“Hey, let’s be careful out there” is the adage a police sergeant would utter after ticking off the day’s assignments to a full squad room in the 1980s hit TV show Hill Street Blues.
The dangers are different these days, and much more complex. But businesses would be wise to heed the sergeant’s advice, particularly when it comes to protecting their data. Cyber ne’er-do-wells prey upon employees’ gullibility, good nature and inattention to worm their way into companies’ computers, whether to steal data or stage a cyber-stickup.
“In general, it’s safe to say that the internet has become quite a bad neighborhood in the past few years,” says Jason Witty, chief information security officer for U.S. Bank in Minneapolis.
Businesses of all types and sizes are coming to realize that internet fraud can and very well might happen to them. Or as Minneapolis cybersecurity attorney Eran Kahana put it, to paraphrase the FBI, “Everybody has been breached. It’s just a question of whether you know it or you don’t.”
In 2016, serious, paralyzing cyber-attacks, such as spear-phishing and ransomware, proliferated and affected companies around the world. The business email compromise, or BEC, is a sophisticated scam that targets businesses that work with foreign suppliers and/or regularly perform wire transfer payments, according to the FBI. A company may be asked via email to pay an invoice by wiring funds to an alternate fraudulent account. Or sophisticated hackers will use social engineering to hack or spoof a high-level executive’s email to ask an employee who normally handles such wire transfers to urgently wire money directly to a bank.
Sometimes employees’ personal emails are hacked, then used to send requests to vendors culled from their contacts list for invoice payments to fraudster-controlled bank accounts. Or the scammer may call or email a business, claiming to be a lawyer or law firm representative handling confidential or time-sensitive matters that require the business to quickly or secretly transfer funds.
Spear-phishing attacks were frequently used to inject ransomware or trick unwary senior executives into improperly releasing confidential information, or disclose their network access credentials.
Since January 2015, there has been a 1,300-percent increase in actual and attempted losses from business email compromise scams, according to the FBI’s Internet Crime Complaint Center. More than 22,000 domestic and international victims reported losses exceeding $3 billion, with most of the money going to Asian banks in China and Hong Kong. Large corporations carry insurance to protect them from such losses, but small companies usually don’t, says Mary Frantz, managing partner of Bloomington-based consulting firm EKP, LLC. “If a fraudulent wire goes through a title company for $1 million, that would put that company out of business tomorrow,” adds Mike Johnson, director of graduate studies for the security technology master’s program at the University of Minnesota. “People don’t realize the ramifications of making a mistake.”
Scammers who use crypto-ransomware get into companies’ IT systems, lock up the data, and demand to be paid a ransom in Bitcoin. The ransom amount usually isn’t exorbitant, making it more likely that the compromised companies will pay it.
Many hospitality, medical and construction customers have been frequent targets of this scam. A year ago, Hollywood Presbyterian Medical Center in California paid $17,000 in Bitcoin to data-kidnappers to have its information unlocked. Criminals also targeted several manufacturers with ransomware in 2016, Witty says.
“Because it’s been so successful, there’s been quite a bit of copycat activity,” he says, adding that dozens or even hundreds of attackers have come up with variations on the scheme.
However, the trend among U.S. ransomware victims is against paying up, according to a June 2016 study sponsored by security vendor Malwarebytes.
In the survey of 540 organizations in the United States, Canada, Germany and the United Kingdom, nearly 80 percent that reported breaches had “high-value data” held for ransom, with 68 percent of the U.S. companies reporting that ransomware targeted middle management or executives. Globally, 40 percent of the victims paid the ransom, according to the study, conducted by Osterman Research.
Older cyber-scams such as spear-phishing continue to thrive, Johnson says. A German study conducted last summer found that half of the people who received email or Facebook messages from strangers clicked on the links, despite knowing the risks.
Using defenses correctly
That “It can’t happen to me” attitude isn’t quite as prevalent among businesses as it used to be, but smaller companies still have a hard time justifying the expense of hiring an IT expert to protect their data, experts say. Frantz believes that businesses that throw lots of money at cybersecurity tools and software are wasting it if they don’t use them correctly or hire the right people to do the work.
The same goes for companies that train employees how to avoid a cyber-scam, but fail to set their tools and configure their systems to block breaches, or don’t test their security posture.
“These are really basic things that small, medium and large companies are missing,” Frantz says. “Training is a big piece, but people are just not doing the basics. The vast majority of them never follow through with the basics.”
Yet companies that take a small number of security measures can protect themselves very well from many breaches, according to these experts. It comes down to what they call computer hygiene—frequently backing up data and changing passwords.
Frantz and others also recommend that businesses have a private security assessment.
Some companies with more sophisticated cybersecurity systems have been engaging consulting firms to conduct “red team” operations, according to Jeff Olejnik, director of cyber-security for business consulting firm Wipfli. Acting as the red team, the consultants launch an attack on the company, telling its IT professionals (the blue team) how they got in to see if the blue team detects the breach. Together they form the purple team, working to improve the company’s security.
Businesses considering hiring such an outside firm can protect themselves further by demanding the vendors have policies and procedures that are documentable and executable, according to Kahana, counsel at the Maslon law firm in Minneapolis. For example, they might insist that the vendors comply with best practices according to standards of ISO (International Organization for Standardization) or those issued to federal vendors by the National Institute of Standards and Technology.
A company can also limit its liability for security breaches by beefing up its information security policy, making it a management tool and a training tool.
“It’s still very much relegated to a section in an employee manual,” Kahana says. “The trend is to make it its own policy, and something that is visited annually with employees versus once when they’re hired and that’s it.”
“You’re reducing liability because people are more knowledgeable about what not to do,” Kahana says. “You’re also reducing your liability because your insurer has less of an opportunity to say that you’re not complying with what your information security policy says that you’re doing.”
New detection tools
Companies also have some new detection tools at their disposal, including security analytics, endpoint detection and automation, according to Deron Grzetich, a managing director for cyber services at KPMG. Based in Chicago, Grzetich works with clients throughout the country on preventing security breaches.
Security analytics is the application of math to a security problem that helps solve a specific problem by finding patterns and meaning in large amounts of data. For example, if an employee named Bob tries to log in 10 times and fails, a security analysis of Bob’s login history can show if he often forgets his password or if someone is impersonating Bob to breach the company’s system, Grzetich explains.
“I think now the innovation is the movement of applying that math, the correct math, to a particular security problem, and I think over time we’ll get better at this,” he says. “We started down this path years ago; we’re just now getting some tracking to say here’s what works and here’s what doesn’t work.”
Endpoint detection prevention and response technologies can tell an IT department whether a problem at a particular endpoint—a location where the network connection terminates, such as a server, mobile device or laptop—is really serious, according to Grzetich. “We’re moving our ability to detect these things out to the particular devices,” he says. “It’s helping my team become more effective.”
Companies such as FireEye, RSA and Carbon Black Inc. have introduced endpoint threat detection and response tools, according to Olejnik, who is based in Minneapolis. These tools look for anomalies, viruses or inappropriate behavior at these endpoints, can do computer forensics to capture and investigate the information, and determine whether data has been compromised, he says.
Detection is also becoming automated, allowing companies to respond more quickly to threats by relieving analysts of having to gauge the seriousness of every suspected breach.
Organizations with mature detection and prevention systems, such as banks and insurance companies, and those in the middle tier, including transportation and tech companies, will have to figure out how to deploy cyber-security automation, Grzetich says. Companies that are newer to network security, such as health care and manufacturing, will have the advantage of deploying automation from the start.
For health care organizations, it’s not a moment too soon, according to a report by health information security tracking company Protenus. That company noted 57 breaches of patient data reported in November 2016. Employees were responsible for more than half of them, a notable increase from previous months.
Most data security breaches result from human error, Olejnik says. On the back end, Wipfli has begun to see companies adding data breach responses to their business continuity plans, he says.
All the whiz-bang technology in the world, however, won’t offer blanket protection from data breaches, according to these experts. “You’ll never be able to take the human analyst out of the loop,” Grzetich says.
“Given enough time, 100 percent of the advantage goes to the attacker,” adds Olejnik. “IT and operations have to make sure that every single device on the network is patched and updated, and they also have to make sure that people are doing the right thing all the time, and not opening things they shouldn’t be opening up. Companies need to come to grips with the fact that 100 percent protection is not possible.”
One answer to the people factor is training, and lots of it, according to Kahana.
“If you’re doing it once a year, you are not paying sufficient attention to your cybersecurity discipline,” he says. “People should always be talking about it. The more it’s in front of employees, the more they can become sensitive to how important it is."
Nancy Crotti is a St. Paul-based freelance writer and editor.