Business owners should expect to face a cyberattack. The only question is when it will happen and how to prepare, according to industry professionals.
Businesses are growing increasingly reliant on technology, but new technology brings new risks. Several businesses now face thousands of attacks every day.
“If you’re not worried about a hack, get worried,” said Brad Frazer, an attorney at Hawley Troxell.
Frazer spoke at an Idaho Technology Council cybersecurity conference March 1. Like other speakers, he said cyberattacks can hurt a business in different ways. Phishing attacks compromise confidential information, denial-of-service attacks freeze services, and other hacks steal trade secrets. And hack victims can be sued, Frazer said.
“Talking about a hack may seem like an academic exercise – until you get sued either for negligence, breach of contract from a non-disclosure agreement or your shareholders are suing you for the loss of trade secrets decreasing share value,” Frazer said. “It isn’t necessarily what happens during a hack that kills your business, but what happens after.”
There can be severe consequences during an attack as well.
Hackers have successfully gained access to Idaho Power’s system eight times in the last year. Each time, the hacker was quickly isolated and blocked from further access by Idaho Power staff, said Dick Garlish, compliance risk and security manager at Idaho Power. He said there have been 10 million attempts to breach the corporate system since 2011.
Failure to stop any one of those attempts could have resulted in power loss to thousands or the loss of valuable state infrastructure, said Zachary Tudor, associate lab director of national and homeland security at the Idaho National Laboratory.
Computer scientists at the Idaho National Laboratory test computer systems by hacking into them to find weak areas, Tudor said.
“(The INL and the U.S. Department of Energy) were responsible for the first full-scale test that showed exactly what a cyberattack could do to automated systems and electrical grids,” Tudor said.
“We performed a cyberattack that wasn’t your typical malware or anything. What we did was cause the machine to misuse its features in a way that would destroy the system while making it look like an accident,” he said. “It was the first large-scale demonstration of what could happen to critical infrastructure during an attack.”
The INL has since installed a power grid on its own land to help Idaho utilities improve their security measures, Tudor said.
“Threats are changing all the time,” Garlish said.
Small and medium-size businesses need to work on their security, too, said Matt Klinger, vice president of Fiberpipe, who spoke on a panel at the conference.
“You have to prepare for the worst because it is going to happen,” Klinger said. “Put yourself in a position where you can mitigate those attacks when they do happen.”
To lower the risk of lasting damage, companies can limit the number of machines on their network, make sure leaders and workers use proper password practices, and develop a protocol for verifying email accounts that request specific information such as employee records. Many successful cyberattacks, including several recent ones in Idaho, have been the result of human error.
Companies shouldn’t stop after taking simple measures, said Kevin Andrews, vice president of technology at Wells Fargo.
“Cybersecurity isn’t about a technical job; it is about risk management,” Andrews said. “You can lower 80 percent of your exposure if you think of it as risk management and you think about how you cover your other risk areas such as financial risks.”
“As we move forward, I imagine we will talk just as much about what technologies we don’t want to use as the technologies we do,” Garlish said. “We have several computer systems capable of talking to each other, but we don’t turn them on because that just opens more doors for access.”