Cybersecurity expert Jeff Olejnik calls it “a sprawl,” and he’d argue that it’s one of the biggest IT challenges businesses face.
Sprawl is his characterization of the way businesses have been “extending their networks.” Company information now spreads across employee tablets and smartphones, cloud services, and online software-as-a-service applications such as Salesforce.com. All of these vehicles provide entry points into corporate networks.
Olejnik is the Minneapolis-based director of the risk advisory and forensics practice for Wipfli, an accounting and consulting firm, and he’s attuned to the multiple openings that data burglars are constantly attempting to slip through.
Data breaches should be familiar to all businesses. The Target breach of the 2013 holiday season, in which hackers made off with credit and debit card data of nearly 70 million customers, is perhaps the most high-profile cybercrime. More recently, Eden Prairie-based Supervalu reported over the summer that hackers attacked the grocery supplier’s computer systems containing customer information from more than 1,000 company-owned stores, including 60 in Minnesota.
But even smaller businesses are at risk. In fact, due largely to the changing nature of technology, they’re more at risk than ever. Digital thieves worldwide are growing in number and sophistication. They’re looking for credit card numbers, email addresses, trade secrets and more.
Operations of all sizes have long put up firewalls and other controls. But IT security experts say that traditional approaches are no longer enough. Cybersecurity requires more vigilance, and a hands-on approach to protecting data. This is what IT consultants call creating a culture of security.
With each high-visibility data breach, U.S. business leaders see that most companies are vulnerable to sophisticated cyber-attacks.
In a 2014 “economic crime” survey conducted by PricewaterhouseCoopers, 71 percent of U.S. respondents perceived an increased risk of cybercrime over the past 24 months.
“Once-novel threats like cyber-attacks are no longer confined to obscure hacker groups operating in the shadows of our economy; but have become a key weapon in the arsenal of common criminals, organized crime rings and foreign nation-states,” according to the PricewaterhouseCoopers survey report.
“Billions of dollars in investment and R&D can be lost in a matter of minutes. With many U.S. companies at the forefront of innovation, we can expect cyber-attacks and related schemes to increase in frequency and magnitude, resulting in substantial intellectual property, trademark and patent violations in the coming years.”
Even as data becomes more abundant, it has become more valuable. In December, the New York Times reported that a shadowy entity called FIN4 gained access to the email accounts of executives, legal counsel, consultants and others associated with more than 100 large companies, primarily in health care and pharmaceuticals. The group’s alleged goal: Get confidential merger-and-acquisition information, among other valuable data, that could be used by rogue investors looking for inside stock edges.
“The value of information in our information economy has been elevated,” says Jay Cline, Minneapolis-based principal for data protection and privacy risk assurance at audit, assurance and consulting firm PwC US, a unit of PricewaterhouseCoopers. “So the gains for criminals gaining access to corporate information have gone up,” he adds. “That’s the core cost-benefit analysis of why we’re seeing a 48 percent increase in detected incidents from this year compared to last year.”
That 48 percent figure comes from PricewaterhouseCoopers’ Global State of Information Survey 2015, published last year. Among other findings, the survey noted that the number of detected “security incidents” has risen for both large and midsized businesses. (Midsized is considered annual revenue of $100 million to $1 billion.) One reason for that increase, according to the survey: Hackers have found that many large companies have beefed up their cybersecurity, which makes less-protected midsized firms a more tempting target.
“The adversaries are growing and are well-funded,” notes Joe Greene, a Minneapolis-based PwC advisory principal focused on cybersecurity and privacy. “You’ve got nation-states involved, organized crime, hacktivists.” The existence of so much business data online opens gateways to access proprietary information from multiple businesses. “Companies’ systems are increasingly interconnected, to the point that boundaries are blurred. Breaking into one organization may lead to another organization,” Greene says.
What causes this blurring? Licensing intellectual property, sharing health care and other data, and the interconnectivity between service providers, such as IT consultants and their customers. “Things that used to be done offline are now being done online,” Greene says.
This wide broadcasting of data is one of the key reasons businesses are so vulnerable. This isn’t to say that the use of mobile devices or the cloud shouldn’t occur. The ability to easily share information among employees and companies has enormous benefits. Companies say that the information they gather about their customers allows them to do a better job of serving them, says Robert Cattanach, a partner at Minneapolis law firm Dorsey & Whitney. His practice areas address cybersecurity, privacy and telecommunications issues.
But Cattanach and others note that the growing use of tools like software as a service (SaaS) and the cloud can leave businesses at risk. “We’re still at an inflection point where [cybersecurity threats] are going to continue to get worse, at least a little bit,” Cattanach says. “The threats out there are increasingly sophisticated. They get around a basic level of security. I think we’re going to see increasingly aggressive attempts at intrusion.”
Government officials in the United States and Europe are looking at ways to crack down on cybercrime.
The new Congress is expected to consider data protection legislation. How strict new laws would be, particularly for retailers, is difficult to predict.
But former Minnesota Gov. Tim Pawlenty, now CEO and president of the Financial Services Roundtable, an industry advocacy organization, has been making the case for new laws through various media organizations.
In a November issue of The Hill, a national politics magazine, Pawlenty contended that new cybersecurity laws “must include equalizing data security standards that would require all businesses handling consumer payment information to meet the type of customer data protection standards the financial services sector must already meet.”
Shortly before the November election, Pawlenty argued in a Wall Street Journal opinion piece that cybersecurity laws should be reformed “so companies and the government can better work together to bolster our nation’s cyberdefenses.”
In urging federal action, Pawlenty wrote that a variety of industries could benefit from legislation that allows “companies to share cyberthreat information with one another and the government without fear of being unduly penalized.”
Personal privacy concerns have surfaced regarding this type of legislation. In response, Pawlenty wrote, “We’re not talking about sharing personal or consumer data. The shared information would include information such as threat indicators that describe the type of malicious code sent towards companies, the route such malware traveled and suggestions to combat cyberthreats.”
In 2015, the European Union will begin enforcement of new data security under the EU’s General Data Protection Regulation. U.S. companies operating in Europe that violate the regulation’s data protection and privacy requirements—including gaining explicit consent of Europeans whose data a company wishes to collect—could be subject to penalties. “Those would include fines on privacy violations on up to 5 percent of global revenues,” says Jay Cline, Minneapolis-based principal for data protection and privacy risk assurance at audit, assurance and consulting firm PwC US, a unit of PricewaterhouseCoopers.
Leaders at many small and midsized businesses might be thinking: “Why should we worry? We’re not Target or Supervalu. What valuable data do we have?”
Cattanach acknowledges that breaches at Target, Home Depot and elsewhere were orchestrated by highly skilled people. For smaller businesses, the danger is often the more casual hacker: “They’ll go in, steal a bunch of stuff, then get out, because there are no barriers to entry,” he explains. What might they take? “If you have a guy building a machine fabrication business and he’s going to bid on projects, it’s not going to be out of the realm [of possibility] that his system could be hacked by somebody getting in and looking at his trade secrets,” Cattanach says. “And this has happened: Hackers have gotten in and seen what the bids are going to be. You can sell that information.”
One technique for creating mischief in a company’s network is called “spear phishing.” For instance, hackers who have obtained company email addresses could take them and send each employee an email with a fake but credible-looking bank logo—“something that would entice the person to open the email,” Cattanach says. Then the malware gets into the recipient’s IT system, and the hacker can obtain access to more troves of information, including recipients’ financial data.
Professional services firms, even smaller ones, can offer rich lodes of information. “Law firms have information about businesspeople,” Olejnik says. “They have financial records. If they’re doing litigation, they can have health care records.” In short, professional services firms of all kinds have lots of important and classified information that they need to protect.
Cybersecurity experts note that the banking industry has the strongest record for protecting its golden data. “They’re protecting money and credentials and account information,” Olejnik says. “Probably a bigger reason why banks are so far ahead is that they’ve been proactively audited—by the FDIC and the regulatory bodies—more aggressively than any other industry.” (That said, JPMorgan Chase was the victim of a massive breach this past summer, when hackers stole millions of the bank’s customers’ contact information. That’s evidence that even big companies’ security is vulnerable.)
Health care, Olejnik adds, is not as far along, in general, as financial services in fortifying protection of its data. What will push them ahead is the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which mandates that health care organizations share medical records electronically. That in turn will require them to create secure online environments.
Businesses in less sensitive industries often use what Todd Carpenter, co-owner and chief engineer at Minneapolis-based IT consultancy Adventium Labs, calls the “compliance approach” to cybersecurity. This strategy is relatively easy to execute because it’s systematic. “They do checklists; they try to replace smart people with processes,” Carpenter says. “The nice thing about this approach is that it’s measurable and predictable.” But “if you don’t think about what you’re measuring or observing, while you might see short-term gains, it is insufficient in the long term.”
Compliance and checklists are useful, but they’re limited by multiple factors, Carpenter notes. Perhaps the most significant is that attackers are dynamic, continually thinking and adapting, and they aren’t limited to the scope and assumptions of standardized procedures.
“Some people think they do security once and it’s done,” he says. “That doesn’t work, because the attackers evolve and your systems evolve.” There are no one-size-fits-all approaches for a business. “You can’t fix everything,” Carpenter adds. “No usable system is perfectly secure.”
But, Carpenter notes, companies can improve their cybersecurity on an ongoing basis. IT security experts point to a number of current best practices that allow businesses to increase their protection.
One of those crucial practices is a regular risk assessment. This involves thoroughly examining the company’s IT setup, identifying possible risks and fixing them; examples include unencrypted backups and email, use of cloud storage and lax mobile-device policies. Slightly less obvious examples, Carpenter says, include reliance on untrained software developers, whether in-house or outsourced.
Cloud storage and other cloud services can save a company big money, but using those services means that its customer information and intellectual property are now under the care of someone else. There is no single best practice for working out security of company data via cloud services, since those services vary widely in the way they operate. Carpenter says that the best overall approach is to use a private cloud that is under the company’s control. If that’s not affordable, he recommends getting a service-level agreement that obligates the cloud provider to offer certain safeguards. One example is that no other customer can use the same storage hardware.
Then there are challenges posed by mobile devices. Even when they’re firmly in employees’ control, people can “click on the wrong thing on an email attachment, and you can start to leak information that way,” Carpenter says. A company needs to protect data “when it’s in motion—in an email, for instance, or when you’re downloading something—and when it’s at rest.” Companies should use their operating system’s built-in encryption, for instance, and make sure that company emails also are encrypted.
Indeed, Carpenter recommends that employees be instructed to treat their smartphones and tablets as “mobile browsers,” not as storage devices for their employer’s proprietary information. And if it’s unavoidable that such data is on employee mobile devices, there are applications that allow a company to wipe a device clean of sensitive data should an employee report the phone or tablet lost or stolen.
A company might even wish to follow the example of Jim Wolford, co-owner and CEO of Minneapolis-based IT hosting and consulting firm Atomic Data. He doesn’t allow his staff to use their personal devices for work purposes—ever, at all. Having those devices on his company’s network “causes lots of problems,” he says, adding that “convenience doesn’t outweigh security.”
The business’s data and network, after all, are “company assets, and they must be protected.”
Overall, Wolford says, companies need to have “an attention to detail around policies and procedures,” and communicate them clearly to employees. “That’s the No. 1 best practice.”
That requires managing vendors and watching who’s coming and going from the network. “It takes more time than it does money,” Wolford says.
“Yes, you need to create firewalls. Yes, you should have someone coming in to perform penetration tests. But building [cybersecurity] into the company’s culture is what’s needed. And we’re not seeing it.”
Doing business online has been a boon to businesses of all sizes, and no one’s arguing about a return to an off-line world of IBM Selectric typewriters and carbon paper.
But with the wealth of all that data flying across the world, it’s critical that businesses block cyberthieves from stealing their valuable information.
Gene Rebeck is a Duluth-based freelance journalist who writes monthly for Twin Cities Business.