Target Corp. and its millions of customers are not the only victims of cyber-crooks, we learned this week.
They even target for extortion the emergency crisis lines of nonprofit businesses and emergency service providers.
“We had to shut down our crisis number of 35 years last Tuesday,” said Dan Pfarr, executive director of the Bridge for Youth, which provides counseling, housing, medical referrals and more for hundreds of kids under age 17 and their families every year. “The guys who took over our crisis line wanted money. We told them we work with distressed families and kids at the low point of their lives. That we deal with lives. We can’t have abused kids or parents … calling in and getting a busy signal.”
The Bridge (www. bridgeforyouth.org) got “phone spammed,” perhaps by a criminal call center that uses software to capture and ransom critical phone lines or Internet systems.
Told by police not to negotiate with the criminals, Bridge management put the line into an answering machine and activated another line as they scrambled to inform their clients and stakeholders, the United Way, law enforcement and other nonprofits and agencies with which the Bridge collaborates, of the new number and situation.
Within 24 hours, the hackers had given up and the old crisis line is working again.
“We see these types of events almost every day across all industries … businesses small and large,” said Tomas Castrejon, leader of the cybersecurity practice at the Minneapolis office of PricewaterhouseCoopers, the auditing and consulting business. “What can a small business do? The perpetrators are after something they can turn into money, a profit. For small businesses, we suggest, first and foremost, conduct regular security assessments, both technical and people, to try and determine your vulnerabilities. Because that’s what the adversaries are trying to exploit.
“And have a plan, an incident response plan that enumerates what to do in a ‘break-the-glass’ situation.”
The irony is that the Bridge has spent a lot of time and money on digital equipment and systems to protect client privacy, medical and other records.
The long-term solution may be a new system that will accept text messages that would also link to phone and digital systems at The Bridge. The price tag of about $100,000 is not inexpensive for a nonprofit with a $3 million total budget and which had to pare services and get leaner during the Great Recession. Pfarr is huddling with key staff, board members and vendors.
“We’re definitely seeing an uptick in ‘intrusion matters,’ individuals and entities that try to find a way to compromise the information located in some of our companies,” said Kyle Loven, division general counsel of the Minneapolis FBI.
“There’s a wide range of methodologies and motivations. There are definitely some fairly sophisticated overseas elements involved. It takes some technical know-how. If we’re able to determine a location of the perpetrators, whether in or outside the U.S., we have options at our disposal to also work with foreign governments.”
Brian Isle, founder of the Minneapolis-based cybersecurity firm Adventium Labs, said Verizon has estimated that three out of four cyber-breaches are of small companies because they may not have safeguards and are easier to blackmail.
CyberSecurity is a Growth Business
PwC has acquired Minnesota Privacy Consultants, founded in 2006 by Jay Cline, a former chief privacy officer at Carlson Cos. and IT management veteran, who has worked with a variety of business, government and nonprofit agencies.
Shawn Panson, New York-based leader of PwC’s U.S. Risk Assurance Emerging Services practice, which focuses on mitigating risks, said: “What drives this acquisition is what you’re seeing in the news. Jay has a tremendous reputation in the industry … [and] has been on the ground floor of privacy issues and laws for 20-plus years. The majority of the MPC folks will be in Minneapolis. Jay will have a presence in our national data privacy practice. All of our clients are dealing with cybersecurity.”
These businesses help companies, agencies, schools and nonprofits determine their sensitive data, classify it, control it and, eventually, retire it safely.
“At a time when well-publicized cybersecurity threats and data privacy breaches have underscored the critical nature of these issues to both businesses and consumers, the addition of MPC will further strengthen and expand PwC’s data protection and privacy resources,” Dean Simone, leader of PwC’s U.S. risk assurance practice, said in a statement.