The Tipping Point

February 10, 2017

Another year done, another year begun.  Is it finally time for the world to take cyber security issues seriously?  Some would say it already does, but I’m not sure I agree.  This past year, we’ve seen some of the biggest breaches in history; for the first time ever, the issue took center stage in the U.S. Presidential election; massive vulnerabilities in the Internet of Things have finally come to light; and the number of small to mid-sized businesses attacked was higher than ever before.

Both sides of the US political system leaned heavily on cyber security rhetoric this past election:

  • The right claimed the left put Americans’ security at risk by using a private email server.
  • The left claimed the right colluded with a foreign power to hack the election.
  • Concerns about insecure electronic voting machines abounded, and even gave a third-party candidate cause to call for a recount in key states.
  • One party’s national committee emails were compromised and leaked to the public.
  • The CIA even claims that entities tied to a foreign government financed “troll farms” that spread fake news about one of the candidates.

Regardless of how one might feel about the election, the candidates, or even these claims, the fact is that this happened—these things were discussed, and at great length.  In business:

  • An Austrian aerospace parts manufacturer, FACC, was hacked and over 50 million dollars were stolen.
  • University of Central Florida’s database was breached and the Social Security Numbers, names, and student/employee ID numbers of 63,000 students, former students, faculty, and staff were lifted.
  • The United States Department of Justice was attacked by individuals angry about U.S. relations with Israel, and information about 30,000 Department of Homeland Security and FBI employees was leaked.
  • The IRS lost the personal information of over 700,000 citizens.
  • Yahoo! admitted to two data breaches from 2013 and 2014 wherein they lost the personal information of over a billion accounts, and still don’t know who did it, how they did it, or exactly what they stole.
  • UC Berkeley, Snapchat, 21st Century Oncology, Premier Healthcare, Verizon, Systema Software, Tidewater Community College, Medstar Health Inc., Philippine Commission of Elections, Wendy’s, LinkedIn, Oracle, Dropbox, Weebly, National Payment Corporation of India, AdultFriendFinder.com: the list goes on and on.

The National Institute of Standards and Technology released new guidance on how to develop secure systems for the Internet of Things.  You know of plenty of Internet-connected front door locks, garage openers, light bulbs, thermostats, security cameras, voice-activated assistants, stereos, smart watches, and automobiles out there.  Many, if not most, of them are woefully insecure.  Easily discoverable default passwords and unalterable hardwired credentials abound.  The DNS service Dyn was taken down by a botnet of over 100,000 hacked IoT devices in a recent Distributed Denial of Service attack using these very weaknesses.

This is just a sampling of some of the most high-profile events from last year.  For every one of these, there are a hundred successful attacks on small to mid-sized businesses that never even make the local news.  The effects are often even more devastating for those businesses because they don’t have the capital or safety net to deal with a harsh blow such as having money electronically stolen from their accounts, losing their clients’ sensitive information (and thus, their clients’ faith), or having their entire database encrypted and held ransom.

And yet, most small businesses are content to just trundle along, choosing not to see that their path is flanked on both sides by a chasm of heartache, and just “hoping for the best.”  Those companies that do choose to take actionable steps to secure their businesses and their future should be proud to know they stand out from the rest of the crowd.  Increasing their security profile increases the likelihood that hackers will move on to easier victims.  Additionally, they stand to increase their advantage over competitors who don’t take these steps.  Consumers and other businesses are beginning to strongly consider how capable the companies they do business with are at safeguarding their data, and rest assured, buyers will always vote with their wallets.