Hackers made quite a bit of news in 2016, from the recent breach of a billion Yahoo accounts to potentially tilting the presidential election. What can we expect to see in the way of cyber attacks in 2017?
Barry Kelly, CEO of Kelser Corporation, a technology consulting firm based in East Hartford, Connecticut, says that while major, headline-grabbing hacks are likely to continue, hackers this year are going small. "Many companies that have very valuable data believe they aren't big enough to suffer a cyber attack. As a result, they do very little to prepare themselves. Hackers know this and target them for that reason."
A surprising 65 percent of cyber attacks are aimed at small and medium-sized businesses. Kelly identifies several industries as particularly enticing targets for hackers over the next year.
Small manufacturers, big secrets
The large defense and aerospace manufacturers have vast supplier networks of hundreds of small job shops all over the country. "These smaller manufacturers often have classified information and trade secrets that foreign entities or competitors would love to obtain," says Kelly.
Plus, with so much advanced manufacturing equipment connected to a network these days, hackers can shut down or damage machinery (in fact, the US may have done this to weapons facilities in Iran). Ransomware--when hackers lock companies out of their own data until a ransom is paid--is especially effective against manufacturers. "Having a plant shut down for even a single day can come at a huge cost," Kelly explains.
In direct response to this situation, any manufacturer in the Federal Government's supply chain is going to have to step up its cyber security game this year -- it has until December 31, 2017, to meet strict new guidelines from NIST. However, as Kelly points out, "the requirements are so thorough, it can take 6-8 months to get compliant."
The doctor hacker will see you now
"Health information is some of the most valuable data on the black market because it can be used to commit insurance fraud," says Kelly, citing small clinical practices using out-of-date systems such as Windows XP as particularly juicy targets for hackers.
Like manufacturing machinery, internet-connected healthcare equipment can be hacked. As Kelly points out, the stakes are potentially quite high: "It doesn't take a Hollywood screenwriter to imagine why you wouldn't want a hacker to remotely control a ventilator." The Mayo Clinic is leading a charge to close this gap, but the healthcare industry as a whole hasn't yet caught up with the hackers.
When you think of potential targets for cyber attacks, colleges and universities probably aren't the first to come to mind, but education is the only industry that has to deal with students hacking its servers to change grades or obtain test answers.
"Campuses have an unusually complex mix of networks and users, which can leave them open to unexpected liabilities, such as cybercrimes being committed from computer labs," says Kelly. "Universities aren't just classrooms and dorms. They're also hospitals, research facilities, and laboratories, all of which are interconnected, making their exposure to hackers greater."
Case in point: UMass agreed to pay a huge settlement in November because an information breach violated HIPAA regulations.
Hi Larry in accounting, please authorize this fraudulent transaction...
"If you work in accounting at your company, and you haven't gotten an email that appears to be from your boss asking you to approve a wire transfer that just seems odd, you probably will in 2017," says Kelly.
Obviously, hackers want money. The main way they get it isn't technical wizardry -- it's good old fashioned trickery, and they're getting better at it. "Hackers are so creative and patient these days," Kelly explains. "Breaches often go undetected for weeks or months as hackers gather information about your company, your email style, and your schedule, and then use that information to impersonate you. A lot of hacks that won't be noticed until 2017 have already occurred."
Naturally, financial advisors, investment firms, and any other business that routinely handles monetary transactions are inviting targets for this type of attack. Since it all stems from phishing (tricking folks into giving up their passwords), the best method of prevention is regular cybersecurity training for all employees.
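Training is the first line of defense against the "please approve this wire transfer" emails Kelly describes, but a mail gateway or SIEM can also flag the usual tell-tale signs before the message reaches Larry in accounting. The script below is an added illustration written for this article, not tooling from Kelser Corporation or from any vendor. It assumes a hypothetical company domain (`example.com`), a constructed executive roster, and three constructed sample messages; it checks each message for an executive's display name arriving from an outside address, a Reply-To header pointing at a different domain than the sender, a sender domain that is a near-misspelling of the company's own, and payment or urgency wording.

```python
"""Heuristic checks for executive-impersonation (wire-fraud) email.
Added example for this article; the domain, names and messages below are
constructed, not taken from any real incident."""
import email
from email import policy
from email.utils import parseaddr

# Constructed data: the company's own mail domain and the executives most
# often impersonated in payment requests (hypothetical names).
TRUSTED_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat example", "sam example"}
PAYMENT_TERMS = ("wire transfer", "wire", "urgent", "invoice",
                 "gift card", "confidential")

# Finding labels returned by analyze(); stable so callers can match on them.
EXEC_NAME_EXTERNAL = "executive display name on external sender"
REPLY_TO_MISMATCH = "reply-to domain differs from sender domain"
LOOKALIKE_DOMAIN = "sender domain resembles trusted domain"
PAYMENT_LANGUAGE = "payment or urgency language"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch examp1e.com-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True for a domain that is close to, but not equal to, the trusted one."""
    return domain != trusted and edit_distance(domain, trusted) <= 2


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> list:
    """Return the list of impersonation indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. An executive's name shown on a message from outside the company.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != TRUSTED_DOMAIN:
        findings.append(EXEC_NAME_EXTERNAL)

    # 2. Replies silently routed to a different domain than the sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(REPLY_TO_MISMATCH)

    # 3. Sender domain is a near-misspelling of the company domain.
    if is_lookalike(from_domain, TRUSTED_DOMAIN):
        findings.append(LOOKALIKE_DOMAIN)

    # 4. Money-moving or pressure language in the subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append(PAYMENT_LANGUAGE)

    return findings


# Constructed sample messages (.example and .invalid are reserved TLDs).
SAMPLE_BEC = """From: Pat Example <pat.example@webmail.invalid>
To: larry@example.com
Reply-To: pat.ceo.urgent@mail-relay.example
Subject: Urgent wire transfer - confidential

Larry, I'm in meetings all day. Please approve the wire to the vendor
and keep this confidential until I get back.
"""

SAMPLE_LOOKALIKE = """From: Sam Example <sam@examp1e.com>
To: larry@example.com
Subject: Invoice

Attached invoice needs paying today.
"""

SAMPLE_LEGIT = """From: Pat Example <pat@example.com>
To: larry@example.com
Subject: Lunch next week

Want to grab lunch Tuesday?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE),
                          ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyze(sample) or ["no indicators"])
```

Any one of these indicators on its own produces false positives (executives do email from personal accounts, and Reply-To is used legitimately by mailing lists), so in practice the findings feed a score or a "verify by phone before paying" banner rather than an outright block. The point the script makes is the same one Kelly does: the fraud depends on a human approving a request that looks routine, so the controls that matter are the ones that interrupt that approval.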
Who won't get hacked in 2017?
"I just don't see there being a silver bullet anytime soon," says Kelly, who emphasizes that internal IT staff usually need assistance from a cyber security partner to put adequate protections in place. "IT staff are generalists -- they are busy making sure that the business has the technology it needs in place to operate, and that can mean anything from backing up files in the cloud to fixing a printer. Hackers are specialists. They've made an intense study of how to bypass security measures. It's a bit like a town cop trying to defend against Ocean's Eleven. Without some help, there's just no chance they're not getting in."