures;
- Develop a response plan;
- Implement security awareness training;
- Establish technical controls; and
- Test and maintain the system.
On the topic of cyber insurance, a relatively new industry offering, the attorney advised that c-store retailers should get multiple insurance quotes as the price for some could be “outlandish.” Retailers must review the terms of the insurance plan regarding what happens post-attack, such as whether a c-store operator can pick their own vendors and attorney.
“It can be a scary experience if you don’t know the people who are coming in and trying to fix the problem,” said Coleman-Fire, adding that retailers should also check if the policy covers pre-breach services.
As for how much coverage c-store retailers should seek, Coleman-Fire flatly stated it is too costly to seek coverage for a full breach, which on average costs retailers $5.3 million per incident. The amount of insurance needed varies widely, but $2 million in insurance coverage should be sufficient for single-store operators, she concluded.
The 2015 SIGMA Annual Meeting concludes Wednesday at Boston’s Westin Copley Place.