The State of Cybersecurity: Hackers Are Having 'Breakthrough Levels of Success'
We're not even halfway through 2014, and already it has been an incredibly trying year for cybersecurity experts. If it feels like data breaches are happening all the time--from the Heartbleed bug, to last week's FBI announcement about five Chinese military officers who hacked corporate secrets, to eBay admitting that a "large amount" of their 148 million customers' data was swiped two months ago--that's because they are.
Patrick Peterson, the founder and CEO of San Mateo, California-based email security firm Agari, says foreign hackers are a constant adversary for firms like his. "If you look at the indictments of the Chinese military, that is perhaps the worst-kept secret in the security community--that a number of foreign-state actors have sophisticated teams who do battle with us every day in cyberspace," he tells Inc.
Recently, Peterson's firm released a report, the Agari Q1 2014 TrustIndex, that revealed how weak security standards against email attacks are plaguing U.S. companies. Out of 133 companies surveyed, 100 of them were categorized as "easy targets." Among the 11 industries Agari rated, the greatest increase in ThreatScore (a measure based on how many malicious emails are sent to a company's domain) was in the travel industry, which rose by 400 percent from the previous quarter.
See below for Peterson's take on the state of cybersecurity.
Inc.: What has been the mode of attack lately?
Patrick Peterson: What we're seeing the most in Q1 is these blitzkrieg-like email attacks. Back two years ago, criminals used to collect some assets, go after an attack, and run it until it didn't work anymore. Now, they'll spend weeks perfecting the attack, invest in four or five pillars of that attack--creative email, a creative landing page, taking over legitimate servers so their emails come from trustworthy sources, perfecting malware in the way it gets downloaded.
They have multiple teams working on this and instead of rolling it out constantly and seeing what kind of success they had, they wait until they're all lined up and ready to go to market, if you will, and basically launch this blitzkrieg rollout. They do this because they know there's a half-life on their attacks as people figure it out, so this blitzkrieg makes it so [they] do the most amount of damage in the least amount of time possible. They basically run through the defenses before anyone can figure it out.
Are we seeing historic levels of hacking?
PP: I think it is an evolution, but we are seeing breakthrough levels of success by criminals in foreign states that have not ever been seen before. The phenomenon of criminals from foreign states getting access to data is not new, [but] their success in doing it and what they do when they have that data is truly revolutionary. In the past, they would hit Target and steal some encrypted credit card information. Now they are getting to a point-of-sale terminal and getting the credit card information in the 10 milliseconds before it's encrypted permanently and irrevocably. Those are the types of things that aren't just evolutionary. Once they succeed and have ecosystems and data synthesis going on, they're now able to do far more damage than they could've before.
For businesses, what's the impact?
PP: Most of the crime is financially motivated. We see two elements: the actual financial loss and brand damage. Target suffered no financial loss in the big attack. If you take a Target credit card and run up $10,000, that's between the criminal and the bank. Target has no liability. Despite that, Target will run up a multi-hundred-million-dollar cost for the investigation, the lawsuits, and for the compensation for the organizations damaged. So we see a significant financial loss, even if it's not a direct cost to them.
Most businesses that are successful can absorb these costs. But even worse, the brand damage and the reputation costs and loss of customers and customers' trust will take years to repair. If you look at the most recent cybercrime story, eBay said the criminals got access to their customer database encrypted, which dramatically limits what the criminals can do. But most people in the U.S. have no idea what that means and will think before they use eBay to do business. The acquisition of that customer and the buildup of customer trust, which allows you to do business at scale, can be easily lost from a data breach, and that is something irreparable in a short-term period.
Will customers know if there's been a breach?
PP: In the majority of cases, you would absolutely not know. You would click on your British Airways, UPS, Booking.com itinerary, call your wife while you're clicking on the email to open it up and say, "Did you book us a trip to the South of France?" and nothing would happen. Call your credit card with the ticket number and they don't have anything either. In general, you won't know if the criminals extracted information or any other details about what they're up to. There's one exception, which is a new flavor of malware that came out September of last year called CryptoLocker. You click and then the next day a message will pop up and say, "We've encrypted your hard drive. Give us $400 in Bitcoin if you want it back."