Ramifications of global cyber-attacks: A focus on small business
On May 12, tens of thousands of people from London to St. Petersburg logged on to their computers and saw messages stating that their computer files were now encrypted and that those files would be deleted unless they paid. The WannaCry malware attack has since hit over 200,000 computers in more than 150 countries. The attack appears to have been thwarted by private cybersecurity researchers who identified and triggered the malware’s kill switch, which halted the attack before it spread throughout U.S. networks, but it is clear that a modified attack will be launched soon.
Microsoft had released patches in March, but users who had not patched their systems were vulnerable. Microsoft released a statement on May 12 that stated "today our engineers added detection and protection against new malicious software known as Ransom:Win32/WannaCrypt." Microsoft said they were working with their customers to provide additional assistance. Cybersecurity experts believe that the attack was carried out by building upon tools that were first developed by the U.S. National Security Agency for targeting terrorists and foreign adversaries.
Cyber crimes are not only affecting big business; they are increasingly targeting small businesses, non-profit organizations, and public health and safety organizations that are more vulnerable, have invested less in cybersecurity programs, and are compromised by ransomware at a higher rate. Often, midsize and small businesses think they are "under the radar" and therefore don’t prioritize their cyber risks, which makes them a prime target. No matter the size of the business, there is a need for better communication between staff and management about the execution of cybersecurity policies, procedures, hardware, and software, and about the damage a breach can do to the company, its customers, and the bottom line. Various studies done over the past two years show that the discussion of cybersecurity is still largely limited to a company’s executive team.
Staff also need to be educated on the seriousness of the security threats, the ever-changing landscape, and the allocation of adequate resources to protect systems. In 2012, the FBI issued an alert to warn small and midsize businesses about cyber criminals hacking into company computers, gaining access to authorized individuals’ online banking logins and passwords, and then sending wire transfers to Chinese companies near the Russian border. Between March 2010 and April 2011, the FBI detected 20 such incidents. The attempted fraud amounted to $20 million, with actual losses totaling $11 million.
Globally, cyber-attacks are estimated to cost businesses over $450 billion a year, including direct damages and the subsequent disruption to the normal course of business. Though courts remain reluctant to hold companies, their officers, directors, and executives liable for data breaches or cyber-attacks, most cybersecurity experts believe they will do so in the near future. While the limits of legal liability for a cyber-attack are still unclear, the aftermath of recent cyber-attacks continues to demonstrate that the financial and public safety consequences can be drastic.
The risks businesses face relative to the loss of personal data depend on whether they act as a data controller or a processor of that data, and on the obligations they have under their country’s data protection acts. With malicious software easily available for download from the internet, the number of potential attackers has grown exponentially. Hacktivists have attacked businesses across a range of sectors because of activities they disagree with.
Common methodology by attackers: Phishing
Phishing is the attempt to acquire sensitive information such as user names, passwords, or credit card numbers by masquerading as a trusted entity via electronic communication. Digital vandalism includes denial of service (DoS) attacks, viruses, or other types of malware, often intended to simply disrupt a business. Cyber-crime has become an unfortunate aspect of the information age because information can hold greater value than goods or cash.
Costs to small businesses
Cyber-crime is on the rise and small businesses have become a prime target for phishers, with incidents more than doubling over the past five-year period. Many phishing attacks have targeted employees who have responsibility for company finances. For example, phishers send email messages to these employees and hope that they are opened so that they can gain access to the company’s financial information.
For a small business, a breach of customer information can quickly send the company’s operations into a downward spiral or put it out of business. A single incident can damage a company’s reputation and result in unrecoverable losses, with nearly 50% going out of business within six months of an attack. Small businesses are still focused on meeting minimum compliance requirements to stay in business, because their attention is on maintaining their small margins through growth rather than setting aside sufficient funds to absorb the cost of a security breach.
With innovation driving changes in software, as well as increased competition, small business owners no longer need to spend six figures to get a risk assessment; cyber risk evaluation in real time is now available to collect and analyze data to detect potential threats, consider current security measures, and allow for immediate action to be taken in the event of a breach.
Business owners must be cognizant and continuously plan for:
- Business lost during the attack and recovery period while executing corrective actions. Having a plan to protect against and respond to an attack is only part of the solution; plans need to be constantly re-evaluated to ensure they remain applicable and compliant with regulatory requirements and the changing legal framework.
- Loss of company assets, including banking information, strategies, proprietary information, and customer information.
- Damage to reputation that is unquantifiable, such as being blacklisted by search engines.
- Due diligence. Legal woes that can be costly and time-consuming.
- Investments in cybersecurity measures. Prevention efforts and enforcement of basic policies are key.
Though we may perceive stolen data to be the major consequence of cyber-attacks, there are other devastating consequences. Industries such as oil & gas, utilities, chemical processing, and transportation rely on industrial control systems (ICS) that operate equipment to manage critical processes used daily by consumers. Compromise and manipulation of an ICS can have catastrophic consequences for public safety, health, the environment, and the overall economy. Many small businesses provide services and products to the control systems commonly used in the electrical power, oil & gas, chemical, and manufacturing industries; from panel builders that may do the initial PLC programming to emergency field support technicians who bring their own laptops to troubleshoot a company’s equipment in a major process, all of these now become vulnerability points.
With more frequent and consequential attacks on critical infrastructure networks, more effective operational cyber solutions are required that aggregate, analyze, and correlate various sources of data across multiple platforms into a near-real-time visualization that depicts emerging potential threats. Organizations have to look beyond themselves to collaborate and to assess the impact of a cyber-attack on their corporate partners, suppliers, and vendors. The complex systems of interacting devices, networks, organizations, and people that facilitate the productive sharing of information are quickly becoming as much of a threat as they are a benefit.
Data protection: U.S. sectoral approach
The United States follows what is referred to as a sectoral approach to data protection legislation. Under this approach, data protection and privacy rely on a combination of legislation, regulation, and self-regulation, rather than on governmental policy alone. Since the 1990s the U.S. has followed a policy geared toward allowing the private sector to lead the way in data protection. This means that companies should implement their own policies and develop their own technology, and individuals should prevent the dissemination of their private data. Pursuant to this policy, the U.S. has not developed any comprehensive federal data protection law.
European data protection laws
The European Union, on the other hand, has a unified data protection law, the Data Protection Directive. This directive regulates the processing of personal data within the EU and is an important component of the EU’s privacy and human rights law. However, recognizing the need to modify this law to deal with globalization and technological developments, the EU prepared a General Data Protection Regulation (GDPR) that supersedes the Data Protection Directive; the regulation was adopted in April 2016, with a two-year transition before it applies in 2018.
About the author
Anil Gosine has over 18 years of construction management, operations, and engineering experience within the industrial sector, with a primary focus on electrical, instrumentation, and automation processes and systems in the U.S., Canada, and Central America. He has been heavily involved in the utility industry for over 11 years, engineering, implementing, and managing a wide range of projects and utilizing a wide array of products and control system technologies within this industry segment. Anil is an active member of several professional organizations and independently participates in industry forums and technical committees for infrastructure development, industrial automation design and implementation, data analytics, and cybersecurity processes. Anil is the global program manager for global industrial projects with MG Strategy+ and leads the Strategic Efficiency Consortium Security Workgroup, with a specific focus on cybersecurity metrics, threats, vulnerabilities, and mitigation strategies for ICS and on security intelligence and analysis.