A recent landmark ruling has affirmed that the Federal Trade Commission (FTC) has the authority to regulate corporate cyber security. This has created shockwaves in the security industry: for end-users, who can now be held legally accountable for failing to secure customer information; and for security integrators, who may be liable for their installations.
In late August, the U.S. Court of Appeals for the Third Circuit in Philadelphia ruled against the Wyndham Worldwide hotel chain and for the FTC, finding that the FTC can take action against enterprises and organizations that employ poor IT security practices.
“This is a major deal,” says Bill Bozeman, president and CEO of PSA Security Network, who has spearheaded a recent push for cyber security awareness among its integrators. “I’m not being critical, but a majority of integrators — not just PSA members — and vendor/manufacturers are ill-prepared for what is coming.”
This ruling is fair warning to the industry. Bozeman compares the impact of the coming tidal wave of security concerns to the turmoil caused when industry switched from analog to digital security systems. He says those who have adopted cyber security processes today have a competitive advantage. “We have some of those (integrators), but not many,” Bozeman says.
He adds that soon, just to be eligible to bid on a job, integrators will need to show in-depth cyber security understanding, and that those who refuse to adapt will end up out of the business. “The analog-to-digital change was a 10-year process,” he says. “(For cyber security), I’m talking 18 months, maximum, before integrators who do not conform are out of business.”
“This (ruling) means integrators are left in a significantly exposed position,” concurs Darnell Washington, president and CEO of SD&I Fast50 cyber security integrator SecureXperts. “This raises the bar on cyber security.”
Washington notes that most contract language says integrators are liable for their product, installation and deployment. While manufacturers have almost no liability in this area, a systems integrator who has not followed industry best management practices (BMPs) may be just as exposed as the customer whose site is hacked.
“Cyber security is a must-do,” Washington adds.
Inside the FTC Ruling
The FTC case dates back to 2008-09, when Wyndham’s network was hacked three times. Attackers exported payment card data for more than 600,000 of its customers to a domain registered in Russia, and the fallout included more than $10 million in fraudulent charges.
The FTC said Wyndham came up short on protecting its customers’ data, and it sued Wyndham and three of its subsidiaries in June 2012 for failure to protect its customers from hackers. Wyndham countered that it was a victim of a crime and should be blameless, adding that the FTC has no Congressional mandate to regulate data breaches.
In a 3-0 decision, the Third Circuit sided with the FTC, and agreed that the FTC has the authority to penalize companies for poor IT security practices. In his opinion, Circuit Judge Thomas Ambro cited the FTC’s broad authority under Section 5 of the FTC Act of 1914 to protect consumers from unfair and deceptive trade practices, and wrote that Wyndham “offers no reasoning or authority” for its claim that the agency has no mandate over data security, “and we can think of none ourselves.”
The Court’s ruling came in a drawn-out lawsuit between the FTC and Wyndham, reaching the Third Circuit more than seven years after the first breach. The FTC was almost gleeful when the decision was handed down. “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” FTC Chairwoman Edith Ramirez said in a statement. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
FTC said Wyndham was at fault because it used easy-to-guess passwords, did not protect the corporate network with secure firewalls, and did not restrict third-party vendors from its network — all things a good security integrator should audit.
“The FTC is obviously trying to make a point,” explains data security expert Stu Sjouwerman, founder and CEO of KnowBe4, a provider of security awareness training for organizations in a variety of industries. “They now are a watchdog with live teeth. Integrators need to make all of their partners aware of this fact.”
Although Wyndham’s attorneys have promised to fight further, both Sjouwerman and other legal observers do not expect Wyndham to appeal to the U.S. Supreme Court. Wyndham is one of only two companies to fight an FTC data-security enforcement action in court; the other one is out of business. The 50-plus other firms the FTC has pursued over data security have settled. Most likely, Wyndham will go back to the table and negotiate a settlement.
The Impact of the Decision
“This decision is definitely a heads-up. It means your organization is required by law to secure customer information. If you don’t protect it to the maximum extent you can, you will be in a world of hurt,” Sjouwerman says.
Sjouwerman says the FTC decided to make an example of Wyndham — to “put a head on a pike” he says. In short, the Court supported the FTC’s claim that “inadequate data security can be an unfair trade practice.” Thus, the FTC can penalize companies that have lax security.
“This court decision has a major impact on how organizations will handle cyber security issues,” Sjouwerman says. “It gives a golden opportunity for integrators. With the FTC on board, every integrator should have a chat with all their clients’ corporate counsels.”
Security clients should be afraid. Data breaches are the number-one growth market for lawyers, Sjouwerman says. In a state like California, where any breach affecting more than 500 residents must be reported to the Attorney General, who publishes it, the old ambulance chaser has turned into a class-action lawyer who makes firms pay for data breaches. Security integrators need to do audits and offer programs and technology to keep their customers as secure as possible.
“It makes total sense for an integrator to look at the low-hanging fruit and plug that hole,” Sjouwerman says.
Cyber Vulnerabilities Continue to Grow
According to the FTC’s complaint, Wyndham’s repeated security failures exposed consumers’ personal data to unauthorized access. Those failures included not using basic security measures such as complex user IDs and passwords, firewalls, and network segmentation between the hotels and the corporate network.
In addition, the FTC said Wyndham allowed improper software configurations, which resulted in the storage of sensitive payment card information in clear text.
Each Wyndham-branded hotel has its own property management computer system that handles payment card transactions and stores data such as payment card account numbers, expiration dates and security codes. According to the FTC, in the first breach in April 2008, intruders gained access to the local computer network of a Phoenix Wyndham-branded hotel, which was connected both to the Internet and to the corporate network of Wyndham Hotels and Resorts. From there the intruders reached the corporate network and the property management systems of other hotels.
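Two of the failures the FTC listed above, clear-text storage of payment card data and the storage of security codes, are things an integrator can check for directly during an audit. The following is an added example, not code from the article, the FTC or any company quoted here: a small scanner that walks a log or configuration file, finds digit runs that pass the Luhn check (so booking references and timestamps are not reported as card numbers), and flags any stored card verification value. The sample log is constructed for the example, its field names are assumed, and the card numbers are the standard Visa and Mastercard test numbers, not real accounts.

```python
import re

# Constructed sample of the kind of file the FTC said Wyndham's property
# management systems left readable: an authorization log with card data in
# clear text. Field names are assumed; the card numbers are the standard
# Visa and Mastercard test numbers, not real accounts.
SAMPLE_LOG = """\
2008-04-12 10:14:03 PHX01 AUTH guest=smith pan=4111111111111111 exp=0910 cvv=123 amt=189.00
2008-04-12 10:15:47 PHX01 AUTH guest=jones pan=5500000000000004 exp=1109 cvv=456 amt=240.50
2008-04-12 10:16:02 PHX01 INFO booking ref=1234567890123456 room=412
2008-04-12 10:17:30 PHX01 AUTH guest=lee pan=411111XXXXXX1111 exp=**** amt=99.00
"""

# Runs of 13-19 digits, optionally separated by spaces or dashes, that are not
# part of a longer digit run (so a timestamp or a 20-digit ID is not matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card verification value must not be stored after authorization at all.
CVV_RE = re.compile(r"\b(?:cvv|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the first six and last four digits, never the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_clear_text_pans(text: str) -> list:
    """Return (line number, kind, masked value) for each clear-text card datum."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):          # drops the Luhn-invalid booking ref
                findings.append((lineno, "PAN", mask_pan(digits)))
        for _ in CVV_RE.finditer(line):
            findings.append((lineno, "CVV", "***"))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_clear_text_pans(SAMPLE_LOG):
        print(f"line {lineno}: clear-text {kind} {value}")
```

Run against the sample, the scanner reports the two full card numbers and two security codes on lines 1 and 2, ignores the 16-digit booking reference on line 3 because it fails the Luhn check, and passes line 4, where the number is already truncated. The report itself masks the PANs so that the audit output does not become a second copy of the clear-text data.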
“With the average cost of a data breach skyrocketing and costs of ransomware infections running over $18,000 per victim, relegating security awareness training to an annual lunchtime ‘death by PowerPoint’ is no longer a viable option,” says Sjouwerman. “Furthermore, many companies were caught by surprise when they found their backups failed after a ransomware infection, underlining a need for more proactive action.” His company offers a crypto-ransom guarantee — covering the ransom in Bitcoin if a customer gets hit with ransomware after training their users.
Washington notes that today the potential losses go well beyond financial hits to more serious liabilities, including individuals’ health and welfare. Sjouwerman points out that it is far cheaper to train users than to pay the fines and heavy costs associated with a data breach; Juniper Research pegs that figure, industry-wide, at $2.1 trillion by 2019.
Every data-centric integrator is familiar with the seven-layer OSI stack. Sjouwerman suggests an eighth layer be added: the human factor in the network. Workers naively open supposed voice mail attachments, click links and unzip files, and soon the hacker owns the system.
Osterman Research studies show five of the six most serious concerns of security-focused decision makers are directly related to phishing or its aftermath. The study said, “It is important to invest sufficiently in employee training so that the ‘human firewall’ can provide the best possible initial line of defense against increasingly sophisticated phishing and other social engineering attacks.”
Plan of Attack for Integrators
PSA offers its 200 members a program of products and services to meet cyber security needs. “Eventually, all integrators will be forced to do it,” Bozeman says. “It’s best to do it now so you are prepared and up to speed.”
“There is a gap of knowledge from those who know about security to those who deploy it, and that gap needs to be closed,” Washington adds. “We have to get the customer from having no cyber security to having some.” He compares it to applying a Band-Aid until the patient can get to a doctor.
SecureXperts has two basic internal forums for that. The first is a cyber lab where they test gear, and the second is adding their own cryptographic security to the products they integrate. “Then we provide the customer with as much self-help as we can.”
They offer their customers a series of internal risk-assessment worksheets. “We review those and target areas that are more important,” Washington says. “We want our customers to be cyber-aware.”
Dealers or integrators looking for support material to show customers just how aggressively the FTC pursued Wyndham, and the impact lax security can have on their company, can reference the following FTC document: http://bit.ly/FTCvsWyndham.
Sjouwerman says his business has seen “explosive, triple-digit growth for the past four years,” with Q2 2015 up more than 350 percent over Q2 2014. The largest growth has been in the financial sector, an area targeted four times as often as other industries. The financial sector has taken the initiative to move away from a compliance-focused annual “breakroom” approach to a more effective behavior-based approach.
KnowBe4 also works with integrators to help sensitize employees to the dangers of malware. Although the financial sector is hard-hit, every other industry is under the gun.
The message to every customer of any security dealer or integrator remains: If you do not deploy and use security BMPs, you will be in big trouble. Prevention should be an easy sale at any customer site.
Washington says it is vital to reduce clients’ exposure to cyber attacks. “Desperate times call for desperate measures,” he says. “There are some straightforward steps that must be taken, but too many have not taken the first step. Our job is to get them to start down the path,” Washington concludes, noting that it is no longer a departmental issue but a board issue.
Cyber Security Awareness
“Awareness has to start at the top,” Washington says.
Bozeman says it is already happening. “Boards of Directors will realize they have liability and they will push the need to be cyber-savvy down the corporation.” He expects such dictums to be the norm within 12-18 months.
Washington says cyber security also needs political support as the Federal agencies responsible for protecting the public’s privacy begin to get aggressive. “As consumers, we need to demand better and more secure policy standards and legislation,” he says. “If the general public does not support better security legislation we will be in a very bad position.”
Bozeman acknowledges that no solution will be perfect — there will always be incidents. But the law now requires integrators to be proactive. Some, he says, will see it as a hassle. They should re-think their position, Bozeman warns. “This truly is a game-changer. This is bigger than the switch from analog to digital.”
Curt Harler is a technology writer and a regular contributor to SD&I magazine.