Hacking is costing businesses millions more as sophisticated criminal networks determined to steal information for financial gain have replaced the individuals who were commonplace in the early years of the internet, and Arkansas is not immune.
Local experts say data breaches in the state are on the rise, following a global trend, but companies can prevent them with preparation and limit damage by having a plan for when they fall victim to a breach.
Mandy Stanton and Anton Janik of the Mitchell Williams law firm in Little Rock have formed a team to help clients protect their data.
“What the folks that have been doing the meta-analysis of this data protection issue are saying is that we have switched between the lone hacker, out there for laughs, trying to make a name in the hacker universe by saying, ‘Oh, look, I got this number of credit cards,’ to real identifiable criminal networks that are going after this information because it has real monetary value,” Janik said.
That value is $7.7 million, which is the average cost of a cybercrime per company, according to the Ponemon Institute’s 2015 Cost of Cyber Crime Study, sponsored by Hewlett Packard Enterprise of California.
Companies experiencing a breach could also face a cash flow interruption because the payment card industry might withhold reimbursements until the victims pay a fine for not being in compliance with data protection standards, said Drake Mann of the Gill Ragon Owen law firm in Little Rock.
The Ponemon study also found that the number of successful attacks per year per company had grown by almost half in four years, from 68 in 2012 to 99 in 2015, and the average time needed to resolve incidents had tripled to 46 days.
But a number of measures could reduce the average cost of a cybercrime per company by about a quarter, the study concludes.
In Arkansas, Janik and Stanton said, one of the most common cybersecurity schemes has been hackers spoofing the email of a CEO or CFO and requesting sensitive information, like W-2 data, from other executives or instructing that a check be cut.
Hackers have used information obtained through these means to file tax returns and snag the victims’ refunds, Janik said.
Janik’s solution is simple: If asked by email to provide sensitive information or to do something like cut a check, executives should call the person who sent the email to verify his or her request.
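The phone call is the real control, but mail can be screened for the cues that give this scam away before it reaches an executive. The following is an added example, not code from the article or from any firm quoted in it. The company domain, the executive list and both sample messages are constructed; the rules look for a known executive's display name on an outside address, a look-alike sending domain, a Reply-To that points elsewhere, and a request for W-2 data or a payment.

```python
"""Heuristic screening for executive-impersonation email (the CEO/CFO
scam described above). Added example, not code from the article or from
the firms quoted in it. Company domain, executive list and both sample
messages are constructed; treat the rules as a starting point, not a
replacement for calling the sender."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the company's real mail domain and its executives' real addresses.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "john roe": "john.roe@example-corp.com",
}
# Requests the scam typically makes, and the pressure words that accompany them.
SENSITIVE_REQUEST = re.compile(r"\b(w-?2s?|wire|transfer|cut a check|payroll|ssn)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|confidential)\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return the list of reasons a message looks like executive impersonation
    (an empty list means no heuristic fired)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        # A real executive's display name on a different address: the core of the scam.
        reasons.append("display name %r but address %s is not %s" % (name, addr, known))
    if domain_of(addr) != COMPANY_DOMAIN:
        # Catches look-alike domains such as example-corp.co
        reasons.append("sender domain %r is outside %s" % (domain_of(addr), COMPANY_DOMAIN))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To %s differs from From %s" % (reply_to, addr))
    if SENSITIVE_REQUEST.search(body):
        reasons.append("asks for payroll/W-2 data or a payment")
    if URGENCY.search(body):
        reasons.append("urgency wording")
    return reasons

def is_suspicious(raw):
    """Urgency alone is normal business mail; require a header anomaly plus a request."""
    reasons = check_message(raw)
    header_issue = any(r.startswith(("display name", "sender domain", "Reply-To")) for r in reasons)
    request = any(r.startswith("asks for") for r in reasons)
    return header_issue and request

# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: Jane Doe <jane.ceo.office@mail-example.net>
To: payroll@example-corp.com
Subject: W-2 forms

I am in meetings all day. Send me the W-2 forms for all employees as PDF today. Urgent.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: john.roe@example-corp.com
Subject: Board deck

Attached is the deck for Thursday's board meeting.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, is_suspicious(raw), check_message(raw))
```

The display-name check is the one that matters most: the attacker controls the From header, but cannot make an outside address equal the executive's real one, so a mail gateway or a simple mailbox rule can quarantine or tag anything where the two disagree.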
Last year, information on 700,000 U.S. taxpayers was stolen when the IRS was hacked and information on 25.7 million people was stolen when the Office of Personnel Management was hacked.
Training Is Key
The best way to avoid such breaches, local cybersecurity experts said, is to prevent them by training personnel to follow best practices (like not clicking on links in phishing emails and not inserting random USB flash drives into a work computer), testing them on these practices and looking for and addressing network vulnerabilities.
People are the weakest link, all agreed, and companies like iProv LLC of Little Rock are helping with that aspect by providing lunch-and-learn sessions for clients’ employees.
R.J. Martino, president and CEO of iProv, said his company steps in when regulations require a technical audit of a company’s data and the housing of that data and when a company recognizes that not focusing on cybersecurity is a business risk.
Vulnerabilities iProv and others may find include out-of-date software, unsecured access to devices, weak passwords and open ports (access points to the network a company may not be aware of), he said.
On the people side of things, Scott Pitcock, iProv’s security and vulnerability assessor, said weak passwords are what he sees most often. He suggests checking password strength with an online tool called HowSecureIsMyPassword.net. The tool estimates how long it would take someone to gain access through brute force, that is, by trying every possible password until one works. The longer, the better, Pitcock said.
Martino said proper processes and procedures also prevent breaches. IProv partners with law firms to compile documents laying those out.
Stanton, a former compliance officer for U.S. Bank and former counsel for Acxiom, is certified by the International Association of Privacy Professionals. Her team works on company policies and on vendor contracts that spell out data protection requirements, so that a vendor’s access does not become a hacker’s path into the company.
In the 2013 Target data breach in which information on at least 40 million customers was stolen, hackers gained access to the company’s network through an HVAC vendor and Target said recovery from the breach cost the retailer $252 million, Stanton said.
In addition, she said, hacking is always evolving, and the trend has been to attack the health care and financial sectors.
Aaron Gamewell, president and COO of Secure Banking Solutions, said 90 percent of all data breaches are caused by phishing email attacks that are designed to catch any person, but that banks have been subjected to more focused “spear-phishing” attacks, in which emails target groups of people with something in common.
State and federal regulators require banks to have strong protocols, so banks must be concerned about the additional risk of being shut down after a breach, he said.
Large banks are being attacked more frequently than small ones because “maximum take-home” is the hackers’ goal, Gamewell said.
But Chris Bates, CEO and president of The Computer Hut, which has offices in Little Rock and Lowell, said he hasn’t seen many targeted attacks. “It’s, generally speaking, the scattered approach where they send something en masse and hope that a handful of people open it.”
Gamewell said hackers are after money or information, but it’s more often the latter.
Information can be sold via the darknet, overlay networks that can be reached only with special software and that host illicit marketplaces and file sharing. Hacking can also be used to commit corporate espionage.
And Janik said corporate espionage is the next wave — actions like a hacker gaining knowledge of a merger before it’s announced, buying stock and making a fortune.
Companies Held Hostage
In addition to the CEO/CFO scam, ransomware attacks are gaining traction in Arkansas and elsewhere. In this kind of attack hackers encrypt a company’s files and demand that the company pay them to unlock the data.
Gamewell said the average ransom demand in 2015 was $500, to be paid in the form of bitcoin, a digital currency whose transactions are public but hard to tie to a real person. But if the hacker knows the victim is a business, the demand could be for over $10,000 and up to $60,000, he said. (For more on ransomware, see Gamewell’s Expert Advice commentary, Ransomware, and a Particular Set of Skills.)
Hospitals and other health care facilities are especially vulnerable because ransomware attacks can cut off the quick access to patient records that is needed to provide time-sensitive care. Often, they’ll pay what is demanded to avoid deaths and lawsuits.
Mann, of the Gill Ragon Owen law firm, said paying the hackers is sometimes the best choice anyway because the amounts requested are typically less than $1,000, it’s an automated attack and often there is no legal recourse for the victims to pursue.
But Gamewell noted that paying a ransom doesn’t guarantee recovery of data that was hijacked.
Janik said companies that back up their data beforehand can simply wipe their network, restore it and avoid paying a ransom.
Pitcock, of iProv, added that there are online blogs that offer decryption codes for ransomware victims.
Still, experts said, companies should take a proactive, rather than reactive, approach to protecting their data.
Janik’s technical advice is to encrypt, salt and hash.
Hashing runs data through a one-way function that produces a fixed-length digest, so a stored password hash cannot be turned back into the password, and every hash is the same size no matter how long the password was. Salting adds a random value to each password before it is hashed, so two users with the same password end up with different hashes and an attacker cannot run a precomputed table of common passwords against the whole database at once.
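What salting and hashing look like in practice, as an added example that is not code from the article or from anyone quoted in it. It uses only the Python standard library; the iteration count is an assumption to be tuned to the server's hardware. It shows the weak pattern (an unsalted hash, where equal passwords give equal digests) beside the stronger one (a random per-password salt and a deliberately slow key-derivation function), and that the stored digest is a fixed 32 bytes regardless of password length.

```python
"""Salted password hashing with a slow key-derivation function. Added
example, not code from the article or from anyone quoted in it; standard
library only. The point it demonstrates: a salt makes two identical
passwords hash differently, and the stored record is a fixed-length
digest from which the password cannot be recovered."""
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16
ITERATIONS = 600_000   # assumption: a 2023-era work factor for PBKDF2-HMAC-SHA256; tune to your hardware

def unsalted_sha256(password):
    """The weak pattern: same password, same digest, and a leaked table can be
    attacked with precomputed hashes of common passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>'; the salt is random per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Everything needed to re-run the computation is stored; the password itself is not.
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)

def digest_length(stored):
    """Digest size in bytes; SHA-256 output is always 32 regardless of password length."""
    return len(base64.b64decode(stored.split("$")[3]))

if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(unsalted_sha256(pw) == unsalted_sha256(pw))   # unsalted digests collide for equal passwords
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password(pw, b), verify_password("wrong", a))
```

The iteration count is what makes brute force slow for the attacker as well as the defender: a single login costs a fraction of a second, but guessing billions of candidates against a stolen database costs billions of times that. Store the count alongside the hash, as here, so it can be raised later without invalidating existing records.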
Janik said other tech solutions include having firewalls, anti-virus programs, rotating passwords, stronger passwords (10 or more characters, numbers and letters, capital and lowercased letters and symbols), removing access once someone has left the company and restricting what can be put on the network, like flash drives that could have been dropped in the parking lot by hackers hoping to gain access that way.
And Keith Jetton, the founder and chief technical officer of Procyon Solutions Inc. of Little Rock, said cloud-based programs do a better job of keeping software up to date versus traditional programs that allow for scheduled anti-virus scans. He said the cloud is always pushing updates and scanning. It is the most secure solution, if the technology is used properly, Jetton said.
Janik also suggested that employees working from home use a virtual private network, which is an encrypted tunnel between their computer and the firm’s computer, and that employees use a separate program that can encrypt their emails, properly dispose of old files and use two-factor verification, like passwords plus codes that are texted to users or a security question users have to answer after their passwords are entered.
Layers of Protection
Bates agreed that several measures should be taken. “The biggest thing that I tell people is prevention and security and protection is layers. No one single thing is the end-all be-all of that silver bullet. There’s a whole litany of things that you really need to do.”
Those include having screensaver timeouts, security patches, practicing preventive maintenance, monitoring the network for suspicious file activity or to see if traffic is going out unusual ports and having anti-spam software that can eliminate phishing emails before people click on the malicious links in them.
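The monitoring item on that list, traffic leaving on unusual ports, is easy to automate against the flow records most firewalls and routers already produce. The following is an added example, not code from the article or from any firm quoted in it. The records, the internal address range, the expected-port list and the volume threshold are constructed assumptions; the logic flags outbound connections to ports a workstation should not normally use and outbound volume to a single destination large enough to suggest data leaving the network.

```python
"""Flag outbound connections on unusual ports and unusually large
outbound transfers from a batch of flow records. Added example; not
code from the article or from any firm quoted in it. The records, the
internal address range and the expected-port list are constructed
assumptions, loosely in the shape of a NetFlow or connection-log export."""
from collections import defaultdict

INTERNAL_PREFIX = "10.0."                      # assumption: the company's internal range
EXPECTED_PORTS = {53, 80, 123, 443, 587, 993}  # assumption: what a workstation normally talks to outbound
LARGE_OUTBOUND_BYTES = 5_000_000               # assumption: per source/destination pair, per batch

# Constructed records (not real traffic): timestamp src dst dport bytes
FLOWS = """\
2016-05-02T09:01:00 10.0.1.15 203.0.113.10 443 51200
2016-05-02T09:02:00 10.0.1.15 10.0.0.5 445 8192
2016-05-02T09:03:00 10.0.1.22 198.51.100.7 4444 2048
2016-05-02T09:04:00 10.0.1.22 198.51.100.7 4444 6000000
2016-05-02T09:05:00 10.0.1.30 203.0.113.20 53 512
""".splitlines()

def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def find_suspicious_egress(lines, expected_ports=EXPECTED_PORTS, large_bytes=LARGE_OUTBOUND_BYTES):
    """Return (src, dst, dport, reason) tuples for outbound flows worth a look."""
    alerts = []
    volume = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only traffic leaving the network; internal-to-internal is ignored here
        if f["dport"] not in expected_ports:
            alerts.append((f["src"], f["dst"], f["dport"], "unexpected outbound port"))
        volume[(f["src"], f["dst"])] += f["bytes"]
    for (src, dst), total in volume.items():
        if total >= large_bytes:
            alerts.append((src, dst, None, "large outbound volume: %d bytes" % total))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_egress(FLOWS):
        print(alert)
```

The allow-list approach works because a workstation's legitimate outbound destinations are few and stable; anything else is not proof of compromise, but it is exactly the kind of lead an administrator should be looking at rather than discovering after the fact.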
Something else many companies are doing, Pitcock said, is a penetration test — paying someone to hack into their networks to show them where they are vulnerable.
Stanton said companies need to know what data they have, where it is and how critical it is and have standards to protect them from a breach, a plan for how to contain a breach and a notification policy and know the regulations and laws, like Arkansas’ Personal Information Protection Act, that they must follow.
Mann added that a company must designate someone as responsible for its data protection strategy.
He, Janik and Stanton said purchasing cyber liability insurance is yet another option, but Mann wasn’t keen on it. He said there is a lack of information to determine payouts. For a policy to be useful, it must be tailored, Mann said.
Janik acknowledged that many companies may not want to invest in preparation, but doing so is an attractive alternative to suffering the “astronomical” costs of a breach.
“There will be plenty of companies that will have the Ford Pinto approach, that will say, ‘We’ll deal with it when it happens,’” Janik said. “But there will be other companies that will be able to weigh this out and say, ‘What is my real estimated damage if something happens? What, and not just in reputation and in dollars, but in people time and aggravation, and what is that worth?’
“And so, doesn’t it make good business sense to, on the forefront, establish a good strong plan for hardware and software and people training and to keep up with it?”