By Tom Still

WAUKESHA – To listen to cybersecurity experts talk shop can be akin to watching
a horror film: It’s scary but you can’t seem to turn away.

They use terms such as “the dark web,” “takers,” “buyers,” “key
strokers” and “memory dumpers” to describe a world where hackers, who range
from criminals to terrorists, engage in a global search for valuable data that
can be stolen, sold or otherwise used against its owners.

These hackers may live in Ukraine, Iran, China, Serbia or a handful of
other nations if they are sophisticated “takers” who steal data – or perhaps South
Florida if they are “buyers” scheming to turn that data into cash by siphoning
financial accounts, misusing credit cards and more.

Read this commentary in the Wisconsin State Journal here.

“For less than a $200 investment and no scruples,” hackers can go into
the business of stealing and marketing personal and corporate data, said Mark
Shelhart, senior manager of forensics and incident response for Sikich LLP, a professional
services firm with offices in Wisconsin.

Shelhart was among the experts who spoke June 29 at the first Data
Privacy and Security Summit in Waukesha, where more than 100 people heard about
the risks of data breaches – and how to better protect themselves and their
organizations.

The unsettling picture that emerged during the day-long conference was
that cyber-attacks are on the rise for many reasons, some of which can be
solved by greater technical vigilance and others of which are difficult to control
in a data-driven age.

“I assume that none of my information is private anymore,” said Derek
Laczniak, who specializes in cyber liability for M3 Insurance Solutions in
Madison. Just as forensic experts are hired to track and manage a data breach once
it happens, cyber liability insurance is an option for companies seeking to
better protect themselves and their customers if data breaches occur.

About 4,400 corporate data breaches were reported worldwide in 2014,
double the number logged in the previous year. Criminals target not only
payment card information but also internal data such as payroll accounts, trade
secrets, designs and supply-chain information.

Personal health data files fetch big money on the underground market,
conference speakers noted, because they contain information needed to obtain credit
and receive services in victims’ names. Health records are most valuable for
the non-medical data they contain.

Guarding against data breaches is partly a technical problem. Solutions
include locking down systems used for outbound data, securing remote access
portals, storing as little customer data as possible and segmenting data
systems. In one major case, a system used to monitor a company’s buildings for
energy use became a back door to access customer credit card data.

Protecting against data breaches is also a human problem. Employees
fail to safeguard or update passwords. Sales personnel can be separated from
their mobile devices while traveling, sometimes just long enough for a criminal
to download valuable information. Companies that use “cloud” computer storage
systems are often victims of password-stealing attacks and scams. Although cloud
services may have tighter security than in-house data storage, the legal responsibility
for lost data usually lies with the user, not the provider.

Many companies deny they’re vulnerable, to the point of not fully
vetting vendors or failing to put data security management plans in place.
“Leading from the top on these issues is very important” for managers and
boards of directors with fiduciary responsibilities, said Gina Carter, an
attorney with Whyte Hirschboeck Dudek who specializes in intellectual property
and technology issues.

Finally, it’s a legal and public policy problem. Congress has been
unable to pass comprehensive cybersecurity legislation for a decade, a vacuum
filled by 47 state laws with varying reporting requirements, regulatory mechanisms
and criminal or civil penalties. Courts have stepped into the breach to provide
some remedies, but case law is often built slowly. Meanwhile, the Federal Trade
Commission is helping companies learn from best practices – but there is
disagreement over which federal agency should take the regulatory lead.

Glenn Schoen, a corporate security expert based in the Netherlands,
summed up the dilemma by noting companies worldwide will use seven times more
data in 2020 than they do today. Protecting that volume of data is not a
problem to be wished away, Schoen said, but addressed with stronger systems,
people, policies and plans.

“In other words, we need to be smarter than the hackers,” he said. So
far, unfortunately, the hackers are winning.