Cybersecurity expert: Health care, legal businesses are particularly vulnerable to attacks

Dean Sapp presented information to attendees of a cybersecurity seminar. Photo by Sharon Fisher.

Small- to medium-sized businesses are increasingly at risk of being hacked, but they can protect themselves.

The Federal Bureau of Investigation gets a “handful” of calls every week from the Boise area about cyber attacks, said Clark Harshbarger, an FBI special agent in Boise. Harshbarger attended a May 31 seminar organized by Zions Bank and presented by Dean Sapp, chief information security officer for Braintrace, a Salt Lake City security company.

Sapp told representatives from a couple of dozen Idaho businesses that 58 percent of the data breaches in 2017 happened at small- to medium-sized businesses. He predicted that attacks against small businesses would increase as larger businesses take a more active role in protecting their data assets.

Sapp said the attacks cost businesses money, data, and the trust of customers. Sixty-five percent of customers said they lost trust in a hacked organization, while 31 percent discontinued their relationship with the organization, he said, citing a study from the Ponemon Institute.

Health care and legal organizations are particularly vulnerable because they hold a large amount of personally identifiable information, Sapp said. Hacking Boeing’s law firm is typically much easier than hacking Boeing itself, he said. Medical records, in particular, have enough information in them to let hackers create credit accounts, he warned.

Physically securing devices such as laptops, computers, and even printers and scanners is also important, Sapp said. Printers and scanners typically have hard disk drives that store images of the pages printed or scanned with them, he said. When such devices are serviced or discarded, the hard disk drive needs to be wiped or destroyed, he said.

The first step: Get a “threat assessment” to determine vulnerabilities, and then follow the recommendations, Sapp said. Then, don’t rely on your company’s overworked IT department to protect you. He related the story of one organization that was two years behind on installing security patches. “If somebody tells you that your web page isn’t very safe, look into it,” he said.

Organizations should also adopt some sort of security framework, such as the one offered by the National Institute of Standards and Technology, Sapp said. This helps businesses keep track of the tasks they need to do to keep their computer systems secure. Companies should also secure their email and their passwords, which are common vectors for attacks. Once an attacker gets into a victim’s email, they can download every message and gain access to all that data, he said. In addition, an attacker can use email to change the passwords to other systems and lock the owner out of those systems, noted attendee Brett Adler, chief technology officer of Retrolux, a Boise company that writes software for electrical light distributors.

Passwords don’t need to be overly complex, so you can ditch the numbers and odd capitalizations and punctuation that can make such passwords hard to remember, Sapp said. Instead, it’s simply a matter of length – the longer the better. An eight-character password can be hacked in about a second, he said. He also recommended that organizations use two-factor authentication, such as the authenticator software provided by software vendors like Google and Microsoft, which uses a smartphone to help prove the user’s identity.

And if your business does get hacked? There are steps for that, too, Sapp said. In that case, talk to your legal team, talk to your insurance representative (he recommended specific coverage for cyber breaches), follow your incident response plan if you have one, consider hiring a specific incident response firm through your legal department, and file a report with the FBI, which might be able to recover any money lost, he said.