It’s a topic that has affected presidential candidates, big-box stores, universities and government agencies, and it’s even touched the VSCPA. October was Cyber Security Month, both in the United States — where it was recognized by President Barack Obama — and abroad. And that’s fitting, because it’s truly a global problem.
With the United States’ National Cyber Security Awareness Month having drawn to a close, here’s an overview of the biggest trends in cybersecurity (we’ll write it as one word the rest of the way) and some ways you can protect yourself.
Making a list
Technology outlet ZDNet analyzed and categorized cybersecurity predictions heading into 2015, and the top two results were telling in terms of the industry that hacking and prevention have become. The top two items in the analysis were “New attack vectors and platforms” and “Evolution of existing cybersecurity solutions — in other words, new ways to get past security systems and new ways to shore them up.
“It is an arms race. Unfortunately, the exploits of the hackers are one step ahead of the methods that we put in place to defeat them,” said VSCPA member Adam Chaikin, CPA, president and CEO of Thought2Execution, a Vienna-based project management and enterprise resource planning firm. “I think that the level of sophistication on these hacks has become so significant because the sponsorship of the hackers has moved from renegade clubs of individuals to nation-states that are using this as a form of cyber-warfare.”
The presence of sovereign nations as the “black hats” in the cybersecurity war is on the rise. Both sides of the Russia-Ukraine conflict were hit by cyberattacks in 2014, as were Hong Kong and Israel during other sensitive periods. The spread of technology and broadband Internet around the world has created a cottage industry of cyberattackers in countries like Russia, Brazil and India.
Cybercriminals in the Romanian town of Ramnicu Valcea have become so successful that the town is now known as “Scamville.” While the Romanian perpetrators tend to focus on individual victims rather than mass dumps of user data, the town’s prominence in the cybercrime world illustrates the problems that can take root in countries with large tech-savvy populations and lax law enforcement.
The human element
The issues in Ramnicu Valcea show that greatest threat to most cybersecurity systems remains individual users. Easily guessed, reused passwords and social engineering from bad actors all contribute to weaken safeguards in access to systems.
“To this day, even with the advice that’s published on a regular basis, the greatest weakness in the whole chain of security is easily guessable or easily hackable user IDs and passwords,” Chaikin said. “The poor compliance of employees is one of the biggest contributors to exposing an organization to an attack.”
Fortunately, there are tools available to help individuals keep their data secure. Chaikin currently uses a password tool called Roboform to enter his user ID and password into login screens without touching a keyboard, preventing keystroke logging tools from recording his password.
Other advances have come on the business side — notably “Chip-and-PIN” credit and debit cards that generate a unique code each time the card is used, preventing hackers from gaining access to crucial information. And biometric security has become affordable enough to enter the consumer space, debuting on Apple devices with the launch of the iPhone 6.
Another individual advance is the rise of two-factor identification, employed by Google through the use of randomly generated numbers generated by an individual’s smartphone. Your password is the first factor, and the second could be the aforementioned number, a device you have or unique biometric data. Even entering your ZIP code when using your credit card at a gas pump is an example of two-factor identification.
And what’s more than two-factor identification? Three-factor identification. That’s the next step that some companies have already put into place by requiring personal information for identity verification.
“The level of sophistication that can be achieved through the use of knowledge-based verification has vastly improved over the last few years,” Chaikin said. “For example, by accessing databases that have information about you, to ask questions that can only be determined by accessing multiple facts about you at one time can create a secure environment.
“Instead of being asked what school I attended, it asked me what the mascot was of the school I attended. It requires a higher level of thought to put that combination of those facts together, and by that consequence, is more secure.”
Of course, that’s just Chaikin’s way of securing his own data. But what happens when security is outside a person’s control?
The story of 2014 was the tale of breaches of consumer data. The major hits included:
Home Depot (56 million card records and 53 million email addresses in two separate breaches)
Community Health Systems (4.5 million patient records)
Michael’s craft stores (2.6 million card records)
Staples (1.2 million card records)
JP Morgan Chase (financial information for 1 million users)
Even the VSCPA has been touched by such issues, albeit indirectly. In December 2013, restaurants located inside the Downtown Richmond Marriott suffered a card data breach during a time period when it hosted a VSCPA event.
While protection and constantly updating technology are vital for businesses, how they handle a data breach can be just as important.
“The main factor for consideration when the system is breached is that time is of the essence,” Chaikin said. “Organizations should have a plan that should be rehearsed ahead of time to handle these types of situations. The importance of that is to make sure that the first few steps that are taken don’t corrupt any information that would be vital to authorities who are investigating the breach.
“Secondly, you want to try to evaluate if the hacker has left any alternative, but dormant, ways to access the system. If they came in originally with plans of coming back, you want to be able to validate that there are no fictitious user accounts where that individual also has the credentials of that fake individual.”
And sadly, a strong plan for a data breach isn’t just a useful safeguard. Chances are you’ll have to use it at some point.
“It’s somewhat of a defeatist attitude, but I think people’s security will be breached online,” Chaikin said. “It’s not a matter of if, but rather a matter of when.”