They happen every day, but they’re something businesses don’t like to talk about: cybersecurity breaches.
“Criminals are more sophisticated than ever, and they are not afraid to use technology in their crimes,” says Eric Burns, a special agent with the FBI in Milwaukee, where he specializes in white-collar crime investigations.
Whether it’s a phishing email trying to get you to click on a questionable link or a more complex scheme where a criminal is masquerading as someone else in order to divert funds, Burns says cybercrime has become an all-too-real problem businesses need to confront.
And it continues to grow. According to a survey by Sikich, a national professional services firm, 50 percent of companies reported a security breach in the past 12 months. Burns says cybercrime cost businesses and individuals $1.2 billion in 2018 — double the amount the year before.
But despite the attacks, few businesses are doing enough to protect themselves, says Mike Venaccio, vice president of integrated technology services at UFS LLC in Green Bay. Small- and mid-sized companies, along with nonprofits, are the most at risk since they don’t have the same technical or financial resources as larger companies.
“Fraud types continue to evolve as technology evolves and we’re seeing new attack vectors all the time,” says Venaccio, who works primarily with community-owned banks on their cybersecurity concerns.
So, what can organizations do to protect themselves? “You definitely need to educate yourself on what’s out there,” says Burns, who will be the keynote speaker at Insight’s Cybersecurity Symposium on Sept. 10 at the Red Lion Hotel Paper Valley in Appleton.
The first step is being aware of common threats. One of the most ubiquitous schemes out there now is what the FBI calls the “business email compromise.” In that case, Burns says a criminal hacks into an organization’s email system and poses as an executive or owner and asks someone from either within or outside the organization to transfer funds to a new bank account.
“The email can look all official and say to a customer or vendor, ‘We’ve changed our bank, so now send your payments here’ or if it’s in-house, it will be asking an employee to send money to an account claiming money is owed,” Burns says. “In the end, it turns out the criminal controls that account and the money is gone.”
Financial institutions take data breaches seriously and use multiple tools to keep customers’ information safe. Venaccio says UFS developed “the next generation of security tools” to help banks combat data breaches. One example is a program that scans all outgoing emails to make sure no bank accounts are listed. That makes it more difficult for hackers to glean personal information.
“Most attacks are not skilled. They are looking for anyone with a pulse to click on something they shouldn’t,” Venaccio says.
Financial institutions are well prepared and protected against cyberthreats, leaving criminals to go after individuals instead, Venaccio says. “They get you by having you do the request. You think you’re following a request from a boss or vendor, and it turns out it’s someone posing as them,” he says. “You can have the best systems in the world, but if someone clicks on something they shouldn’t, those tools won’t help a bit.”
While Venaccio works with commercial banks, he says the advice he provides can be used by any mid- or small-sized organization or nonprofit. “The key is to be vigilant and make sure software is updated and employees understand the danger of cyberattacks and are educated about what to look for,” he says.
Protecting your business, yourself
Venaccio says workers sometimes tune out once you mention cybersecurity because “they see about data breaches in the headlines, but until it happens to them, they may not fully understand. You have to make sure they know how important it is to stay up-to-date.”
Here are some tips to share with employees throughout your organization on how to keep cybercriminals out:
• Keep your device and software updated. “When a company hears about a new attack, it designs patches to fix the issue, so when you’re asked to update an app or program, please do it. That alone can solve a lot of issues,” Venaccio says.
• Use antivirus programs and spam filters.
• When in doubt, ask. Burns says if you’re not sure an email is legit, ask the sender through a new email message, a text, a call or in person. Employers would rather you ask first than just send the money.
• Watch what you post online. “Scammers can read your social media postings and use them in phishing attacks,” Venaccio says.
• Don’t click on what you shouldn’t. “This sounds odd, but it’s true. If something looks wrong, don’t click on it, hit delete. Proper cyber hygiene can go a long way in protecting your employees and company,” he says.
• Don’t reuse passwords. Create strong passwords that use at least 12 characters and include a mix of lower- and upper-case letters, numbers and special characters. Use a password manager to keep track of your different passwords.
• When a site asks you to enter personal information, make sure it has “https” in the address line. Do not use sites with invalid safety certificates, and whenever possible use a Virtual Private Network (VPN), which creates a secure connection.
• Closely check all financial and credit card statements each month to make sure there is no suspicious activity. Regularly check your credit report to make sure it contains accurate information.
“These tips won’t keep you 100 percent safe, but they will greatly help reduce the likelihood that you’ll be a victim of cybercrime,” Venaccio says.
Educating future workers
When the Northeast Wisconsin Manufacturing Alliance conducted its recent Industry 4.0 study, it asked a question related to workforce and needed skills. Cybersecurity specialists came in as No. 2.
That’s no surprise to Ankur Chattopadhyay, assistant professor in Information and Computing Sciences at the University of Wisconsin-Green Bay and founder and director of the UW-Green Bay Center of Cybersecurity Education & Outreach. Demand is high for graduates with the skills to navigate the world of computer science and security.
“Wisconsin is one of the states that lags behind regarding cybersecurity professionals,” he says. “There’s obviously a big need out there for cybersecurity specialists. By 2021, it’s expected that there will be 3.5 million jobs in cybersecurity and we’re short of that goal.”
UW-Green Bay has seen the number of students in its computer science majors double in the past five years, but Chattopadhyay says “it’s very clear all schools need to include cybersecurity as part of their technology education. It should be done throughout the K-12 system. It’s like defensive driving: You need to know how to do that, but rather this is defensive browsing and it’s something everyone should know about.”
Doug Waterman, dean of Information Technologies and Learning Innovations at Fox Valley Technical College, also sees a rising demand for students graduating from the school’s information systems specialist program.
“Cybersecurity is the electronic aspects of security, but we wanted the program to be a bit broader,” he says. “We’ve gone from zero to 190 students in three years. It’s one of our fastest-growing programs.”
Students learn a variety of skills from how to ethically hack — “It’s important to know how these guys work” — to keeping data logs — “You need to know who has access to what material and when,” Waterman says. “Our classes have a lot of real-world experience. To think, we went from one single class in this area to a whole program in less than
Beyond his work with UW-Green Bay students, Chattopadhyay reaches out to younger students and teachers to make sure they understand the basics of cybersecurity. In 2017, UW-Green Bay hosted 100 middle school students at a camp dedicated to cybersecurity, and in 2018 and 2019, middle and high school teachers descended on campus to learn everything they could about cybersecurity.
“This is really the only general cyber camp in Wisconsin. We’re also working to sustain that general cyber outreach throughout the school year thanks to a grant from Microsoft,” he says. “The NSA (National Security Agency) wants to increase cybersecurity awareness among all citizens, and these programs are one way to do that.”
The threat is real when it comes to cyberattacks. According to Gallup’s annual crime survey, 23 percent of Americans reported they or someone they know was a victim of cybercrime in 2018. In addition, Juniper Research’s Cybercrime & Internet of Threats 2018 Report estimated that by 2023, cybercriminals will steal 33 billion records.
According to Verizon’s 2018 Data Breach Investigations Report, the tactics most used in cyberattacks are:
- 48 percent: Hacking
- 30 percent: Malware
- 17 percent: Social attacks
- 11 percent: Privilege misuse
As far as who’s committing these attacks, the report says 50 percent are carried out by organized criminal syndicates and 12 percent are carried out by nation-state or state-affiliated groups.
Insight is hosting the Cybersecurity Symposium on Sept. 10 at the Red Lion Hotel Paper Valley in Appleton. FBI agent Eric Burns is the keynote speaker and will discuss the latest cyberthreats and trends and what businesses can do to protect themselves. The event includes breakfast and four breakout sessions.