O'Keefe in the News

Down but not out of options: How to keep IT security together in a company that’s gone bankrupt

Down but not out of options: How to keep IT security together in a company that’s gone bankrupt

October 12, 2016

As published by Josh Fruhlinger, CSO Online

Corporate chaos
The supply chain upon which modern multinational commerce depends was thrown into chaos earlier this year when South Korea’s Hanjin Shipping filed for bankruptcy. Dozens of container ships with hundreds of crew and thousands of pounds of cargo onboard were essentially stranded at sea, as ports barred the ships’ entry for fear that they wouldn’t be able to pay for docking services.

If you’re working for a company that’s filed for bankruptcy, the consequences probably won’t be as dramatic—you’ll be able to stay on dry land, for one thing. But you’re definitely going to encounter choppy waters when it comes to maintaining tech security. We talked to IT pros who have been through it to find out the best ways to cope.

Not all bankruptcies are created equal
Legally, there are different types of bankruptcy and receivership; the form your company’s bankruptcy takes will determine what resources you’ll have available to secure corporate assets. “Chapter 11 enables a company to restructure its debts—the company intends to continue operating in some form,” says Gary Alterson, senior manager, Strategy, Risk and Compliance for Cisco’s Security Advisory Services. “As such, management may be more open to arguments concerning security risk and future potential liability. Chapter 7 bankruptcy, where a company intends to liquidate, is even more challenging. In these cases, consideration for future risk or new threats is likely to be non-existent. Management is looking to wind down business as fast as possible.”

Tremendous pressure to save
Even in a best-case scenario, in a bankruptcy “there’s going to be oversight by a trustee of the court if not a judge. The bar for justifying current spend during bankruptcy will be set high, and new spend is also going to be difficult,” says Cisco’s Alterson.

Ron Schlecht, Jr., managing partner of BTB Security, recalls a case where he helped a company in what he called “selloff mode.” “They realized they needed some control over what IT assets and what information was leaving, so they retained us to baseline where their information was, and document and implement procedures for decommissioning equipment,” he said. “While there wasn’t any pushback from creditors, the company made it very clear that they had to be cost-conscious with spending when we proposed work.”

You need to act fast
Things can move very quickly as bankruptcy begins, with different factions within the company acting in opposition to creditors or court-appointed managers. David Sun, founder and CEO of SunBlock Systems, was once brought in by the courts to oversee a company that had gone into receivership after it had lost a devastating lawsuit. He described the scene the day he arrived: “The doors are locked, and we see people walking with purpose up and down the hallways. I bang on the door, saying, ‘Let us in. We have an order from a federal judge.’ They let me in, and I can see packed up boxes. You can just tell they’re clearing out the place, taking the physical as well as intellectual property.” Only quick action by his team prevented a total meltdown.

First thing’s first: Lock it down
Whether you’re coming in as an outsider or trying a longtime employee trying to turn over a new leaf at a bankrupt company, Linda McConkey, managing director at O’Keefe, has advice for you: “You’ve just got to deal with footprint at hand and lock it down. You’ve got to do the basic block-and-tackle security things. Check the firewall, check the white list, the black list. Who’s got remote access. Who has access to core applications, key data, secure data? You have to do triage, because you’ll find that people have access to things they shouldn’t have”—and that can be troubling in corporate situation in flux.

IT security’s problems didn’t start with the bankruptcy
It’s not as if bankrupt companies are usually starting from a good IT security baseline either. “Financial troubles start well before the bankruptcy finally happens,” says McConkey. “Generally speaking, they’ve already stopped an appropriate level of spending focus in IT before the bad things happened. They’ll say, ‘That server farm is already paid for,’ even though it’s 4 years old and you can’t load current security protocols. They’re taking a risk that all is going to stay right with the world until things are better financially in the company.”

Inability to pay can cut you off from vital services and data
Pay-as-you-go cloud services can save you money—but when your cash flow is restricted, you learn the serious implications of renting rather than owning IT infrastructure, especially when it comes to data security. “Vendors that are hosting corporate applications and data can cut off access for non-payment,” says Doug Lane, vice president of product marketing at Vaultive. “So when planning for a bankruptcy filing, it’s important to establish a plan for reviewing these contractual arrangements, investigating data backup and export options that can be exercised, and also ensuring that control over cloud data encryption rests with the data owner, not the SaaS provider. This way, if there is any resulting litigation, the organization remains in control of their data.”

Lay it all out for the people in charge
O’Keefe’s McConkey says that, in a bankruptcy, “you’ll always have pushback” when it comes to spending any money at all, let alone spending money on new IT equipment or software. But she says it’s a matter of going to whoever’s in charge of things and “articulating the consequences of not doing it. Tell them you’re trying to negotiate the best possible pricing structure with accounts. They’ll argue on the support and maintenance contracts. But you need to buy the patches and the fixes and the updates. You’re playing Russian Roulette when you don’t.”

A bankrupt company needs all the IT security help it can get
Because when it comes down to it, a bankrupt company is uniquely vulnerable, says Anthony Di Bello, senior director and security strategist at Guidance Software. “There could be competitors looking to take advantage of the situation,” he says. “There could be auditors demanding access to privileged information such as protected customer data. There could be insiders looking to take advantage of the situation before they’re let go, as well as cybercriminals looking to exploit what they may perceive as a prime opportunity when a company attention is focused elsewhere.”

Pursue goals in a cost-effective way
All this said, you must be a strict steward of what little IT funding you have left to achieve the tasks you must achieve. Cisco’s Alterson suggests “taking an inventory of what’s on the shelf that they haven’t implemented, and reviewing to see if there are less expensive or open source alternatives.”

Discreet tasks should be tackled in as low-frills a manner as possible. Jonathan Gossels, president of SystemExperts, described a scenario at a company he helped through bankruptcy: “The company took the critical (and valuable) intellectual property and consolidated it onto a single system and a backup. These systems were not connected to the internet. They retained a skeleton IT staff during the shutdown process to make sure this was done properly; the intent was to preserve the intellectual property and sell it off.”

Regulations and standards can be your friends
There is one ace in the hole you have when trying to increase IT security spending: bankruptcy is process overseen by the legal system, and thus you must be meticulous in adhering to the laws, including cyber regulations. “The best leverage a company in the bankruptcy process has to maintain cybersecurity operations is whatever regulations they’re beholden to,” says Di Bello, “such as HIPAA HITECH for healthcare or PCI DSS for companies that deal with credit card information.”

While industry standards aren’t binding, they can help reassure managers and creditors that security tasks are important and in line with industry norms. For instance, Shawn Burke, Global CSO at Sungard Availability Services, says that “utilizing the NIST 800-88 guidelines for media sanitization ensures that companies properly erase sensitive data off equipment that might be confiscated.” (And in a bankruptcy situation, confiscation is a real possibility.)

If the company is going away, the data needs to go away too
Erasing sensitive data should be a top priority for any company entering liquidation or selling off equipment. “There are a range of data that can lead to serious financial and legal ramifications if compromised,” says Richard Stiennon, chief strategy officer of Blancco Technology Group. “There’s intellectual property in the form of confidential business proposals, media files on new-to-launch products, and even financial earnings statements and customer data in the form of login credentials, demographic profiles, purchase preferences, engagement with content and ads and buying behaviors. Cybercriminals can maliciously use IP and customer data for social engineering schemes and phishing attacks, jeopardizing employees and customers alike.”

Watch your back
Staffers may worry about being laid off or be bitter when they actually are, or stay loyal to ousted management. Thus, current and former employees may be your biggest security risk, as SunBlock’s Sun found in his dramatic role at a company in receivership. “We changed all the passwords,” he said, “and we hardened some of the systems as best we could. We hired guards to physically be there 24/7, because people were trying to get back into the building.”

“Some people walked away and wouldn’t give us passwords,” he added. “The previous owner started a new company and he was hiring all the old people. Some systems I was able to get in to. Some systems we were able to bypass. And in some cases, we legally deposed people to get access.”

Protect what value you can, as long as you can
In the end, despite the chaos of bankruptcy, you’re on a team with a goal of protecting as much of the company’s value as you can, so that everyone who’s owed money doesn’t get too badly stiffed. “The goal was to keep the system up and running,” says Sun, “keep it working as best as possible, maintain customer satisfaction, retain the customer base. Because at the end of the day, the liquidation price was predicated on the number of live customers the company still had. So, if we lost 10% of users, then, the sales price was off by 10%.” Maybe it’s not the most powerful motivation in the world—but in the chaotic world of bankruptcy, it’s something to hold onto.