Heartland Payment Systems, Radisson Hotels and Network Solutions have made news because of data breaches. In 2008, 285 million records were compromised, according to the 2009 Data Breach Investigations Report by the Verizon Business Investigative Response Team.
However, the Federal Deposit Insurance Corporation (FDIC) reports that online criminals are attacking small and medium-sized businesses and fraudulently draining funds from their bank accounts.
In a recent podcast, Doug Johnson, Senior Policy Analyst for the American Bankers Association, noted that although it is hard to “get a fix on the exact number,” “law enforcement and institutions have really seen the exploit migrate from large businesses to small businesses.”
Smaller businesses may not be aware of this type of fraud or know how to protect themselves.
Johnson recommends authentication at the business customer level and educating customers about how to protect themselves.
“It starts very cagily by the fraudsters, mostly from Eastern Europe, doing some social intelligence associated with the business,” said Johnson, “so they might know who the CFO is, or they might know who someone in HR is or what have you, or in IT.”
“Then they will send an email, which might be a Microsoft update for instance, or some other thing, which that particular individual would be aware of. The CFO might get something that purportedly is coming from the Better Business Bureau, for instance, things of that nature.”
In other words, an email that looks legitimate or expected may be bait.
Recently, the Ripoff Report pointed out that two-thirds used the sender’s name to gauge whether an email was spam, 45% looked at the subject line and 22% used “visual indicators.” About 3% relied on the time a message was sent to judge if it was legitimate.
As technology improves, judging an email by visual clues can be problematic. Businesses obviously need to avoid clicking links in these emails.
“I think that it is not unusual for business customers to in their busy day not even think about the emails that they are clicking on,” he said.
Chris Novak, managing principal at Verizon Business Investigative Response Team, describes online security as a “kind of cat and mouse game” requiring vigilance over a continually evolving threat.
Mr Novak has investigated criminal and civil data breaches for over a decade.
“I think the biggest thing is the evolution of malware. We are seeing that the malware is getting more advanced, and the hackers – particularly the organized crime groups – they actually have development teams,” he said.
“Some of the malware is purposely built just for one specific victim environment, and the hackers have the capability to do that.”
Novak expresses concern that people think there are just a few types of malware that antivirus protection can handle.
“Malware is evolving rapidly with added capabilities that may frighten some people,” he said.
“The key piece is really making sure that you stay up on the latest and greatest threat information to know what you need to do to protect yourself.”
Fortunately, the recent big-name security breaches demonstrated that event monitoring and log analysis revealed what was happening in 82% of cases. To be effective, this requires a combination of people, processes and technology.
Novak expressed concern that people have developed an over-reliance on technology.
“The problem with a lot of that is, like most technology, it is pre-configured to understand certain things and detect certain threats, but for the most part it is based on what’s been programmed into it and how it has been configured.”
“In a lot of cases, you need a backup to technology of those appliances with people resources that can look at it and kind of do a sanity check on it and say ‘You know what, this doesn’t look right. Someone logged into their bank account 7000 times today, and that is probably a problem.’ Sometimes the technology picks up things like that, and sometimes it doesn’t.”
Data can be moved in and out of an environment very quickly, which is why monitoring is so important.
“The biggest breaches that we’ve ever investigated took place in 24-to-48 hours. That’s all the hacker needed, depending on how organized they were.”
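The sanity check Novak describes, noticing that one account logged in 7000 times in a day, can be run routinely over authentication logs so that an analyst sees the outliers. The Python below is an added example, not code from the article or from Verizon; the log format, account names, addresses and thresholds are constructed assumptions. It flags an account that passes a fixed ceiling and also one that stays under the ceiling but far exceeds its own history, the case a pre-configured threshold alone would miss.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed (constructed) log format: "<date>T<time>Z LOGIN_OK account=<id> src=<ip>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ LOGIN_OK account=(\S+)")

def daily_login_counts(lines):
    """Return {account: {date: successful_login_count}}; other lines are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group(2)][date.fromisoformat(m.group(1))] += 1
    return counts

def flag_anomalies(counts, day, ceiling=500, ratio=10, min_history=3):
    """Flag accounts whose logins on `day` exceed a hard ceiling, or exceed
    `ratio` times the median of that account's own earlier days."""
    alerts = []
    for account, per_day in sorted(counts.items()):
        today = per_day.get(day, 0)
        history = [n for d, n in per_day.items() if d < day]
        if today > ceiling:
            alerts.append((account, today, "over ceiling"))
        elif len(history) >= min_history and today > ratio * median(history):
            alerts.append((account, today, "over own baseline"))
    return alerts

def build_sample_log():
    """Constructed sample: four quiet days, then one day with two outliers."""
    tmpl = "2009-06-{:02d}T09:00:00Z {} account={} src={}"
    lines = []
    for d in range(1, 5):
        for acct, n in (("acct-1001", 4), ("acct-2002", 2), ("acct-3003", 2)):
            lines += [tmpl.format(d, "LOGIN_OK", acct, "192.0.2.10")] * n
    lines += [tmpl.format(5, "LOGIN_OK", "acct-1001", "192.0.2.10")] * 5
    lines += [tmpl.format(5, "LOGIN_OK", "acct-2002", "198.51.100.7")] * 7000
    lines += [tmpl.format(5, "LOGIN_OK", "acct-3003", "198.51.100.7")] * 45
    lines.append(tmpl.format(5, "LOGIN_FAIL", "acct-1001", "198.51.100.7"))
    return lines

if __name__ == "__main__":
    counts = daily_login_counts(build_sample_log())
    for alert in flag_anomalies(counts, date(2009, 6, 5)):
        print(alert)
```

The alerts are a queue for a person to review, not a verdict; the ceiling and ratio need tuning against each institution's real traffic.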