Notwithstanding recent high-profile data breaches at some of the nation’s largest banks and credit reporting agencies, a top cybersecurity specialist told a group of business leaders and IT managers in Little Rock Wednesday (August 7) that small and mid-size businesses are more at risk of security snafus than their larger peers.
Chase Cunningham, principal analyst serving security and risk professionals at Cambridge, Mass.-based Forrester Research, offered this and other interesting observations during a presentation Wednesday at the annual Business Technology Summit sponsored by Mainstream Technologies of Little Rock.
Cunningham began his “Tales from the Trenches” presentation by highlighting last week’s headline-grabbing news that Equifax was settling a $700 million data breach case with the Federal Trade Commission and Capital One revealed that 100 million customers had their personal and financial information exposed in a hacking incident. However, Cunningham said most larger U.S. and multinational corporations have bolstered their game plans for potential cyber-attacks and large-scale security breaches.
“Those (Equifax and Capital One) incidents were more of a failure of management, not a nuclear event. The largest enterprises and organizations have figured it out,” said Cunningham, a retired U.S. Navy chief with more than 19 years of experience in cyberforensic and cyberanalytic operations. “(Hackers) are now most likely to target small and mid-sized companies.”
Citing industry data that there are more cybersecurity breaches than people on the planet, Cunningham said it is likely that most companies have already experienced an incident where hackers infiltrated an IT network or successfully gained access to sensitive data or personally identifiable information.
“You have probably already been exploited, so you don’t have to be afraid but you should be aware of it. Then you can do something about it,” said Cunningham, who has done past work with the NSA, CIA, FBI and other government agencies. “Accept the reality … that the mathematics and statistics of this is that your company has probably already been compromised. The good news is that they are probably not after you.”
In today’s environment, where cybercrime costs are projected to reach $2 trillion due to the rapid digitization of consumers’ lives and enterprise records, Cunningham said it is not even necessary to be a computer expert to hack into an IT or wireless network. He said anyone can buy a hacker’s kit on the dark web “for a few hundred dollars” to exploit most small and mid-sized networks.
“You don’t even have to be a mega-hacker to do hacking stuff. It’s not that hard,” he said.
Cunningham said Forrester has used drones, key fobs and other tools to test and gain access to “rapidly exploitable” networks through webcams, wireless printers, entry badges, email phishing, malware and Wi-Fi servers. He said that a year ago the publicly traded technology research and advisory firm notified Augusta University in Georgia that email accounts had been exploited by an unauthorized user to gain access to personal and protected health information of nearly 417,000 individuals.
He said Forrester has also reached out to numerous other companies and organizations concerning possible hacking incidents or security breaches, but that many IT managers and executives often downplay or ignore such information.
“Some have actually told us they didn’t want to know about a (hacking) incident. Because if they know, then they are liable for the (breach),” he said.
Cunningham ended his hourlong presentation by telling attendees at the all-day cybersecurity and IT management forum that the biggest cybersecurity challenge small and mid-sized companies face today is teaching employees how to protect company data and information. He said strong firewalls and a secure perimeter to protect a company’s assets and keep intruders at bay are key, but not as important as constantly reminding and educating employees about new and more intrusive cyber threats.
The Forrester cybersecurity specialist added with the rise of phishing, malware, social engineering and other frontline employee cyber-attacks, the end user is often the weakest point of entry to a company’s network.
“We live in a mobile world, the perimeter lives with the user,” said Cunningham, adding that Forrester advises all its clients that every employee should use two-factor authentication, a second verification step in addition to the password, each time they enter a company’s network by internet, wirelessly, mobile phone or some other digital application.
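The second verification step Cunningham recommends is most often a one-time code from a phone app. As an added example, not code from the original article or from Forrester, the block below shows how such a code is generated (HOTP, RFC 4226) and time-based (TOTP, RFC 6238), and how a server should verify it: constant-time comparison, a one-step tolerance for clock drift, and refusal to accept a code for a time window that has already been used, which is the replay check a practitioner would want. The shared secret is the published RFC test-vector key, used here as an assumed placeholder, not a real user's secret.

```python
import hashlib
import hmac
import struct
import time

# Assumed placeholder secret: the RFC 4226 / RFC 6238 test-vector key, not a real enrollment secret.
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code window (RFC 6238 default)
DIGITS = 6       # length of the code shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second windows since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for a submitted code.

    - compares in constant time, so a wrong code cannot be distinguished by timing
    - accepts +/- `drift` windows so a phone clock that is slightly off still works
    - remembers the highest window already accepted and refuses it again (replay protection)
    """

    def __init__(self, secret: bytes, step: int = TIME_STEP, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_counter = -1      # highest counter value consumed so far

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue            # this window was already used: treat a resubmitted code as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # What the user's app would display right now for the placeholder secret.
    print("current code:", totp(TEST_SECRET, int(time.time())))
```

The `verify` method is the part worth copying: the drift tolerance and the replay check are what turn a correct HOTP implementation into a safe login step. Without the `last_counter` check, a code captured by a phishing page can be resubmitted within the same 30-second window.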
Cunningham said the mindset that all companies need to have is that cybersecurity is like military combat, noting the U.S. Department of Defense in 2011 declared cyberspace as a new war domain. He said the U.S., Israel and other nation-states are responding to some cyberattacks in the same way as they would any other military threat.
“We have jumped the shark … to now where we are physically blowing up buildings because of cyber actions,” said the former Navy officer. “It is a live-fire battlefield environment, but we are not throwing lead, we are throwing electrons.”
As the digital workplace grows, Cunningham said managing network security will become increasingly harder for small and mid-sized companies because of costs and lack of education on the growing threat. Highlighting the crisis, the former military security specialist cited a study by the U.S. Cyber Security Alliance that 60% of small companies are unable to sustain their businesses over six months after a cyber attack.
At the same time, according to the Ponemon Institute, the average cost for a small business to recover after it has been hacked stands at $690,000. For middle-market companies, it is over $1 million, Cunningham said.
“If they think you are a hard target, then they will go somewhere else,” he said. “This is a zombie marathon. If you are running faster than the next zombie, then (hackers) will go on to the next company.”
Before Cunningham gave his presentation, Mainstream Technologies President and Chief Security Officer John Burgess provided an overview of his firm’s growing operations in Little Rock, Conway and Northwest Arkansas. Burgess said the local IT services and management firm is looking to gain a greater market share in Northwest Arkansas to complement its sales office in Bentonville. The local tech firm also recently formed a new standalone cybersecurity division, he said.
“Cyber security is increasingly a major concern,” said Burgess, who also serves as chairman of the Little Rock Technology Park Authority. “We made the decision to split that out in a separate business division.”
Founded in 1998, Mainstream Technologies serves business and government customers across the nation with managed IT services, custom software development services, cyber security services, and hosting.