Twenty-five years ago, hackers needed advanced skills as well as motivation to successfully attack businesses on the internet. Online criminals almost needed the equivalent of a master’s degree or a doctorate to be successful.
Today, all they need is motivation. They can buy whatever tools they need to anonymously disrupt programs or possibly steal valuable information.
“You don’t need the skills. You don’t need anything else. You just need motivation,” Jay Patel, a supervisory special agent with the FBI, advised about 225 business people in Sioux Falls. “It’s a target-rich environment. The tools are out there. All they need is to want to achieve this purpose, and they can do it.”
Patel was one of the featured speakers at the Sioux Falls Cybersecurity Conference, which was held March 27 at the Holiday Inn City Centre. The regional conference was hosted by the Sioux Falls Area Chamber of Commerce and the U.S. Chamber of Commerce.
SDN Communications, the premier, regional provider of broadband connectivity and cybersecurity services for businesses, was the lead sponsor of the event.
National and local cybersecurity experts provided representatives of small and midsized businesses with troubling examples of successful hacks and good advice to help protect networks.
Hackers often exploit known vulnerabilities in software as weaknesses are discovered and publicized. So Patel stressed the need for companies to apply software patches promptly and keep protective equipment up to date.
“You must have the most current version running on all your systems if you’re connecting them to the internet,” he said.
Patel also encouraged businesses to make use of tools such as the NIST Cybersecurity Framework. NIST, which is short for the National Institute of Standards and Technology, is a federal agency that worked with businesses to develop flexible guidelines to help companies improve cyber risk management and protect the nation’s critical infrastructure.
ISO/IEC 27001 is a security standard that also can help businesses improve their security posture. It’s a certifiable standard published by the International Organization for Standardization and the International Electrotechnical Commission.
Patel also stressed the value of public-private cooperation. He urged regional businesses to participate in InfraGard, which is a collaborative partnership between the FBI and members of the private sector. Members are vetted. They benefit from information such as threat advisories from federal agencies, intelligence bulletins and vulnerability assessments.
Several speakers at the conference stressed the need to strengthen what is generally considered the most vulnerable point of any business network: the people who have access to it.
Security technology is a critical part of cybersecurity, and equipment can become outdated or fail. Even so, the easiest way for hackers to get into a protected network is to be ushered inside. So, employees at many businesses are under constant attack from criminals trying to trick them out of sensitive information or encourage them to click on tainted links.
“We’re only one or two clicks away from being PWNED on a daily basis,” said Chuck Cinco, chief information security officer at PREMIER Bankcard. Ransomware, Distributed Denial of Service attacks and data theft are common threats.
Cinco stressed the need to engage employees in relevant, dynamic, ongoing training, and to hold sessions much more than once a year.
Ryan Manship, vice president of Redteam Security Consulting in St. Paul, said that businesses need to pay attention to the physical security of their networks, as well as to the effectiveness of their equipment and the awareness of their people.
Redteam Security’s flagship service is called “redteaming,” a practice in which a team of ethical hackers secretly infiltrates and tests a company’s physical, technological and human layers of protection. Often, the simulated attacks become a matter of figuring out employees and how to work around them, Manship said.
“People, statistically, are the weakest link,” he said.