Lock that data up

Loras Even of RSM US LLP discusses cybersecurity during the CBJ’s Nov. 4 Power Breakfast. At left are Kate Minette, retired general manager and head of assessment scoring at Pearson, and Tom Wilcox of Involta LLC.


By Dave DeWitte


CEDAR RAPIDS—Addressing cyber threats is an increasingly important part of every company’s risk management strategy, according to experts at the Nov. 4 CBJ Cybersecurity Power Breakfast, requiring the same level of attention as fires, tornadoes and floods.

Reports of cybercrime are on the rise in Iowa as in the rest of the nation, according to panelist Alexandra Cassar, an FBI special agent. Ms. Cassar, one of two FBI Cybercrimes Task Force agents in Iowa, said many crimes go unreported because small businesses don’t want their business partners to know about them. Some 1,454 complaints involving $2.6 million in cybercrime losses were reported in Iowa in the latest FBI crime statistics.

Most of those crimes were perpetrated using email intrusions such as ‘spear phishing,’ in which emails arrive in an employee’s mailbox appearing to be from a familiar business or person, and requesting confidential corporate or personal information for a seemingly legitimate purpose.

That data is then used to either directly or indirectly access the victim’s accounts or valuable corporate data.

“It’s definitely something we’re seeing more of, with more frequency,” said Ms. Cassar, one of five speakers who spoke to attendees at the Hotel at Kirkwood Center.

“Ninety-five percent of threats have a component of phishing in them,” said Tom Wilcox, vice president of technical services operations at Involta LLC, the fast-growing data center and hosted services provider based in Cedar Rapids. When a phishing email is sent out, 11 percent of recipients typically click on it, Mr. Wilcox said. Involta works with clients to ensure their employees learn to recognize such emails and avoid them, but even in the best-trained companies, 4 percent still open them.

Security software is available to block phishing emails, Mr. Wilcox said, but can be expensive. He said the most cost-effective strategy for companies is employee education and promptly applying the security patches released by software vendors as they become aware of vulnerabilities. He also suggested that companies send out non-invasive emails to employees to test whether they can identify spear phishing attacks.

Vendors and other business partners should be part of every business’ cybersecurity strategy, panelists said, noting that the massive 2013 data theft from retailer Target began with a security breach at a vendor. Emails from business partners are often trusted by employees, potentially leading them to open emails and respond to data requests that could be illegitimate.

State-sponsored cyberattacks originating from China were a topic that surfaced more than once in the discussion, moderated by Kate Minette, retired general manager and head of assessment scoring at Pearson.

RSM US LLP recently conducted a ‘honey pot’ operation that created a decoy target for cyber fraud, according to Loras Even, a principal in the firm’s IT and services practice. Mr. Even said the honey pot was targeted by hackers from around the globe, but the most obvious attacks originated in China. Because China requires that Internet servers be registered with its government, he said it’s possible the Chinese were trying to find out if the server was properly registered.

Mr. Wilcox said familiar patterns of cyberattacks from China indicate they are part of a strategic approach to developing the Chinese economy, by using the Internet to steal information that gives U.S. companies their competitive advantage. The data thefts appear to be from individuals hired, trained and housed by the Chinese government, he said.

When a data breach occurs on a company’s network, Mr. Even said the company usually learns about it from a third party – often a customer, vendor or even law enforcement.

“You almost have to assume the worst case,” Mr. Even said. The response required is almost always more complicated than previously imagined, he said, requiring not only identifying, isolating and removing the threat, but a series of recovery steps that can include notifying customers and business partners, and determining how to prevent similar threats going forward.

Among the precautions suggested was keeping a computer forensic expert on retainer, so that the company has someone to turn to for identifying and responding to intrusions that have taken place, because time in responding is critical.

Businesses should also look at cyberthreats as they would any other part of their risk management policy, said Max Smith, executive vice president of risk management for TrueNorth Companies. He noted that business insurance policies typically don’t cover losses from cyber attacks.

Policies indemnifying against cyber risk have been in the market about two decades now, he said, and are becoming more reasonably priced. Still, he said, they are only a “risk transfer” rather than a risk reduction, and a management strategy typically includes a package of precautions ranging from hardware and software to well-enforced security policies.

Insurance may not help with some of the worst damage from cyber attacks. Mr. Wilcox said a loss of client data to a cyberattack can severely damage the reputation of a small business, making customers afraid to do business with it.

Credit card information is a major target of cyberattacks against individuals, panelists said.

The new generation of EMV credit cards featuring smart microchips will largely eliminate the theft of credit card information at merchant locations as they become the norm over the next seven to eight years, according to Kevin Christensen, vice president of audit for the payments network Shazam. He warned that the cards won’t prevent theft in online transactions, however, as those still require that the credit card number and security code be entered and transmitted across the Internet.

Panelists strongly recommended monitoring monthly credit card balances and utilizing fraud alerts and other security protections offered by card issuers. Mr. Even said he personally uses a credit card issuer that is not his regular bank, keeps a low credit limit, monitors monthly statements and subscribes to fraud alerts.

The Cybersecurity Power Breakfast was sponsored by the Eastern Iowa Airport, with support from Involta, RSM and TrueNorth Companies.