If a thief breaks into a garage and steals tools or even a file cabinet, the victim probably wouldn’t hesitate to call local law enforcement to report the crime.
But if a hacker breaks into a small or midsized business’ computer network, the victim may not instinctively call the police. For some, there’s a perception that it’s not worth the hassle to report because law enforcement can’t do much about it. A victimized business also might stay silent over fears of disciplinary or retaliatory action.
Trevor Jones and cybersecurity experts at Dakota State University (DSU) hope to change that. They want to ease business owners’ concerns about reporting cyber incidents and law enforcement’s ability to investigate and solve crimes.
Jones, former secretary of the South Dakota Department of Public Safety, recently joined DSU’s staff as director of digital forensics within Madison Cyber Labs. The digital forensics laboratory, or DigForCE Lab, wants to accumulate data from law enforcement agencies to research threats and help develop investigation techniques and training for officers.
Jones was one of three featured speakers Oct. 25 at the Better Business Bureau Federation’s 2018 cybersecurity program: Insecurity in a Digital World. The BBB in South Dakota sponsored the event in cooperation with three prominent, Sioux Falls-based businesses: SDN Communications, Avera McKennan Hospital & University Health Center and KELOLAND Media Group.
In addition to Jones, the featured speakers included Chris Aeilts, a sales engineer with SDN, and Jared Ducommun, a risk management consultant with Howalt+McDowell Insurance, a Marsh & McLennan Agency LLC Company.
All three presentations at the free, two-hour program were insightful and potentially helpful for small and midsize companies. Business people in the Sioux Falls area who didn’t attend this year should plan on attending the annual program in 2019.
Jones urged businesses and individuals to report suspected cybercrimes to local law enforcement agencies, just as they would other crimes. The local agency might not be able to solve it, but they could bring in another agency. Also, the accumulation of data will help fight cybercrime.
In addition to local police agencies, state organizations that might be able to help cyber victims are the South Dakota Fusion Center and the South Dakota Division of Consumer Protection (phone 800-300-1986).
“There’s no deterrent if you don’t call law enforcement,” Jones said.
One of the executives who attended the BBB program, Korena Keys, CEO of KeyMedia Solutions, pointed out during a question-and-answer session that some businesses might be reluctant to report possible breaches because they don’t want to open themselves to legal liability or other negatives.
“We need to quit punishing the business owners. They’re not going to report it if there are significant repercussions,” she said.
Keys raised a good point and a legitimate issue. Some businesses might hesitate to report suspected cybercrimes, even though public breach-disclosure laws and regulatory standards in some industries require action.
Another challenge: some small law enforcement agencies lack the personnel or expertise to investigate cybercrime. But Jones says victims should still report the criminal activity. Give local authorities the first opportunity to investigate. They can seek help if needed and possibly build upon their own expertise.
“There comes a point there’s so many victims, you can’t push it away,” Jones said.
Ducommun talked about cybersecurity insurance, which is an emerging product for businesses. A survey of 1,141 executives across North America by the Marsh & McLennan Agency revealed some interesting conflicts in business beliefs and practices.
For example, nearly 60 percent of survey respondents considered cyber threats to be among the top five risks their business faces. However, their actions send a different message:
- Only 18 percent had a cyber incident response plan.
- Only 36 percent had a plan to train employees to recognize phishing emails.
- Only 23 percent had conducted penetration testing of their online defenses.
About 90 companies offer cybersecurity insurance, but the service is not standardized. So, buyers need to pay attention to the details of the coverage they consider, Ducommun said.
Aeilts talked about social engineering and the art of manipulation. Attacks don’t just come from electronic sources, but email is a popular vehicle. So-called phishing emails use fraudulent tactics to trick recipients out of valuable information or money.
Aeilts noted that a study by Verizon in 2017 indicated that 3.6 percent of recipients clicked through an email that contained a phishing attack.
“It’s worth your time, if you’re an attacker, to do this kind of thing,” he said. “Our goal is to get that number down.”
SDN is a leading provider of broadband connectivity and cybersecurity services for businesses in the Sioux Falls region.