Shortly after Thanksgiving, news broke that cyberthieves had made off with data of about 500 million customers of the Starwood hotel chain. That attack on a unit of Marriott International was just the latest massive data robbery to make it into public view. Data breaches have become so common that they barely last more than one or two news cycles.
Remember credit agency Equifax’s massive breach in 2017, which put 146 million people’s personal information at risk? Or the one that hit Minneapolis-based Target Corp. in 2013, which affected more than 41 million payment-card accounts? Those are just two more high-profile cyberthefts that have made consumers nervous in recent years.
If you run a small or midsize business, you might be thinking, “If companies that large are susceptible to data thievery, what chance does a smaller company have against the ever-increasing threat of cybercrime?”
In reality, the biggest threat to your data’s security might be the people working for you. This doesn’t necessarily mean that employees are engaging in malicious activities, though some might do so. It could well be carelessness or a lack of understanding of digital defense strategies that allows unwitting employees to fall into the traps of cyberthieves.
Another potential threat to a company’s data is top management, if it doesn’t take the threat seriously. Think you’re too small to be a target? That’s not what hackers are thinking. Or you might think firewalls, security patches, and anti-virus programs on employee computers provide sufficient protection.
But even with those necessary automated safeguards in place, businesses of all sizes need another key level of protection—human beings.
How big an enemy is the enemy from within? The numbers vary according to different studies, but they show that employees create significant risks.
In a September report, Insider Threat: The Human Element of Cyberrisk, consulting firm McKinsey & Co. reported that 50 percent of breaches between 2012 and 2017 involved insiders. Another 2018 cybersecurity report—from New Jersey-based telecom provider Verizon Wireless—stated that 93 percent of successful data breaches are initiated through phishing attacks. That means that “93 percent of the time, the attack starts when we just open the door” and let cybercrooks in, says Stefanie Horvath, executive IT director for Minnesota IT Services, a government agency providing IT services and security to more than 70 state entities.
Phishing remains the tool of choice to pry open the company’s virtual safe. This involves embedding a legitimate-looking attachment or a link in an email. Once an employee clicks the link, he or she is typically asked for a username or password, and the hacker is in. The link might also release a virus into a company’s system. In some cases, the hacker implants ransomware, which prevents the business from accessing its own data unless it is willing to pay the thief.
There are variations on the phishing theme. As more employees use mobile devices in their work, attackers are using “smishing.” That occurs when a cybercrook embeds a phishing link into an SMS or text message. There’s also “vishing,” which involves phishing via a phone message. “An attacker will call a business under the guise of some sort of important business event or the rollout of a product, then try to collect information over the phone,” Horvath says. “This is another example of just how aggressive these cyberattackers are.”
Many understand there are a myriad of tempting targets, including financial institutions, health care companies, and businesses with intellectual property that provide a competitive advantage. The same danger applies to retailers and companies such as hotels and credit agencies that process high volumes of credit card transactions. But what if you run a small manufacturing company or a local wholesaler?
“What we have to realize is that cyberattackers in the past couple of years have really started targeting small businesses,” Horvath says. Online data thieves “look at all businesses and all organizations as potential sources for harvesting at least some sort of value,” she adds. “Instead of attacking large companies, cyberattackers might just go after a lot of businesses because it’s easy to distribute malware.” Indeed, she emphasizes that the scale and volume of attacks has increased.
Many small to midsize organizations don’t understand what they have to protect, says Doug Underwood, an IT risk practice principal in the Minneapolis office of RSM US LLP, an audit, tax, and business consultancy. He notes they can be even more of a target than larger companies are because they don’t take adequate security precautions.
Underwood, who works with companies to help them develop and maintain cybersecurity programs, says that a lot of data is being monetized. Employees’ Social Security numbers have value, of course, as does company financial information. Businesses typically process or share data with others, which can help connect a cyberthief to vendors’ and customers’ information.
Underwood notes that while phishing and its variants remain the most common strategy, he’s seeing more instances of multiple attacks to piece together information. Hackers are finding that many employees are less likely to simply hand over their usernames and passwords by clicking on a malicious link, so they’re getting more patient, Underwood says. These so-called “advanced persistent threats” involve picking up useful information from a variety of sources—phone calls, social media, and the company website.
While the focus of cybersecurity is naturally on a computer’s IT system, that’s not the only “vector” that allows thieves to access data.
“When we think of cybersecurity, we think of having long and complex passwords you need to change every 90 days” and having anti-virus software on your computer, says Amos Aesoph, chief security officer for Plymouth-based Xigent Solutions. The company provides IT services, including cybersecurity, to Upper Midwest mid-market organizations.
But when Aesoph and his colleagues perform a risk assessment, it can include aspects that aren’t actually on the network, like security cameras. They may ask where backup data is stored so that it is safe from a fire or a flood.
And then there are windows. Aesoph recently toured a small bank using Xigent services and noticed that the windows had no shades or tinting. “On the ground floor, you could look through the windows and see information sitting on people’s desks,” he says. “Whether that information is account numbers or even passwords for getting into the IT system, that is a stepping stone into a cybersecurity problem.”
There have been situations in which a cyberthief walks into a bank with a laptop, finds an exposed network port in a public area, and plugs right into the bank network. Or perhaps there is information on a whiteboard used in a meeting that reveals proprietary information about the bank’s hardware and software platforms. “That information is very useful to a hacker, because now they have a target to go after,” Aesoph says. Cybersecurity, he adds, “is not a single item by itself. It needs to be part of the entire strategy that you put in place.”
With cybersecurity growing increasingly complex, more companies are hiring a chief information security officer (CISO). Rather than spreading IT security oversight across several employees, these companies are centralizing that function at the C-suite level.
That’s the case at Minneapolis-based Provation Medical Inc., a developer of clinical documentation and procedure software. This past summer, it hired Milinda Rambel Stone as its first CISO.
Provation isn’t a large company—it employs about 200. But the data it holds is one of the types that cyberthieves most covet: personal health information on thousands of patients.
“We are responsible for highly confidential information and we must protect it,” Rambel Stone says, adding that “automation, measurement, and regular risk assessment of our threat vectors are part of our natural discipline.”
As CISO, Rambel Stone is in charge of Provation’s cybersecurity. But that doesn’t mean that security is solely her responsibility. She conducts her oversight of Provation’s IT system using a DevSecOps model, which is a collaborative security model across the various teams in a company. As Rambel Stone characterizes it: “Every person in the organization can improve the safety and security of our products.”
That also means that everyone in the company is involved in keeping its IT system secure. Rambel Stone knows that “the largest threat vector” for data breaches is employee mistakes or failure to comply with a company’s information security system.
Another consideration: the overlap of work and home computing.
“How many of your passwords are the same? How many of them are easily detectable? And do you use the same passwords at work that you do at home? If you do, that could put the organization at risk,” Rambel Stone says. Provation uses an automated password test that determines whether employees are using words and phrases that might make it easy for hackers to decipher. Employees whose passwords aren’t sufficiently complex are asked to change them to something less decipherable.
Provation’s Rambel Stone notes that manual processes increase the potential for security failure. All aspects of security can be automated or semi-automated both to reduce security risk and boost operational efficiency. For instance, a security policy might require that passwords be changed every 90 days. Instead of relying on the employees to make the change, a company can use technology to automatically do the reset.
Another example of an automated solution is data loss-prevention software, which is designed to protect the company by preventing users from accidentally or maliciously sharing data that might open the door to cyberthieves. In October, Minneapolis-based Code42 Software Inc., best known for its CrashPlan online data backup suite, introduced its Next-Gen Data-Loss Protection (DLP) product.
Code42’s solution takes a different approach to DLP, according to Vijay Ramanathan, senior vice president of product management. The focus with traditional DLP, he says, is on “how do we stop bad things from happening?” Which is to set up rules and policies ahead of time to prevent those things, even if they’re unintended.
For instance, companies could block employees from sharing certain specially named files via email or a public cloud server like Dropbox. The problem here, Ramanathan notes, is that you have to have the skilled staff and wherewithal to constantly make and update your policies. Even then, your company’s IT staff might not see all the ways hackers can access data.
Even if you kept up with the policies, Ramanathan says, they have a side effect: “They always ended up blocking users from doing things that are actually productive.” For example, a salesperson wants to put a file onto a thumb drive to share the information with a customer in the field. If the company’s DLP prevents that copying, the salesperson is understandably frustrated.
And perhaps unnecessarily so. Code42’s Next-Gen DLP software uses a “CCTV camera” model, continuously collecting data so the security team can keep an eye on things, Ramanathan says. “If something’s amiss, then they can interfere.” The company’s security and IT team also doesn’t need to write preventive policies. “You just start collecting the file activity information—what’s created, what’s deleted, what’s getting copied, what’s getting uploaded.” Employees aren’t blocked, and all files are monitored, wherever they sit. Ramanathan calls this an “identify-detect-recover approach to security rather than a prevent-and-block mentality.” As a result, he says, the technology takes much of the load off the companies’ security teams.
Automated tools such as DLP software, firewalls, and others remain essential defense strategies. But cybersecurity experts emphasize the importance of the human factor—both in allowing attacks and preventing them.
A “robust security awareness is really that first line of defense,” RSM’s Underwood says. While a company might not have all of the best controls and defenses, even a small business can thwart many attempted attacks by keeping employees up to date on their role in cybersecurity.
“It doesn’t matter if you’re a small business or a large business, or if your business is in rural Minnesota or downtown Minneapolis,” says Andy Erickson, Xigent’s director of secure network solutions. “If you’re on the internet, you’re susceptible.”
Gene Rebeck is TCB’s northern Minnesota correspondent.