Tuesday, January 07 2020
By Michael D. White, author and freelance writer
Cyberattacks have become an almost daily occurrence affecting a broad spectrum of businesses and industries from healthcare and finance to aerospace and manufacturing with threats such as so-called phishing and malware attacks serving as the weapon-of-choice for cyber criminals seeking access to steal and misuse valuable and sensitive data. Merely having a presence online potentially puts a ‘welcome’ sign in your shop window for those who are up to no good.
In fact, according to the U.S. Cybersecurity and Infrastructure Security Agency, while it takes an average of $2.4 million and 50 days to repair a cyberattack for a large company, a small or medium-sized business could, quite literally, with costs of repair topping $200,000 and an equal amount of time, be wiped out.
Hackers currently attack every 39 seconds, on average 2,244 times a day, while security breaches have increased by 11 percent since 2018 and 67 percent since 2014, many businesses, both large and small, operate under a false sense of ‘cyber sanctuary.’
In short, the damage wrought by cybercrime is projected to hit $6 trillion annually by 2021.
A Global Threat
Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill, the cost of lost business globally was highest for U.S. companies at $4.13 million per company, the study found.
The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East.
This rapid market growth is fueled by an array of new technology initiatives, such as cloud-based applications and workloads that require security beyond the traditional data center, connected internet of things (IoT) devices, and stringent data protection mandates such as the European Union’s General Data Protection Regulation and the private-sector U.S. National Cybersecurity Alliance.
The French government has also taken a proactive approach. In late November 2019, it finalized a three-year cyber security pact with eight of the country’s leading companies—Airbus, Dassault Aviation, Thales, Safran, the Ariane group, MBDA, the Naval Group and Nexter—as major world nations step up security arrangements in the wake of recent high-profile hacking incidents. Still, instances of damaging cyber hacks remain rife. November 2019, alone saw several examples that made international headlines.
Britain’s Labour and Britain’s governing Conservative Party were both hit by back-to-back cyberattacks, just days into an election campaign security officials had warned could be disrupted by foreign hackers.
According Reuters, the opposition Labour Party was relying on a $20-a-month “basic security” service to protect its website when hackers attempted to force it offline and temporarily slowed down online campaigning. Still, after the attacks the party considered upgrading to the increased security measures used by large organizations to help ensure their websites stay online. It decided, rather, that the $60,000 annual cost was unjustifiable.
A few days later, PEMEX, Mexico’s national petroleum producer, was hit by a ransomware attack that temporarily paralyzed the firm’s computer servers and halted all administrative work. An analysis of the attack showed it was conducted by hackers using Ryuk, a ‘strain’ of ransomware that experts say typically targets companies with annual revenue between $500 million and $1 billion.
In late November, Canada’s Desjardins Group—the country’s largest federation of credit unions—released the details of a June data breach that affected all of the financial cooperative’s 4.2 million members and prompted a slate of government reforms to protect personal information in the Province of Quebec.
Montreal-based Desjardins said that unauthorized use of internal data by an employee led to breach of personal information, namely the social insurance numbers, addresses and details of banking habits of 2.9 million members.
Size Doesn’t Matter
Medical insurance provider Anthem found itself near the top of the list of cybercrime victims and made history in February 2015 when a destructive data hack in history compromised the personal records of some 78.8 million patients, or more than the entire population of Germany.
In the previous month’s issue of Fortune magazine, it was reported that a nationwide investigation concluded that a foreign government likely recruited the hackers who conducted what was said to be the largest data breach in healthcare history. It reportedly began a year before it was announced, when a single user at an Anthem subsidiary clicked on a link in a phishing email.
Using stolen credentials, the hackers compromised data that included patient contact information, names, social security numbers, emails, home addresses, and even income data, and, ultimately cost Anthem $115 million in fines and penalties.
In October 2016, Yahoo, founded in 1994 and a once dominant presence on the Internet, announced that, two years previously, Yahoo customer accounts had been hacked in one of the biggest breaches of all time. The announcement came as a bombshell as the company was in negotiations to sell itself to Verizon.
Over several years, multiple hacks had compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users, a figure later revised upward to one billion, and still later, to a staggering three billion.
In November 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
For some of the victims, only name and contact information were compromised. The attackers were able to take some combination of contact info, passport number, Starwood Preferred Guest numbers, travel information, and other personal information.
Marriott believes that credit card numbers and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
The breach was eventually attributed to a Chinese intelligence group seeking to gather data on U.S. citizens, according to the New York Times. If true, this would be the largest known breach of personal data conducted by a nation-state.
In November 2017, a pair of cyber hackers blackmailed bounties from Uber Technologies Inc., LinkedIn and other corporations in exchange for promises to delete information stolen from Amazon Web Services.
The two, one from Canada, the other from Florida, had downloaded 57 million Uber user records, including customer and driver data, from Amazon.com Inc’s cloud platform, a year earlier. Uber had agreed to their initial demand to pay $100,000 in bitcoin through a third party. Instead of reporting the cyber attack, Uber hid evidence of the theft and paid the ransom to ensure the data wouldn’t be misused.
In December 2016, the hackers demanded money from LinkedIn’s Lynda.com for a promise to delete more than 90,000 records, but stopped communicating in January as the company sought to identify them.
Later apprehended, the pair faced charges in federal court and were convicted, while Uber was fined $148 million in real dollars for failing to report the initial attack.
Small Businesses Are Hot Targets
According to data gathered by the Michigan-based Ponemon Institute, only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. A sobering 60 percent of small companies go out of business within six months of a cyber attack, while nearly five out of ten data security breaches are caused by acts of malicious intent with human error or system failure accounting for the rest.
As the most recent data shows that many small businesses don’t have the wherewithal to implement sophisticated systems to protect themselves from hackers, viruses, malware and ransomware—a reality that comes with a cost at a time when the threat of cyber piracy is on the rise.
According to a Ponemon survey conducted by in late 2018, 67 percent of 1,145 small company respondents suffered a cyberattack in 2018, compared to 61 percent the previous year with a significant majority experiencing an exploit or malware that successfully evaded their company's intrusion detection or antivirus software.
In late 2011, Abilene, Kansas-based Green Ford Sales lost $23,000 when cyber pirates broke into its network and swiped bank account info.
Monitoring the computer keystrokes of the dealership's controller, the thieves used Zeus software to remotely log onto the controller's computer, tap Green Ford's bank account with the controller's user name and password, and create accounts for nine fake employees on the company payroll in less than 24 hours.
Automotive News later reported that more than $63,000 disappeared before the company caught on. Only some of the transfers could be canceled in time.
A real estate investment and development firm, Wright Hotels had $1 million drained from its bank account after thieves gained access to a company e-mail account.
The hackers utilized a classic phishing attack in which an otherwise innocent email is used to convey a ‘worm’ to invade a target computer system.
The bookkeeper at the Memphis, Tennessee-based company responded to a phishing email purportedly sent by the company’s CEO appealing to other members of the staff to wire money to an account in China.
The phisher netted more than $1 million from the company before the attack was detected.
Efficient Escrow of California paid the ultimate price when cybercriminals nabbed $1.5 million from its bank account. The thieves gained access to the escrow company’s bank data using a form of “Trojan horse” malware. Once the hackers broke in, they wired $432,215 from the firm’s bank to an account in Russia.
That was followed by two more transfers totaling $1.1 million, this time to several banks in China. The Huntington Beach-headquartered company was able to recover the first transfer, but not the next two. They soon learned that, unlike with consumer accounts, banks are under no obligation to recoup losses in a cyber-theft against a commercial account. That meant a loss of $1.1 million.
Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.
When the company was unable to meet the deadline, it was forced to close its doors and lay off its entire staff.
PATCO Construction, a Maine-based firm specializing in residential construction, lost about $588,000 to a May 2009 cyberattack that utilized the Trojan method to access the company’s computer system.
The Trojan often looks and acts like a program the user is familiar with. Thus, they think nothing about clicking on the infected program and installing it. Once the Trojan is downloaded and installed, cyber thieves can use it to steal information.
The Trojan opened the door for the hackers to capture online banking credentials and make a series of Automated Clearing House (ACH) bank-to-bank transfers from the company’s accounts that, over a period of seven days, amounted to $345,445.
That wasn’t the only damage. PATCO also had to pay out more than $242,000 in interest on over-draft loans from its bank, according to press reports. The company eventually sued the bank for failing to provide a “commercially reasonable” security process for the ACH transfers. The firm lost, but later won on appeal.
A company providing humanitarian volunteer opportunities to travelers, Volunteer Voyages of Wilsonville, Oregon, lost $14k because a cyber crook was able to make off with its owner’s credit card number.
The owner had notified their bank that they would be traveling for work in an effort to help the bank better catch any mysterious purchases that could show up on the account should the card be compromised. Despite having notified the bank, Volunteer Voyages was not reimbursed for the loss.
A hard lesson learned—like in the case of Efficient Escrow, Volunteer Voyages found itself facing the reality that banks are not legally required to reimburse small business owners for cyberattacks that result in stolen funds.
On the other hand, a readily available and comprehensive cyber liability insurance policy can provide that protection to network security and the results of attacks on sensitive data and personal information about business strategies, employees, and clients.
Proactively Assess and Invest
Historically, most companies have taken a reactive approach to fighting cyber threats, cobbling together individual security technologies to protect their networks and data. However, this method is expensive as well as complex, and stories of devastating breaches continue to dominate headlines, indicating this approach is wholly ineffective.
With shared threat intelligence, anything one user sees, identifies or prevents benefits all other members of the shared community. More comprehensive prevention, attainable more quickly, reduces overall cybersecurity risk to something easier to manage.
In the long run, the most effective approach internal IT and security teams can take is to monitor operations in a continuous fashion, regularly conducting unscheduled system checks that can, as best practice, readily identify system vulnerabilities and implement corrective measures.
Organizations can then consider implementing a natively integrated, automated security platform specifically designed to provide consistent, prevention-based protection for endpoints, data centers, networks, public and private clouds, and software-as-a-service environments.
A proactive approach to cybersecurity is imperative. Failure to take that approach can, as in so many cases, have way too high a price and can, quite literally, result in corporate disaster.
Bio: Michael D. White is a published author with four non-fiction books and well more than 1,700 by-lined articles on international transportation and trade to his credit.
During his 35 year career as a journalist, White has served in positions from contributor and reporter to managing editor for a number of publications including Global Trade Magazine, the Los Angeles Daily Commercial News, Pacific Shipper, the Los Angeles Business Journal, International Business Magazine, the Long Beach Press-Telegram, Los Angeles Daily News, Pacific Traffic Magazine, and World Trade Magazine.
He has also served as editor of the CalTrade Report and Pacific Coast Trade websites, North America Public and Media Relations Manager for Mitsui O.S.K. Lines, and as a consultant to Pace University’s World Trade Institute and the Austrian Trade Commission.
A veteran of the United States Coast Guard, White has traveled in both Japan and China, and earned a degree in journalism from California State University and a Certificate in International Business from the Japanese Ministry of Trade & Industry’s International Institute for Studies & Training in Tokyo.