We read it in the headlines with alarming frequency, how some hacker has stolen customer credit card numbers or other personal information from another retailer, insurance company, financial institution or the government.
Somehow, these faceless cyberthieves manage to breach the carefully constructed firewalls we individuals, business managers and IT professionals have put in place to seal our digital lives. As the business world evolves to embrace electronic medical records, growing e-commerce and other 21st century benchmarks, cybercriminals have advanced also in the sophistication and frequency of their schemes.
If the seemingly biggest, best and brightest can’t fully defend their data, what’s a medium-size company to do when contemplating the safety of its business and personal information?
“I’m not one of those people who think we should live in fear,” said Jason Falls, the Louisville-based senior vice president of digital strategy at Elasticity, a St. Louis digital marketing and advertising firm. “But there’s certainly a level of awareness and best practices we should tolerate because it keeps us safer.”
The issue appears to be growing rather than abating. Anecdotal evidence seems persuasive that not only is there a problem, but it’s potentially a very costly one. Reuters reported this year that retail giant Target Corp. agreed to a $10 million class-action settlement for its holiday season 2013 hacking scandal that exposed the credit card information of millions of customers.
Anthem Inc., the country’s second-largest insurer, responded to a data breach in February affecting 80 million of its customers and employees by offering free credit monitoring and identity protection services to those affected. With a typical identity theft protection services price tag ranging from $10 to $30 per month, covering 80 million customers would be sickeningly expensive.
“It used to be the case that cybercrime was more malicious sabotage or disruption of service,” said Cody Shakelford, a business systems architect with Boice.net. “Now it’s a billion-dollar industry.”
Today’s threats are something even the most prescient of experts were unlikely to have anticipated 35 years ago when the Bureau of Justice Statistics, an arm of the U.S. Justice Department that tracks crimes cyber and otherwise, was established in 1979. The agency’s website reports in 2005 (its most recently available data point) that 68 percent of businesses victimized by cybertheft lost $10,000 or more.
More recent data suggest attack rates and loss costs have skyrocketed over the past decade. The Ponemon Institute, a cybersecurity consulting firm based in Traverse City, Mich., says U.S. businesses are attacked 17,000 times a year at an average total cost per successful strike of $6.5 million.
Given the economic windfalls such attacks are likely to net, the growth trend makes sense.
“There’s a saying, ‘Why do banks get robbed? Because that’s where the money is,’” said Brent Cooper, president of C-Forward, a Covington-based IT firm. “We have all these computers, but we haven’t elevated security to the importance it should be.”
Who are hackers?
If cybersecurity is a war, then the same key strategy often mentioned in military circles recommends itself to the online battle: Know your enemy and understand their goal.
The term “hacker,” though technically correct, may carry the outdated connotation of a youthful prankster playing video games in a basement who might execute malicious code on government or business websites to further a political agenda.
Today’s cyberthieves, however, are more like villains from James Bond movies: determined, sophisticated and, if not armed, sometimes connected to foreign governments.
The psychological forces motivating hackers are complex.
“In terms of the hackers, you’re going to have people who do things for personal reasons,” explained Ian Ramsey, chief information security officer with the Louisville law firm of Stites and Harbison. “So you have people who steal information and then they post it online in order to get back at people. It’s just personal motivation – that actually goes on quite a bit.”
An example, Ramsey said, would be the hackers who released information earlier this year about the identity of thousands of account holders of the website Ashley Madison, whose ads said it enabled members to find sexual partners outside their marriage.
“They think it was an inside job,” Ramsey said. “They think it was employees who were disgruntled (because) they felt that Ashley Madison as a company was doing something that was dishonest to their clients, and they didn’t like it.”
Thus, the hackers’ motivation was personal satisfaction rather than financial gain.
But many who perpetrate cybercrimes are in it for the money.
“It’s run-of-the-mill criminals who have figured out the Internet,” Falls said. “They’re trying to figure out credit card information, bank numbers, things of that nature.”
And what they can do with information can be shocking.
Matt Smith, vice president of information security for Lexington-based Integrity IT, said that even if discrete bits of information are captured, they can add up to identity theft.
“Something might seem harmless, but when you put it with two to three other pieces of information, you start to put a puzzle together,” Smith said, “and you see things of value that could be used against you.”
Cooper recounted a case where a hacker was able to get into a CEO’s email and find out he was away on business in the Bahamas. After phoning the company’s chief financial officer, the hacker posed as the company’s bank and requested a wire transfer for a large sum of money.
“From reading the email, they had just enough details to make the request seem plausible,” he said.
Fighting the battle on three fronts
Ordinarily, waging a battle on multiple fronts does not make for a winnable strategy, but when it comes to keeping one step ahead of the cybertheft set, sources advise keeping three things in mind: infrastructure, software and people.
“Making sure each ‘leg’ is able to handle the burden of a fast and public Internet is crucial for both individuals and organizations as the world speeds toward a digitally connected and Internet-dependent ecosystem,” said Patrick Goodman, chief product officer at Red-e-App, a Louisville-based tech startup that offers a secure mobile app to communicate with workers who lack access to company email.
The infrastructure realm, Goodman said, covers all hardware a company uses to access its software, whether it resides on a company’s servers or is based in the cloud, such as Google business apps.
Shakelford said a reliable routine for securing a company’s hardware should start with installing antivirus and antimalware protection software and keeping it and the computer’s operating system fresh with the latest patches and security updates.
Biometric protections, such as requiring a user’s fingerprint or retinal scan to unlock mobile devices, are among the newest developments in hardware-based security. But they won’t prevent access by a user who compromises a company’s security via the most common method: a phishing email, where the hacker sends what appears to be email from a reputable source to trick the recipient into divulging log-in credentials.
Once a username and password are compromised, “ransomware” can be installed to encrypt an individual PC or a company’s entire network. The hacker then offers to unlock the system – for a price.
“There’s really no way to unencrypt the data once it’s been encrypted,” Cooper said. “There have been four police departments that have paid the ransom because they didn’t take the precautions to secure the network.”
In ransomware attacks, Cooper said, the only remedy is to wipe the computer and restore the data from a backup.
The key to good prevention is tailoring a security solution to each specific client, said Amy Justice, a senior security and compliance consultant with SDGblue in Lexington.
“We might recommend encryption for a laptop an employee is using or a data backup plan,” Justice said. “If we advised a dental practice, we would use the HIPAA security methodology, which would be different from those we would use if we were advising, say, a copy shop.”
The prevalence of such attacks means one of the most crucial components of online security is the variable that may be the hardest to control: people.
“Educating employees and your workforce generally so that they are aware of security issues” is crucial, said Sarah Cronan Spurlock, an attorney with Stites & Harbison who chairs the firm’s Privacy and Data Security Group. Both she and Ian Ramsey are certified information privacy professionals.
One of the specific things to teach your employees about security is likely the most basic: Change your passwords often, use complex passwords, and don’t use the same password for multiple sites.
Ramsey recounted an experience that underscores the importance of password security and how it can affect people at all levels of an organization. While presenting to some 70 senior executives at a conference in Atlanta, Ramsey showed a slide called “The 20 Worst Passwords Ever Used.”
“People got up out of their seats taking pictures of this slide and I think there’s a reason why,” he said. “Most of them saw the passwords they or their staffs were using up there.”