Local companies brace for cyber-attacks

Tuesday was a very, very bad day for the logistics firm TLC.

Over the course of two hours, the mid-sized company was hit with so much manure that not even an army of latrine cleaners could dig out: seven coordinated attacks, including a physical assault, a malware-based data breach and an undetected hack of employees’ corporate devices.

Before it all began, the perpetrators — cyber-sneaks from the Technology Association of Georgia — huddled outside the scene of the crimes, a cavernous room in Building 447 of the Clay National Guard Center in Marietta.

The event, the second annual Cyber Security Simulation, was designed to give local business folks a bird’s eye view of how their colleagues might react in the face of a multi-pronged cyber-attack. (Rest easy: TLC, a.k.a. The Logistics Company, is a fictitious outfit.)

The scenario may be make-believe, but the threat is not.

“You do not have to be a worldwide company in order to be attacked,” said Pete Wellborn, who played TLC’s inside counsel during the simulation. (In reality, he is a principal at Wellborn, Wallace & Woodard, focusing on information security.)

Reporters were allowed at the pre-simulation briefing but asked to leave in advance of the actual exercise so as not to stifle the conversation it was meant to spur. The affair was so secretive that TAG officials refused to name the companies taking part in the drill.

(One speaker did let slip that an executive from the Atlanta Braves was in attendance.)

All the organizers would say was that the 40 or so participants included executives, chief information officers, human resources employees, lawyers and cyber security experts. Most work for companies with fewer than 10,000 employees; they’re not likely to get invited to similar simulations the federal government stages for the nation’s largest corporations.

“It allows mid-size companies to see how things play out,” said Roy Hadley, an Atlanta attorney and the chair of TAG’s information security group.

It also gives them a chance to swap war stories and share strategies on combating attackers, he said. They can say: ‘That happened to me. Help me.’”

The scene played out in front of about 100 observers — men and women in business suits, men with buzz cuts in military fatigues, a law enforcement officer sporting a holstered handgun, and assorted TV news crews.

The importance of the exercise lies in this fact: Roughly 90 percent of the country’s critical infrastructure is controlled by private companies. And cyber-crime against private companies is on the rise.

In 2012, the latest year for which widely accepted statistics are available, 621 confirmed data breaches compromised 44 million individual records, according to Verizon’s annual Data Breach Investigation Report. Many consider that the definitive overview of the burgeoning cyber-threat. (“I keep it within an arm’s length,” one of the presenters said.)

This month, the U.S. Commerce Department’s National Institute of Standards and Technology released a Framework for Improving Critical Infrastructure Cybersecurity.

The document, mandated by an executive order signed by President Obama last year, is meant to be used as a rule book for organizations, regulators and customers to better fight virtual crooks.

But rules and plans and standards only go so far, presenters told the participants Tuesday. Playing successful defense requires practice, practice, practice.