A good hacking story goes a long way in grabbing our attention. They are a modern spin on a classic genre, the heist. Our collective imaginations run wild with classic heist stories such as Ocean’s 11, The Insider, Heat, The Sting, and The Italian Job. The list of classic tales are extensive, and a bit misleading. Real world heists are becoming a thing of the past, replaced by their modern counterpart, the hack. And every year, there’s a few major breaches that are worthy of their well spun predecessors. For example last year, there was the $81M Bangladesh Bank Hack, and this year, the recent $40M was stolen from an ATM withdrawal scheme took former Soviet countries by storm. Both of these hacks required several operators executing a well thought out plan where timing and coordination were critical. But the vast majority of breaches in any given year require nothing more than an old computer and a mediocre coder with ill intention.
Hackers prefer the boring approach
The very newsworthy Equifax hack that we wrote about last month exposed the personal information of a majority of the country, yet the hack itself was extraordinarily mundane. A critical vulnerability in their servers was left unpatched, and for a hacker to gain access to those 143 million emails, all they had to do was run a program that scanned the internet for unpatched servers. It’s hard to count how many ways Equifax’s security protocols were lacking, but needless to say, something like what happened to them would never happen to one of our clients.
We provide a package of security services on top of our existing Intuition Managed Services platform to enhance the security products and services that adds the following new security features:
- Single Sign-on + Multi-factor Authentication
- DNS Internet & Web Application Monitoring, Filtering & Protection
- Security Awareness-Risk Management End User Training
- Enhanced Network, Services & Device Performance Monitoring & Management
- Corporate & User Policy Templates & Management
These additional security measures make businesses harder to breach and therefore much less appealing to hackers who rely on easy targets. We’d like to think that it takes an Ocean’s 11-type operation to pull off a major breach, but computers searching for vulnerabilities on autopilot do most of the heavy lifting. Businesses and individuals don’t need to be specifically targeted, they just need to be discovered. Hackers wait idly by until their program finds a vulnerability through the internet, and then victims are caught, lock, stock and smoking barrel (get it? Another great heist flick). When a vulnerability is discovered, hackers do a quick cost/benefit in their heads as to whether the infiltration is going to be worth it. Bad security practices in businesses lead hackers to picking the lowest hanging fruit so they can take it easy and get away without repercussion.
What you hear about versus what’s actually happening
The DNC hack last year was a perfect example of a simple click in a malicious email gone horribly awry. The DNC wasn’t particularly technically sophisticated, but even high tech institutions aren’t immune to bad security. Last year, the South Korean government was hacked and North Korea gained access to our joint military plans and operations. Standard security practices that most MSPs would deploy are often adequate, even for state actors, but the private sector isn’t looking very good at the moment either. A hacking group affiliated with Russia tapped into the key operational networks of US energy companies, so that they could potentially control parts of the power grids which provide electricity for millions of people.
When public entities get hacked, we all hear about it, but the big untold story is how prevalent hacking is among small and midsize businesses that would rather keep their disasters private. According to a yearly report published by Ponemon and sponsored by IBM, the top 10 industries breached are:
- Financial Services
- Life science
- Industrial Energy
Given the ease and high value in targeting healthcare, the U.S. Department of Health and Human Services Office for Civil Rights keeps a running hall of shame for health breaches, a public list of all reported breaches that affected over 500 individuals. There’s over 230 such cases listed so far this year. EdTech Strategies keeps a running tally of K-12 Cyber Incidents too, with around 221 cases so far this year. The Breach Level Index lists major/known breaches that already number over 1,000 this year. And this is just the tip of the iceberg since the rest aren’t publicly reported. According to Symantec’s Security Threat Report, 43 percent of cyber attacks target small business. In the aftermath of these incidents, Ponemon reports that these companies spent an average of $879,582 because of damage or theft of IT assets, and the disruption to normal operations cost an average of $955,429. Even small breaches easily cost millions for businesses to recover, many of them put businesses under. Cybercriminals target small businesses because they are an easy, soft target to penetrate.
We’ve noticed throughout 2017 that Small and Midsize businesses are more concerned with cybersecurity than we’ve seen in previous years, but given the scope of the threat, the concern isn’t even close to adequate. Despite all the news, a survey published by Manta shows that 87 percent of small-business owners don’t feel that they’re at risk of a cybersecurity attack, and a third of small businesses don’t have the tools in place – basics such as firewalls, antivirus software, spam filters or data-encryption tools – to protect themselves. Keep in mind that there’s no major cybercrime division at your local police department that’s setup to save everyday businesses from having their bottom line blotted out. For the most part, the incentive to hack anything that’s easily exploitable is high and the chance of repercussions are low. The scary part of these everyday run of the mill hacks is that they aren’t newsworthy, except maybe to the victims. Businesses leak their client lists, employees upload sensitive information to cloud storage accounts, and everyone clicks on something that looks legitimate but isn’t.
Technology continues to become more and more deeply integrated into all aspects of your business. In order to address cyber security concerns among the growing threat landscape and the continued threats to our customers’ infrastructures, users and assets; we have developed a platform of best-in-breed security products and services, Intuition Security + that keeps your business safe, so you can rest easy at night-.