Target attracted national attention in 2013 when a data breach allowed a hacker to access payment card and personal information of tens of millions of customers.
Six years later, Target was still dealing with the damage from that cybersecurity episode. In November, the Minneapolis-based retailer sued an insurance company to force reimbursements for the costs of replacing payment cards. Target says it has not been reimbursed for $74 million in settlements associated with the data breach.
The Target case is just one of the high-profile cautionary tales about the scope of damage that cyberthieves can inflict. Home Depot’s 2014 breach cost the company more than $27 million to settle. The Equifax incident in 2017 exposed the personal information of 147 million people in the credit monitoring company’s database.
Now attempted hacks are routine, with businesses of every size the potential victims. In the summer of 2019, Iowa-based supermarket chain Hy-Vee announced that there’d been a security breach on some of its point-of-sale systems, exposing customer credit card data to hackers.
Cybercrime remains a booming global industry, costing more than $45 billion in losses worldwide in 2018. Small companies are nearly as susceptible to attack as large ones; according to a 2019 report from Verizon Wireless, 43 percent of cyberattacks target small businesses. In a 2018 survey conducted for Chicago-based cybersecurity company Keeper Security, 67 percent of small and midsize companies that responded experienced a cyberattack in the previous 12 months.
The survey revealed some disturbing vulnerabilities. Just 40 percent of the companies surveyed reported that the technologies they were using could “detect and block most cyberattacks.”
While cybersecurity firms always are looking at ways to keep ahead of hackers, it’s also the case that some businesses and their employees fall for old hacker tricks.
No matter the company’s size, its leaders need to employ people with cybersecurity expertise or contract with a firm that can provide the service. “If you’re using technology or taking payments, you’re potentially a target,” says Christopher Emerson, founder and CEO of Plymouth-based White Oak Security. It provides cybersecurity testing to businesses and other organizations.
Cybersecurity experts say there’s currently no way to stop every attack. Hackers are always seeking, and often finding, ways to outwit defenses. “Prevention is an outdated approach,” says Joe Payne, president and CEO of Code42, a Minneapolis-based developer of data storage and security software. “On the external side, that idea is laughed at.”
But even as cyberattackers become more sophisticated, what’s remarkable is that “most of the attacks today are the same kind of attacks they were five years ago, like phishing and business email compromise,” says Evan Francen, CEO of FRSecure, an information security consultancy based in Minnetonka. In the vast majority of cases, hackers can access business IT systems because employees—typically inadvertently—let them in.
For businesses, cybersecurity threats haven’t changed all that much. Malware can steal employee, customer, and vendor information. Ransomware can shut down a company’s IT system until it pays the ransom, which can run into four or five figures. And while companies can’t stop every attack, they have weapons that can block a lot of them.
Of course, businesses increasingly rely on technology. “The complexity of the [technology] environment, the fact of cloud migration efforts, the speed of the business, the changes being driven by the business, make invisibility of the data in your network very important,” says Jill Allison, Twin Cities-based advisory chief information security officer (CISO) for Phoenix-based cybersecurity firm Kudelski Security. Meanwhile, she adds, “the sophistication of the threat of cyberattack techniques is increasing, and overall, business resources are constrained.”
The complexity of business IT is intertwined with an abundance of data that companies gather, generate, store, and share. That means that employees have become a crucial line of defense against attacks—and often, they fail in their duty. In October, Code42 released its 2019 Data Exposure Report. One of its key findings: Employees are one of the biggest threats to a company’s data security—even if they don’t mean to be.
“You have two things happening at the same time,” says Payne of Code42. “The first is this wave of collaboration technologies that have come into the workplace—Slack, Dropbox, Google Drive, and Microsoft OneDrive, as well as a lot of chat applications. They make it easy for employees to share information with each other and collaborate to be more effective.” While that’s a positive trend, he adds, company data is flowing through a lot of different places and hard to track.
Another factor that has made company data more vulnerable is the fact that “you have a lot more mobility in the workforce,” Payne says. That frequent job-switching is especially prevalent among those with coveted skill sets, like IT workers. “You have the potential for much more data leakage due in particular to employees moving to a new job,” he says.
But the employees who don’t leave are a bigger threat to a company’s data, thanks to what cybersecurity experts call “social engineering.” Very simply, this involves conning employees into giving access to a company’s IT system. “It’s a big confidence game,” White Oak Security’s Emerson says. “In general, people are helpful. They want to assume good intentions.”
The most common example is phishing, where hackers send what look like legitimate emails from vendors or banks. “All it takes is for one person to click on it and provide their bank information or login information,” Emerson says. A more targeted and typically more sophisticated variation is spear phishing. For example, “a hacker might target someone in the finance department of a specific organization in order to gain access to the financial system—get access to their account, which will likely have access to financial systems within the organization,” Emerson says.
Other variants include vishing, where attackers target users of voice-over IP services such as Skype. There’s also smishing, where cybercrooks make use of cellphone short message services (SMS), also simply known as texting.
For most companies, antivirus software and a firewall have been the main lines of technological defense against cybercrooks. But with attacks growing increasingly sophisticated, more businesses recognize that they’re insufficient in and of themselves.
“There is no one technology that can solve all of your problems, nor is there one vendor who can do so,” Payne says. His company, for instance, uses more than 25 technologies to protect its data, including Proofpoint for email filtering and CrowdStrike for identifying and responding to external threats.
Dave Hall, chief digital officer at Shoreview-based IT firm SharemarQ, calls this approach “layered protection.” In addition to technologies that identify and quarantine cyberthreats, Hall’s company also offers software that limits the visibility of secure environments, he says. For instance, “if someone in software engineering doesn’t need access to the financial and accounting area, then we’re going to make that invisible” to that engineer. If there’s a “bad actor” in the company, Hall adds, “he or she won’t know how to get there.”
Numerous other cybersecurity technologies are entering the market. In September, Philadelphia-based Comcast Business launched a cloud-based internet security product for small businesses. SecurityEdge is designed to block employee and guest access to compromised or malicious domains, while updating new domain threats every 10 minutes. According to the company, SecurityEdge covers all connected devices, from mobile phones to wireless printers, without requiring anything more than the Comcast Business modem.
“There are a lot of companies that are investing in expensive pieces of software and hardware,” Minnesota IT industry veteran Tyler Olson says. But “the vast majority of data breaches are caused by single individuals doing the basics wrong.”
That gave Olson the idea for a new business. Last February, he and his board hired a CEO to run Plymouth-based Modern Foundation, his digital marketing company, to focus on his new venture, Minneapolis-based SHYLD Academy. The mission of SHYLD (pronounced “shield”) is to teach its students the basics of cybersecurity, Olson says. Several small businesses have already signed up their employees.
These developments point to the cybersecurity weapon that may still be a secret to many businesses—employee awareness.
One of the important basics Olson cites remains one of the simplest: Don’t click on links you don’t recognize. According to Verizon’s 2019 Data Breach Investigations Report, more than 90 percent of malware enters a company’s IT via email. Verizon’s report for the previous year was even more specific, identifying email as the source of 92.4 percent of malware distribution and 96 percent of phishing attacks.
Cybersecurity awareness training, whether conducted within the company or by outside consultants such as SHYLD, teaches employees how to be more security-aware and understand what threats look like. “This can be inexpensive—it just takes someone’s time to put the material together and then actually communicate the training,” says Judy Hatchett, vice president of information security and CISO at Minneapolis-based Fairview Health Services. “If there are funds available, there are tools that can be purchased that allow you to do this electronically.”
Even top executives fall for social engineering-type attacks. Code42’s data exposure report found that 65 percent of CEOs and 78 percent of chief security officers clicked on links that they realized they shouldn’t have.
With the steady rise of the Internet of Things, HVAC systems, production machinery, and other essential digital equipment are increasingly interconnected, which provides new points of vulnerability for cyberattacks. In the health care sector, IT specialists have plenty to worry about, including attacks on connected medical and wearable devices such as insulin pumps.
“Cybersecurity now plays a critical role in patient safety,” Fairview’s Hatchett says. “With the release of the 5G cellular network, connected medical, nonmedical, and wearable devices are going to flood the networks. This is also true for the systems that control our buildings. The ability to want to automate, create ‘smart’ environments, have the data at our fingertips, and [have] the ease of doing more things from our mobile devices are only going to complicate our jobs.” She adds, “I am up for the challenge, but it is going to continue to get interesting.”
Regardless, businesses of all sizes need to be prepared for the unexpected. “Breaches are inevitable,” Francen says. “The sooner you face that reality, the better off you are. Then plan for it. What does it look like when an incident happens? How are you going to respond?”
And what will you do to stop a preventable breach?
Twin Cities-area cybersecurity experts share key advice, which can be especially helpful for small and midsize companies that don’t have the budget to invest in more extensive cyber defenses.
♦ Maintain patching and backups of company data.
♦ Don’t assume moving data to the cloud makes your data safe. “Make sure that sensitive data is properly secured and not leaking from badly configured storage.”
♦ Continuously monitor the threat landscape. A crucial part of that is a third-party supplier network. Understand the risks and exposure you have through your overall ecosystem and where third-party breaches are impacting companies today.
White Oak Security
♦ Perform regular backup. This can help businesses counteract the effects of ransomware.
♦ Encrypt your hardware. “Most operating systems now have built-in encryption,” Emerson says. “So turn it on. It helps small businesses when your staff or consultants are taking their laptops to and from work or to conferences. If it gets lost, you’ll have that peace of mind that the data on that laptop is secure.”
♦ Activate antivirus protection. “If you don’t use it, you’re lowering the barrier of entry for an attacker.”
Gene Rebeck is TCB’s northern Minnesota correspondent.