Cybersecurity and the Cleaning Industry
As our lives and careers become ever more dependent on digital technology, cybersecurity is an issue that affects everyone. Cybercrime can be costly and damaging to a company’s reputation. This is as true for the cleaning industry as it is for any other sector of the economy.
Cybersecurity expert Larry Dietz should know. Dietz has decades of experience in cybersecurity and has seen firsthand how the field has changed as technology develops. “You could say I have been in the cybersecurity industry before it was fashionable,” said Dietz. “I have been on the vendor, user, analyst, military, and legal sides of the cybersecurity world.” Dietz started his career as a communications security officer and crypto facility inspector in Vietnam.
Currently, Dietz works for TAL Global, where he started out as managing director of Information Security in 2007, and then became general counsel in 2010. As an attorney, Dietz is admitted to the bars of the U.S. Supreme Court, the State of California, and the District of Columbia. He serves as an adjunct faculty member at Monterey College of Law, as well as the American Military University, where he teaches subjects like cyberwar and threat analysis.
I sat down with Dietz to find out what cleaning professionals should know about protecting their companies and their clients from potential cyberthreats.
Cleanfax: How important is this topic of cybersecurity for the cleaning industry?
Dietz: I don’t have to tell you that we all run on our electronics—our iPhones, our laptops, our tablets, not to mention the thousands of chips and servers that permeate our operational landscape.
Cybercriminals are out for one thing: Money. They don’t really care who their target is. The softer the target, the easier it is for them to penetrate a system and steal information that can be resold or gain an entry point for other malicious acts on other targets.
Cleanfax: Do you see an attitude of, “We are safe” or “It won’t happen to us because we are not that important” in the cleaning industry?
Dietz: Candidly, I have seen that type of attitude from a number of industries, not just yours. Many people and organizations feel they are so low-profile that cybercrooks aren’t paying attention to them.
While experts may disagree on which industries are the most popular targets, education and research, health care, finance, and government are often high on the list. But that should not lull you into a false sense of security.
Industry targets can vary, but CEOs and CFOs and their assistants are very popular targets in all industries because they have access to a great deal of potentially valuable and lucrative information. These roles are targeted without regard to the type of organization.
Organizations can also be targeted because they are gateways to other, more lucrative targets. Cleaning professionals have important customers that they work with every day. These relationships mean access and good connections for a cybercriminal.
An interesting example might be Target stores. In November 2013, hackers stole information for about 40 million credit and debit accounts and personal information for about 70 million Target customers. They didn’t hack in through the electronic front door—they used the credentials of an HVAC company to gain access.
Don’t assume you and your company are too low-profile to be a target.
Cleanfax: What are the top security risks facing the cleaning industry?
Dietz: The most prominent risks to be aware of are:
- Ransomware and business email compromise.
- Reused and weak passwords.
- Poor visitor security.
- Lack of a holistic approach to security that meshes cybersecurity with overall facility security operations, plans, and policies.
- Social engineering (deceiving people into divulging confidential information).
Cleanfax: What is the link between security and leaks resulting from social engineering?
Dietz: We often say that the building blocks of cybersecurity are people, processes, and technology. Experience has shown that people are generally the weakest link, and awareness is key to securing that link.
Many successful cybercrimes start with phishing. This is where a targeted company is bombarded with fake emails. When an employee clicks on the email, it triggers malicious software that can launch a whole range of attacks, including ransomware, which is the most popular form of attack.
Awareness of phishing scams is key, but you should also back up awareness with technology, policies, and procedures. For example, multi-factor authentication—where users must use a password as well as input a code sent to their phone—is one effective way to ensure only proper access to company emails and information.
Cleanfax: What are the steps that facility managers can take to support tenants’ security of IT systems?
Dietz: Audits and exercises are good places to start. The purpose of an audit or inspection is to determine the level of security of your IT environment and compare that to the level your executive management and audit committee feels is appropriate. These audits should be part of a systematic program designed to identify vulnerabilities and strengthen the security of the building.
There are also well-respected standards, such as ISO 27001 Data Security Certification and the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) that offer guidance and accepted methodologies.
Cleanfax: Is cyber insurance the silver bullet of protection?
Dietz: Not necessarily. It could be the reason you would be attacked in the first place. In July of this year, a ransomware gang demanded £500,000 (about US$571,000) from two schools in England. The crooks targeted the schools partly because they thought it would be easy to collect since the schools were insured.
The Hive, a hacker group, claims that they breached the system and then obtained details of the cyber insurance policy to use in negotiations. “We are very well informed and precise in our operations, so we know that Wootton have cyber insurance that reaches £500k,” the group wrote in the message to students and parents.
Having insurance also doesn’t mean the insurance company will always pay off. There are limits and exclusions as with any other policy. Typically, insurers don’t cover losses from hacks by nation-states, such as if China steals trade secrets. Insurance also doesn’t pay if the loss was due to social engineering, where an employee, contractor, or another person with access is duped into helping the cybercriminal.
A recent case in Minnesota demonstrates this lack of coverage. The insurance company in the case filed a motion to dismiss, claiming the policy clearly delineated between computer fraud and social engineering fraud. If the fraud were due to hacking the system rather than the people, the insurance company would pay. The Minnesota court dismissed the case, calling it a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of the $600,000 total losses.
Cleanfax: Who is liable for a cybersecurity breach? Can directors be held personally liable for cybersecurity breaches?
Dietz: This is actually a more difficult question than it would seem. Normally, as an attorney, I would jump to the possibility of a negligence suit where company executives or a board of directors might be liable for a data security breach.
A director can also be personally liable for cybersecurity breaches in some instances. While no individual director has been held liable for a cybersecurity breach to date, lawsuits making these kinds of allegations have been filed, and it may be only a matter of time before one is successful. The primary risk of personal liability for a director is through derivative actions commenced by damaged shareholders. While the Business Judgment Rule generally insulates directors from personal liability, that protection is not absolute and can be rebutted.
Recently we are seeing a new twist: Potential criminal liability. Uber’s former chief security officer was convicted in criminal court of obstructing a government investigation and concealing the theft of personal data involving a 2016 breach.
Cleanfax: How can a cyber breach impact a company’s reputation and stock price?
Dietz: Cyber breaches can result in immediate stock price drops. The more sensitive the information stolen (credit card information, social security numbers, etc.), the more immediate the effect.
The long-term effects and significance of these stock price drops can vary. Sometimes the share price will hit a low point 110 market days after a breach. Share prices fall -3.5% on average and underperform the Nasdaq by -3.5%, according to Comparitech, a pro-consumer website providing information.
Cleanfax: Do you have any final words of advice for our audience?
Dietz: Don’t assume that you won’t be a target. Appoint a single point person for your cybersecurity efforts with the authority, budget, and staff to carry out a comprehensive cybersecurity program that addresses the building blocks: People, processes, and technology.
Determine if it makes sense to outsource your cybersecurity needs to specialists or whether you need to do it yourself. Don’t be overwhelmed by technical details; always ask for an explanation that your management can understand.
Hold anyone who has access to your facilities and systems to the same security standards as your employees and other stakeholders. This includes validating the security of contractors, visitors, etc.
Finally, test your security with periodic audits and exercises that involve multiple functions within the organization. This will help you identify and address any vulnerabilities.
These methods will go a long way in helping you to protect yourself, your company, and your clients from cyberattacks.
For more from Dietz on hacking, ransomware, and cybersecurity, tune into this recent Straight Talk! interview.