Not too long ago, security meant locking the home or office to keep out potential intruders. Today, intruders can break into a home or office computer and do just as much damage by stealing financial information and company secrets.
Vermont isn’t immune, as data breaches have become more common. Businesses in particular are favorite targets of hackers and cybercriminals.
John Burton, a South Burlington computer security expert, said cybersecurity is more problematic for small businesses that don’t have additional resources to invest in cybersecurity.
And, because larger businesses are more secure, Burton said cybercriminals target smaller businesses that are vendors to bigger businesses, hoping to find a backdoor.
“So, you see this phenomena where the smaller businesses are under more attack these days,” said Burton, president of Stormseye Associates, which advises company executives on cyberattack prevention and response.
Today, he said, cyberattacks are more sophisticated and harder to detect.
Burton said many of the attacks are taking the form of social engineering, “in trying to get people to do what they shouldn’t do.”
He said an often-used tactic is trying to get someone to reply to a spam email or click on a malicious link in a message that infects the computer.
M.E. Kabay is a professor of computer information systems at Norwich University. Norwich University, considered a leader in cybersecurity, is the recipient of $7.3 million in federal grants for cybersecurity education. The grants were announced this month by Sen. Patrick Leahy.
Kabay said attackers often send emails that carry “a sense of alarm” in an attempt to trick the individual into responding.
“That’s usually a giveaway,” he said.
He said small businesses are vulnerable to automated cyberattacks that cast a wide net.
“So, even small businesses can easily fall prey to email-centered attacks, and that’s an element of security they have to be aware of,” Kabay said.
He said government agencies like the IRS or law enforcement will never send threatening emails.
According to the 11th annual Verizon “Data Breach Investigations Report,” there were more than 53,000 incidents and 2,216 confirmed data breaches worldwide.
An incident is defined as a security event that compromises the integrity, confidentiality or availability of an information asset.
A breach is considered to be an incident that results in the confirmed disclosure of data to an unauthorized party.
The report found that small businesses make up the largest group of victims — 58 percent of all data breaches. Health care organizations comprised 24 percent of data breaches.
Rutland Regional Medical Center recently announced that an “unauthorized actor” gained access to nine employee email accounts. Affected patients of the hospital were notified, as was the state. The email accounts contained personal information used in the billing process.
In a letter to patients, RRMC said it could not confirm whether any personal information was actually “assessed, viewed or acquired,” but was notifying patients “out of an abundance of caution.”
The Vermont Attorney General’s office lists security breaches and incidents on its website (https://ago.vermont.gov/blog/category/security-breaches/).
Awareness and developing a plan is the first line of defense in combating cyberattacks, said John Quinn, the state’s chief information officer, who heads the 400-member Agency of Digital Services.
Quinn said the cost of a data breach can be significant, estimated at $233 per record, which can add up for a small business that has 10,000 records.
He said the cost could range from hiring cybersecurity experts to determine the cause of the breach and response, to legal costs and paying for credit monitoring reports for affected consumers.
With threats becoming more sophisticated, state government continues to invest in cybersecurity to stay on top of those threats.
“We provide security, networking, desktop support, application support to all the executive branch agencies and departments,” Quinn said.
Quinn’s agency is also working to educate municipalities on improving cybersecurity. He said Scott has assembled a cybersecurity advisory team to better educate residents and businesses.
Working its way through the Legislature is a $2.3 million cybersecurity funding request that would pay for equipment upgrades to the state’s computer system, Quinn said.
Kabay said one of the best and least expensive lines of defense in case of a breach is for a business to back up its data.
He said “too few” businesses have a data backup stored on an external drive.
“Backups are cheap, but they can save you untold pain,” he said.
He said having a backup is especially critical if the business is a target of a ransomware attack, where the attacker encrypts the data on the victim’s computer and holds it for ransom.
“A ransomware threat can cripple a business all at once, and you’re left with either hoping that you have a good backup of your system, or paying the ransom,” Quinn said.
Having anti-malware software installed on computers, tablets and smartphones for all employees is another critical measure, Kabay said. He said anti-malware programs should be set to update automatically.
Kabay and other security experts continue to beat the drum on the importance of strong passwords that can’t be easily guessed or hacked.
He also recommended that businesses use a password manager, a program that stores and generates new passwords randomly.
He said it’s important for each employee to have a unique ID and password to access the business’ system, as a shared ID or password can lead to problems.
“The problem with that is, if three people are using the same identification and same password to access the system, it becomes very difficult to identify which of them either innocently made a mistake … or which of them has gone bad and is deliberately doing something wrong,” he said.
Burton said cybersecurity can be done on a shoestring. He said one of the keys for a small business is employee training.
“It really comes down to teaching the employee to be suspicious and careful when using resources like your email and when you’re browsing,” Burton said.
Kabay’s website (http://mekabay.com) has a number of cybersecurity resources that can help businesses and individuals.
Burton added that the Small Business Administration and government agencies have resources available.