The risk of cyber attacks is growing — here’s how to protect your business

Click the image for an infographic on this topic

Click the image for an infographic on this topic

By Michael Zimmerman

Editor’s note: Between the first date of publication and the time of this posting, the number of federal employees whose identity may have been compromised in the OPM hack had grown to 18 million. In response, the American Federation of Government Employees filed a class-action lawsuit against the agency, director Katherine Archuleta and CIO Donna Seymour in federal district court.

In May of 2015, Target Corporation released a statement to customers affected by the now famous 2013 security breach, in which the personal records of as many as 70 million customers[1] had been exposed. Lost data included credit and debit card numbers, names, mailing addresses, phone numbers and email addresses. The statement offered customers who could document their losses a reimbursement up to $10,000. Those without documentation could apply for an equal share of the remaining settlement fund.

On June 2, 2015, the Internal Revenue Service announced that approximately 100,000 taxpayer accounts had been compromised by criminals who gained access through the “Get Transcript” application,[2] which used KBA (Knowledge-Based Authentication) to protect user data. According to magazine FCW, the compromised data included Social Security information, dates of birth, street addresses. prior-year tax filings, marital status and adjusted gross income. [3] The IRS announcement explained that the over 200,000 hack attempts that had been made during the tax filing season comprised less than one percent of the 23 million transcripts legitimately downloaded. This 99-percent success record, however, was hardly acceptable to the taxpayers whose financial records had been stolen.

On June 4, 2015, the Associated Press broke the news that Chinese hackers had infiltrated the computer networks of the Office of Personnel Management and the Interior Department, obtaining the personnel files of more than 4 million federal workers.[4] Security expert John Schindler of intelligence blog The XX Committee portrays the lost data as the Holy Grail of counterintelligence. “They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork.”[5]

Cybersecurity affects everyone, digitally active or not. Tax records, employment records, financial records and more are all stored digitally by federal and state governments, employers, banks, creditors and even social media. If you are alive, you are vulnerable; if you are dead, you may still be vulnerable.

Simply put, cybersecurity involves protecting information stored or communicated digitally against damage, unauthorized use, modification or exploitation.[6] According to the National Initiative for Cybersecurity Careers and Studies, “sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy or threaten the delivery of essential services.” [7]

Hackers are focused on two primary goals: identity theft and intellectual property theft (patents, trademarks, trade secrets and copyrights)[6]. Some cyber attacks involve sophisticated spy networks with teams of highly skilled programmers penetrating defense systems of governments and major corporations by exploiting vulnerabilities or breaking complex codes. Others — far more common — are directed at individuals and small businesses. These include:

  • Phishing: A digital form of social engineering to deceive individuals into providing sensitive information.
  • Spoofing: Faking the sending address of a transmission to gain illegal [unauthorized] entry into a secure system.
  • Denial of Service: An attack that prevents or impairs the authorized use of information system resources or services.
  • Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
  • Malware: Software that compromises the operation of a system by performing an unauthorized function or process. [6]

How widespread is the cyber threat? The Association of Financial Professionals reports that more than 60 percent of companies have been the victim of an attempted cyber-attack.[8] CNN reports that 47 percent of American adults had their personal information exposed by hackers in 2014 alone.[9] On a global basis, Intel Security (McAfee) estimates the loss to businesses somewhere between $375 and $575 billion each year, resulting in a net loss of 200,000 American jobs.[10]

Combating cybercrime has become a very big business. Gartner calculated 2014 information security spending at more than $71 billion,[11] and it may reach $155 billion by 2019.[12] That spending may take many forms, from software subscriptions to full-time employees, and from IT consultants to “white hat” hackers. And whether the cybersecurity customer is big government, a religious institution, a school or a business, the focus of the spend is the same: protecting your data.

Small businesses are at particular risk. According to the Department of Homeland Security, “Small businesses may not consider themselves targets for cyber attacks due to their small size or the perception that they don’t have anything worth stealing. However, small businesses have valuable information cyber criminals seek, such as employee and customer records, bank account information and access to the business’s finances, and access to larger networks.”[13]

Research performed by the National Cyber Security Alliance and Symantec has shown that 66 percent of small businesses are dependent on the internet for their day-to-day operations; and that “69 percent handle sensitive information, including customer data; 49 percent have financial records and reports; 23 percent have their own intellectual property and 18 percent handle intellectual property belonging to others outside of the company.”[14] Yet despite their vulnerability, 77 percent do not have a written employee internet security policy, 67 percent allow USB devices in the workplace, 59 percent to not require multi-factor authentication for network access, and only half wipe their hard drives before disposing of them.[14]

Experts provide many steps you can take to protect yourself, your business and your customers. Here are just a few:

  1. Educate yourself and your employees on the threats that cybercrime presents to your business, including: financial risks from lost data and resulting legal liabilities, unplanned downtime and loss of productivity, erosion of your brand, decline in customer loyalty, and loss of jobs.
  2. Avoid unsecured internet connections on all workplace-connected devices, including mobile.
  3. Never open unexpected email attachments or files from unknown senders.
  4. Don’t respond to email requests for company or customer information without confirming the sender by phone.
  5. Use strong passwords and change them regularly.
  6. Never share your usernames or passwords.
  7. Monitor your banking and credit accounts, as well as online information about your company.
  8. Encrypt all hard drives, especially on laptops.
  9. Place tracking software on all portable devices that contain or have access to company data.
  10. Never store files on your desktop. (Store them on a secured server.)
  11. Do not allow employees to install personal software on or download files to their computers.
  12. Report any unusual computer activity or service interruptions to your IT department immediately.
  13. Beware of suspicious questioners or unauthorized attempts to access your systems.
  14. Block and report senders of suspicious emails.
  15. Restrict network storage to company data only (no personal storage).
  16. Use social media cautiously. Don’t post unnecessary personal information (e.g., your address), information about your company or customers, or your schedule. And activate your privacy settings.
  17. Capture network traffic around the clock for forensic analysis.
  18. Empower network administrators to comb through archived data and network traffic, looking for anything out of the ordinary.
  19. Establish a baseline for network activity and set thresholds for suspicious activity levels.
  20. Update your policies regularly as the cybersecurity challenge evolves.

As with all risks, the objective is mitigation. The steps you take — and the risks you assume — are yours to choose.

Michael Zimmerman is senior marketing strategist at MarketPoint LLC, a strategic consulting firm specializing in market research, market segmentation, brand development, messaging, channel and employee communications, and interim/outsourced CMO. www.marketpointllc.com. Contact him at michael@yourmarketpoint.com.


 

[1] Paul Ziobro and Danny Yardon, “Target Now Says 70 Million People Hit in Data Breach.” Wall Street Journal. January 10, 2014. Accessed on June 13, 2015 from http://www.wsj.com/articles/SB10001424052702303754404579312232546392464

[2] Internal Revenue Service, United States Government. “IRS Statement on the “Get Transcript” Application.” June 2, 2015. Accessed June 13, 2015 from http://www.irs.gov/uac/Newsroom/IRS-Statement-on-the-Get-Transcript-Application

[3] Zack Noble, FCW: The Business of Federal Technology. “IRS breach highlights weakness of ‘knowledge-based’ security.” May 27, 2015. Accessed June 13, 2015 from http://fcw.com/articles/2015/05/27/irs-breach-authentication.aspx

[4] Ken Dilanian and Ricardo Alonso-Zaldivar, Associated Press. “China suspected in massive breach of federal personnel data.” Jun. 4, 2015. Accessed June 13, 2015 from http://bigstory.ap.org/article/245283cacee84b14a95880ef9593172a/us-officials-massive-breach-federal-personnel-data

[5] John Schindler, “Hacking as Offensive Counterintelligence,” Blog:XXX Committee.com. June 8, 2015. Accessed June 13, 2015 from http://20committee.com/2015/06/08/hacking-as-offensive-counterintelligence/

[6] (previously 4) The National Initiative for Cybersecurity Careers and Studies, “Cybersecurity 101”. United States Department of Homeland Security. Retrieved June 13, 2015 from http://niccs.us-cert.gov/awareness/cybersecurity-101

[7] (previously 16) “Cybersecurity Overview.” United States Department of Homeland Security. April 27, 2015. Retrieved June 13, 2015 from http://www.dhs.gov/cybersecurity-overview

[8] (previously 3) D. Nicholls, “Cybersecurity: Tackling the Insider Threat.” Technology Spectator. March 23, 2015. Retrieved http://www.businessspectator.com.au/article/2015/3/23/technology/cybersecurity-tackling-insider-threat

[9] Jose Pagliery, “Half of American adults hacked this year.” CNN Money. May 28, 2014. Retreived from http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/

[10] Intel Security (McAfee), “Net Losses: Estimating the Global Cost of Cybercrime.” ©2014. Accessed June 13, 2015 from http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf

[11] Gartner, “Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware.” August 22, 2014. Retrieved July 13, 2015 from http://www.gartner.com/newsroom/id/2828722

[12] Markets and Markets. “Cyber Security Market by Solution (IAM, Encryption, DLP, Risk and Compliance Management, IDS/IPS, UTM, Firewall, Antivirus/Antimalware, SIEM, Disaster Recovery, DDOS Mitigation, Web Filtering, and Security Services) – Global Forecast to 2020.” June 2015. Retrieved June 13, 2015 from http://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html

[13] “Stop.Think.Connect. Small Business Resources.” Department of Homeland Security. Retrieved on June 13, 2015 from http://www.dhs.gov/publication/stopthinkconnect-small-business-resources

[14] National Cyber Security Alliance. “Assess Your Risk.” Retrieved on June 13, 2015 from https://www.staysafeonline.org/business-safe-online/assess-your-risk