Cybersecurity is top of mind for Orange County companies, with some of the region’s top firms experiencing internet breaches since last year.
Among more headline-generating events, Disneyland Resort’s Facebook and Instagram accounts were hacked briefly last month, with the attacker posting offensive content.
“We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation,” the company said.
Data analytics software maker Alteryx Inc. (NYSE: AYX) in Irvine told the SEC in its annual report in February it has “experienced, and may in the future experience, security breaches.”
“If unauthorized parties obtain access to our customers’ data, our data, or our platform, networks, or other systems, our platform may be perceived as not being secure, our reputation may be harmed, demand for our platform may be reduced, our operations may be disrupted, we may incur significant legal liabilities, and our business could be materially adversely affected.”
Those cautionary words are echoed by many of the area’s top publicly traded tech firms in regulatory filings.
Irvine electric vehicle maker Rivian Automotive Inc. (Nasdaq: RIVN), for example, notes that its “vehicles contain complex technology systems. For example, our vehicles are outfitted with built-in data connectivity to install periodic remote updates to improve or update the functionality of our vehicles.
“We have implemented cryptographic technologies to deliver updates securely from Rivian including a hardware security module to verify the integrity of vehicle software by using cryptographic hashes,” the company said in its latest quarterly report from earlier this month.
“We have designed, implemented, and tested security measures intended to prevent cybersecurity breaches or unauthorized access to our information technology networks, our vehicles and their systems, and intend to implement additional security measures as necessary,” Rivian said. “However, hackers and other malicious actors may attempt in the future to gain unauthorized access to modify, alter, and use networks, vehicle software and our systems.”
Smile Brands Inc., a dental support services provider in Irvine, said almost 2.6 million people may have been affected by a data security incident involving ransomware last year, according to a filing with the Maine Attorney General’s Office.
Data compromised in the attack included files that contained individuals’ protected health information such as names, addresses, Social Security numbers and health information.
At the end of last year, dental laser company Biolase “experienced a cybersecurity attack that caused a brief network disruption and impacted certain systems,” the Foothill Ranch-based firm (Nasdaq: BIOL) told the SEC. “We have taken actions to strengthen our existing systems and implement additional prevention measures, but there is no assurance that such actions will be effective.
The Business Journal asked two of OC’s top experts to discuss how local companies are faring in the battle against cyberattacks and ransomware money demands, and what firms can do to better secure their data and operations. Their responses follow.
“To me, the special risks in Orange County are associated with critical infrastructure (grid, water, nuclear, transportation,) the population density in a small area, and most importantly the fact that if we had a major event that caused us to have to evacuate quickly, it would be difficult to get everyone out in an organized way. Imagine the 5 or 405 if we all had to get out at once….and where do we go.”
“The attacks have not abated but the threats and motives have changed into two big buckets. For the simple business attacks, the root causes are still the same simple ‘boring’ things: People click on bad emails that lead to bad things. If they have air gapped back-ups and cyber insurance, then the cost and impact of the breach is much less then if they don’t. This story will change a little as cyber insurance becomes harder to get, but while a breach to a small business owner is the most important story of their life, these stories are just not newsworthy to everyone else.”
COO, Chief Information Security Officer
“Orange County is at risk mainly because it has so many successful businesses that can afford to pay either with cash or insurance. It may well be at slightly higher risk on some levels due to biotech, and of course famous entertainment venues. Threat actors may target a vertical by looking for a vulnerability associated with a particular business type and or software used by that vertical.
“We, however, most often see attackers are opportunistic not targeted. They use automated systems to seek out vulnerable targets and when they find one, pounce on the opportunity. It is also at times staged in approach. One threat actor will break in, plant remote access, then sell that access to another, and so on. These organizations are getting more and more businesslike and showing major signs of very sophisticated business management and technologists in their ranks.”
Follow the Money
“Cyber criminals are making billions more money than drug cartels with little to no investment, or real risk of jail time. In some cases, it is clear that they are either directly supported or simply ignored by their governments because they are doing damage to adversaries and bringing massive income to their host countries. In my view, there is nothing that is going to stop them in the long run, other than intense focus on cyber hygiene and defense. Cybercrime and in particular, cyber extortion is too lucrative to pass up with such low risk.”