Cyber Threats Are Recognized, but Are Companies Prepared?
Entrepreneur-led foundation advocates "cultural shift in every organization"
Friday, January 11, 2019
By Ted Knutson
Although cyber threats are universally regarded as pervasive and even existential, Michael Daugherty believes that many businesses are not well organized to manage the risks. He has founded the Cyber Education Foundation to promote the “cultural shift in every organization” that he says is required.
“All executives need to be fully prepared, digital leaders,” says Daugherty. “Cybersecurity is not just a technical issue. It is a cultural, broad-ranging business problem that can impact almost every aspect of a business, from downtime to loss/theft of data to revenue and stock price fluctuations.”
Rather than being the job of any one person, such as the chief information security officer (CISO), “cybersecurity must be the corporate culture.”
These comments could be right out of a cyber risk management textbook, but for Daugherty they are hard-learned lessons that he wants to share widely. The foundation is holding a series of Cyber Culture Summits, the first on January 22 in Atlanta.
As president and CEO of Atlanta-based medical laboratory LabMD, Daugherty dealt with a hacking incident that exposed personally identifiable information. He subsequently fought a Federal Trade Commission allegation of deficient cybersecurity practices.
Top Trial Lawyer
Most such enforcement actions are settled with a consent decree - another flaw in the system, as Daugherty sees it. The LabMD incident and legal battle were chronicled in a 2016 Bloomberg Businessweek article and in a book by Daugherty, The Devil Inside the Beltway. The book is subtitled, “The Shocking Expose of the U.S. Government's Surveillance and Overreach into Cybersecurity, Medicine and Small Business.”
A Cyber Culture Summit speaker and Cyber Education Foundation board member is Doug Meal, partner of Ropes & Gray, billed as “the No. 1 cybersecurity lawyer in the world.” He represented LabMD in its FTC appeal, which concluded last June, and defended Heartland Payment Systems, Target and other corporations in cyber-attack cases.
Daugherty, quoted in a December press release, said, “You'd pay Doug $1,500 an hour for his legal advice. At Cyber Culture, executives can spend an entire day with Doug and other cybersecurity experts for less than $400.”
The summit program includes an incident-response workshop based on a real-life crisis scenario.
Damages Overestimated
Daugherty says that ignorance and fear lead to bad choices in assessing and responding to cyber threats. The reality is that even when data on millions of people are exposed, as in the Equifax and Target hacks, the actual number of victims is relatively small, whereas legal costs can be substantial.
There is often a rush to settle to make the problem go away, but, Daugherty says, “Very few people in cyber go to trial. This is disturbing because a lot of them would not be found guilty, and when they are, the damages would be much less than they think.”
It has been conventional wisdom that because cyber attacks are inevitable, more resources have to be devoted to remediation than to prevention, but Daugherty says that this can vary by industry.
When asked to name sectors that get more bang for the buck on prevention than on damage control, he cites medicine, defense contracting and finance. Conversely, media, small business and tourism are three that get better returns on remediation spending.
Daugherty contends that government enforcement actions, although an important tool, cannot by themselves keep the cybersecurity crisis from getting worse.
Reputation on the Line
Regarding LabMD, which had 40 employees at its peak, “the wrongful FTC enforcement action . . . made the company implode,” Daugherty asserts.
“They wanted us to sign a 20-year consent decree, but that would have ruined our reputation because in the cancer detection business, all that is needed is to put doubt in customers for them to leave you.”
The FTC investigated LabMD after a vendor, Tiversa, reported that personally identifiable information of nearly 9,000 LabMD patients was exposed on a peer-to-peer network. It turns out that Tiversa hacked LabMD to get the information.
Before the hack was discovered, Tiversa offered to help solve the problem for $475 an hour. Daugherty found out about the hack and accused Tiversa of extortion.
He describes the FTC enforcement process as a “torture chamber. They drag you through their own court and extort false confessions.”