Cyber thieves targeting small, large businesses

Filed under: Focus,Print | Tags:,

If Al Capone were alive today, he wouldn’t need a gang of armed thugs, only a computer, an Internet connection and a couple of good hackers in order to sock away millions in stolen cash and credit cards.

He would also get away with a few patents, copyrights and inventions.

The international cyber mafia has traditionally targeted businesses that store digital intellectual property, but thieves are now hitting any business that stores financial records or transactions digitally.

The criminals are not always the other side of the world –sometimes, it’s as close as the next desk.

“The thing people need to realize is that the threat comes from inside as well as outside,” said Trevor Dierdorff, owner of Amnet, a local information technology company, “and they need to protect themselves from threats on all sides.”

The inside threats come from employees exiting the company and taking proprietary information with them — downloading it on flash drives or emailing it. Or, even more common, an unwary employee opens an email from a social networking site and clicks on it — unknowingly unleashing malware within the system.

The outside threats can be in basements and garages, or from far-flung places on the globe — organized crime in Eastern Europe, mafia in Russia and hackers sponsored by the Chinese government.

“The political hackers — like Anonymous — are getting the attention, but ironically they do much less damage to economics in America than do some of the nation-state actors or organized crime,” said Bill Wansley, executive vice president for Booz, Allen, Hamilton.

But thanks to high-profile groups like Anonymous, cyber economic espionage is finally getting attention from America’s boardrooms. Not that anyone is going to admit they’ve been hacked.

“It’s a reputation issue,” Wansley said. “A business, like a bank, doesn’t want its customers, its business leaders, to know it’s been hacked. There’d be a run on the bank. But finally, the issue is being addressed at upper leadership levels. But businesses are behind the hackers in trying to secure networks. “

So now banks are working to maintain security even as more people log on to bank over the Internet. The problem? Businesses are too far behind the hackers.

“So now banks are asking security questions — beyond your mother’s maiden name — before they give you access,” Wansley said. “But hackers already know how to spoof those, so they’re behind. There are other ways, however.”

For instance, the European Union agreed to issue credit cards with electronic readers that are more secure. Suddenly, there was a huge increase in credit card theft in the United States.

“Because it’s easier with the magnetic strips we use,” Wansley said. “There are places on the Internet where you can go buy people’s credit card numbers, and they’re not expensive. That’s because they’re so easy to get here.”

Businesses have to take action to protect their networks, as well as the intellectual and financial property stored on them.

“Be aware, there’s no silver bullet,” said Doug DePeepe, a local information technology specialist who’s working on creating a regional cyber protection network. “And there’s no completely securing a network. You can only protect them.”

Software companies regularly release updates on their anti-virus or anti-malware software, but hackers always seem to be a step ahead. That’s why it’s important for businesses to provide specific training for employees.

“Training means letting them know the threats out there, and how to keep them from getting in,” said DePeppe. “For instance, an employee could get an email from a social networking site, and it looks like someone they know is trying to reach them. They click on the link — and they’ve unleashed malware within the system.”

A little bit of training goes a long way in that circumstance, DePeppe said.

“These phishing schemes are so easy for hackers to do,” he said. “There’s so much information out there on the Internet about all of us. It’s not hard to create an email that people are tempted to open.”

And that kind of training goes on even at large companies. Wansley said Booz, Allen, Hamilton spends millions to try to protect its networks.

“But all it takes is one email, and all that protection isn’t worth anything,” he said.

That’s why businesses need to lock down their network, Dierdorff explained. And that just doesn’t mean anti-virus software and training.

“It also can mean locking down certain websites, so you can’t get to them at work,” he said, “or locking down USB ports so people can’t download sensitive materials and take them away. It means being careful who has access to networks from home; and making sure they aren’t logging into the network form unsecured places.”

For instance, if traveling salespeople are using unsecured wi-fi hookups at coffee shops — that’s an automatic “In” for hackers. It might cost a little more money to provide secure wi-fi cards to each salesperson; but it will keep networks safer, he said.

Companies can’t just train employees, lock down the network and buy an anti-virus package. That won’t work.

“They have to watch, they have to keep total watch over the networks to make sure nothing is getting in,” Wansley said. “The fact is, many companies in the United States could have lost intellectual property, lost their patents, their copyrighted work — and they won’t even know it for the most part.”

The vigilance is completely necessary, he said, because the federal government is limited in how it can respond.

“Certainly, they try to prosecute these criminals,” Wansley said. “But even with sophisticated forensics, tracking down the individual responsible is difficult. And there is no international law that can be applied. Add that to the reluctance of companies to admit they’ve been hacked — and it’s extremely difficult to prosecute.”

That’s why DePeppe has launched a regional solution to the problem. Headquartered in the Springs, but with cities in Utah and Wyoming signing on, the western Cyber Exchange creates a nonprofit, cooperative effort that allows small businesses to share information about the phishing and hacking attacks that they’re seeing.

“Hackers are very organized,” he said. “They’ll attack industry by industry. For instance, they might start with oil and gas companies. They’ll attack until they’re thwarted. Then, they’ll move onto banks using the same schemes. The collaboration allows businesses to share information across sectors; so once one company is attacked, all the other businesses can start to protect themselves from that attack.”

Regional security is the answer, DePeppe said, because the federal government’s hands are tied in many cases.

“This isn’t just a business issue,” he said. “It’s a national security issue, it’s about undermining American economic systems from overseas. But we need to be addressing it from a regional standpoint.”