03 Jul Why stopping data breaches will become a bigger problem by the day
To listen to cybersecurity experts talk shop can be akin to watching a horror film: It’s scary but you can’t seem to turn away.
They use terms such as “the dark web,” “takers,” “buyers,” “key strokers” and “memory dumpers” to describe a world where hackers, who range from criminals to terrorists, engage in a global search for valuable data that can be stolen, sold or otherwise used against its owners.
These hackers may live in Ukraine, Iran, China, Serbia or a handful of other nations if they are sophisticated “takers” who steal data – or perhaps South Florida if they are “buyers” scheming to turn that data into cash by siphoning financial accounts, misusing credit cards and more.
“For less than a $200 investment and no scruples,” hackers can go into the business of stealing and marketing personal and corporate data, said Mark Shelhart, senior manager of forensics and incident response for Sikich LLP, a professional services firm with offices in Wisconsin.
Shelhart was among the experts who spoke June 29 at the first Data Privacy and Security Summit in Waukesha, where more than 100 people heard about the risks of data breaches – and how to better protect themselves and their organizations.
The unsettling picture that emerged during the day-long conference was that cyber-attacks are on the rise for many reasons, some of which can be solved by greater technical vigilance and others that are difficult to control in a data-driven age.
“I assume that none of my information is private anymore,” said Derek Laczniak, who specializes in cyber liability for M3 Insurance Solutions in Madison. Just as forensic experts are hired to track and manage a data breach once it happens, cyber liability insurance is an option for companies seeking to better protect themselves and their customers if data breaches occur.
About 4,400 corporate data breaches were reported worldwide in 2014, double the number logged in the previous year. Criminals not only target payment card information, but internal data such as payroll accounts, trade secrets, designs and supply-chain information.
Personal health data files fetch big money on the underground market, conference speakers noted, because they contain information needed to obtain credit and receive services in victims’ names. Health records are most valuable for the non-medical data they contain.
Guarding against data breaches is partly a technical problem. Solutions include locking down systems used for outbound data, securing remote access portals, storing as little customer data as possible and segmenting data systems. In one major case, a system used to monitor a company’s buildings for energy use became a back door to access customer credit card data.
Protecting against data breaches is also a human problem. Employees fail to safeguard or update passwords. Sales personnel can be separated from their mobile devices while traveling, sometimes just long enough for a criminal to download valuable information. Companies that use “cloud” computer storage systems are often victims of password stealing attacks and scams. Although cloud services may have tighter security than in-house data storage, the legal responsibility for lost data usually lies with the user, not the provider.
Many companies deny they’re vulnerable, to the point of not fully vetting vendors or failing to put data security management plans in place. “Leading from the top on these issues is very important” for managers and boards of directors with fiduciary responsibilities, said Gina Carter, an attorney with Whyte Hirschboeck Dudek who specializes in intellectual property and technology issues.
Finally, it’s a legal and public policy problem. Congress has been unable to pass comprehensive cybersecurity legislation for a decade, a vacuum filled by 47 state laws with varying reporting requirements, regulatory mechanisms and criminal or civil penalties. Courts have stepped into the breach to provide some remedies, but case law is often built slowly. Meanwhile, the Federal Trade Commission is helping companies learn from best practices – but there is disagreement over which federal agency should take the regulatory lead.
Glenn Schoen, a corporate security expert based in the Netherlands, summed up the dilemma by noting companies worldwide will use seven times more data in 2020 than they do today. Protecting that volume of data is not a problem to be wished away, Schoen said, but addressed with stronger systems, people, policies and plans.
“In other words, we need to be smarter than the hackers,” he said. So far, unfortunately, the hackers are winning.
Recent articles by Tom Still
- Revisiting some recent topics: Startups, innovation, trade, cybersecurity and more
- Stories from Jendusa, Berbee can help inspire next generation ‘treps
- Helping startups ‘scale up’ is a vital strategy for Wisconsin
- Economic development in rural Wisconsin: What’s working?
- How to harness the power of UW System for economic growth