Mitnick In The News
Hacking stats are frightening
Jul 3, 2016 - Fosters, by MJ Shoer
I write a lot about information technology security and I do so to try to educate the public, especially business executives and their teams, about the threats we face every day. My hope is that something I write will help a business avoid being victimized by a hack or worse, a breach of confidential data.
Last week I attended an annual technology conference that focuses on the tools that companies like mine use to help other companies efficiently manage their information technology infrastructure. This event has a more technical focus than most, and to no surprise, security was front and center.
The event was keynoted by Kevin Mitnick, the man widely regarded as the world’s first convicted hacker. After a public pursuit by the FBI, he was arrested in February 1995 and ultimately sentenced to prison time. He served five years, including time in solitary confinement because the judge was convinced he had the capability to start a nuclear war over the telephone by whistling into it. Sound familiar? It’s a bit like the movie War Games. That was over the top, but back in 1995 a lot about hacking was still unknown.
Today is different and we know hacking takes place every day. One of the most telling comments during Kevin’s keynote address was his statement that his firm has been 100 percent successful in hacking into companies using social engineering techniques. Social engineering uses influence, deception and manipulation to get someone inside your company to take an action that gives the hacker access to your computer network. Interestingly, he said that human resources and sales departments are the most often hacked because they are the least aware of computer security.
A few weeks ago, I wrote about the need for companies to educate their teams about computer security and test them for their awareness of threats, including social engineering. This keynote speech validated many of my thoughts and recommendations in this arena, both in my articles and my daily work with organizations of all sizes. In fact, Kevin Mitnick is chief hacking officer of a company called KnowBe4, which specializes in computer security education and testing. It’s also a reason why my company spends a lot of time and resources educating our clients and the public about information security issues.
Another statistic that raised many eyebrows was that 80 percent of U.S. businesses have been hacked and most don’t even know it. Hacks that in the 1990s were considered misdemeanors and carried relatively light penalties are today often felonies, so the judicial system has certainly kept abreast of the nature of computer crime. The key question is: have you?
Most people think hackers are after credit card numbers or other similar information for financial gain. The reality is that most hacks are not motivated by instant financial gain. The vast majority are done simply because they can and often to cause embarrassment to the hacked entity.
The most common reasons breaches happen are mistakes, stupidity, intentional targeting, unintentional targeting, employee mischief and simple theft. Stupidity is often considered the number one reason. While it seems harsh to say that, one of the best analogies I have heard is the label on a dishwasher door, visible when the door is open, that tells you not to stand on the open door. Who would do that? Apparently enough people that this label was mandated on all dishwashers.
In the same vein, people click on things they shouldn’t and visit websites they shouldn’t all the time and then try to say they didn’t after they have been infected. In the technology world, there is a rather lame joke that goes, there’s no patch for stupid. It’s sad, but true.
The good news is that we can all take steps to address this and help our teams be more educated about what it takes to keep our companies and our companies’ data safe. In order to carry appropriate cyber insurance coverage against these risks, more and more carriers are requiring that you have education and testing programs in place. Simply stated, firewalls and anti-virus are no longer enough. There is not an anti-virus program on the market that cannot be defeated. Don’t lose sight of that.
All but three states have data breach laws, and none of those three is in New England. South Dakota, Alabama and New Mexico are the states without robust data breach laws on their books. Be sure you know what your state law requires of you and be sure you are taking steps to address those requirements. The last thing you want to be accused of is gross negligence in protecting your computer systems and data.
Information technology security today is about layers. It’s not enough to just protect your perimeter. You want to be thinking about your software applications, your data, how many places that data may be found, whether the data is encrypted, your users, the physical network, your policies, processes and culture, and your response posture in the event you are hacked. It’s daunting, but it’s also manageable. The key is not to panic, especially if you think you have been hacked. There are plenty of qualified business partners that can help you address your information technology security needs. Seek them out and engage with them. You’ll be glad you did.