date 2021-09-20
From the fiscal to the physical, hackers and cyber criminals pose a potential threat to everything from bottom lines to power lines, and U.S. companies are ill-equipped to protect themselves or their customers, according to a University of Virginia researcher.
UVa’s Chris Maurer, a professor in the McIntire School of Commerce, worked with University of North Texas researchers Kevin Kim, Dan Kim and Leon Kappelman in reviewing cybersecurity efforts by small, medium and large business organizations.
They found most were not as prepared as they could be to stave off cyberattacks.
“We believe there is a harsh reality lurking beneath the surface within many organizations. While they may be saying the right things in public to satisfy investors, underwriters and customers, there is an apparent lack of urgency in promoting a truly resilient and secure organization,” the team wrote in the paper, published earlier this year by the Association for Computing Machinery.
The study showed that about a third of organizations earning more than $1 billion in revenue a year did not have a dedicated computer security officer.
“Our research did not have to dig very deep to find surprising gaps in organizational security practices,” they wrote. “Further, the security practices most commonly missing from organizations tend to be those that provide visibility, leadership and integration with the business.”
Cyberattacks are big business for computer crooks. In May, Russian cybercriminals crept into the computer-controlled Colonial Pipeline, which pushes fuel for jets and vehicles from Houston, Texas, through the South and up to New Jersey.
The company itself shut the pipeline down and paid $4.4 million in bitcoin to the hackers, of which $2.3 million was later recovered by federal law enforcement agencies.
In six days, as many as 80% of gas stations in the South and Southeast, including Central Virginia, were out of fuel. Panicked people pumped gas into a variety of containers, from stock watering tanks to plastic grocery bags.
Some attacks can pose a health danger. In February, a hacker increased the amount of sodium hydroxide – lye – in Oldsmar, Florida’s water treatment system. The move could have had drastic health consequences to customers, but a worker spotted the adjustment and immediately reversed it.
Other attacks cost businesses big money. When Target Stores’ computer systems were hacked on Black Friday 2013, more than 110 million customers had their credit card numbers, associated personal identification numbers and even emails and addresses scooped up by hackers.
The data breach cost the company more than $300 million, officials estimated, not including $90 million that was covered by insurance.
For their research, Maurer and colleagues asked companies and organizations questions on five common best practices for computer security. They asked about chief information security officers; cyber-insurance policies to offset costs of breaches and attacks; self-evaluations; regular cybersecurity training for employees; and incorporating cybersecurity reviews or considerations in business and technology processes.
“So, is cybersecurity worse than we think? We think the answer is yes,” the study states. “After peeling back the layers to identify specific practices within organizations, there is much to be desired.”
Maurer said part of the reason that companies and corporations lag behind in assuring cybersecurity is that it is hard to quantify the benefits in terms of dollars.
It’s hard to prove that security works because you can’t prove that it prevented a data breach that never occurred.
“If you’re working in a business and you have an idea to boost profits or boost revenues, you can generally get funding for it if you can prove that an investment of a million dollars is likely to bring a return. With security, you can never prove you’re going to get the money back,” Maurer said. “A lot of companies will set a cybersecurity budget and go through the motions, but it’s not always the right things that they’re doing and it’s not usually enough.”
The random nature of cyberattacks makes it difficult to determine which companies are doing a good job at security.
“If you are an expert in cybersecurity and you are excellent at your job 99.99% of the time and you get breached, you are a failure because of that one breach,” he noted. “If you’re a hacker and you fail 99.99% of the time, you could be considered a success because there was that one time you got in and got paid and stole data.”
That one success is not always the fault of the computer system.
“Usually, the first thing that fails is a human being making some kind of mistake. If I program a computer system to block traffic a certain way, it will do it without fail,” Maurer said. “You can train people, but we don’t always follow rules and sometimes we’re just tired and responding to emails very quickly and accidentally hit a link.”
Once inside a strong security system, hackers must run a gamut of security measures designed to make access to data more difficult, such as encrypting data flowing in and out of the network, encrypting databases, and requiring more than one form of authentication in addition to a password.
The first step in stopping hacks is to stop their entry. That means training people to think about security, he said.
“Unfortunately, most training programs are poorly designed and are just a requirement that employees check off,” he said. “It’s important to think carefully about training programs with realistic scenarios.”
Maurer said one reason security at most companies could be lacking is the sense that it is inevitable.
“People say that it's not a matter of if, but when a hack occurs. They’ve seen that the financial impacts and poor reputation don’t seem to have long-lasting financial impacts and some are prepared to face consequences if it occurs,” he said.
“Cybersecurity threats are not going anywhere, but there are steps to take that can limit their scope,” he said. “They’re not just financial threats, but when you look at vulnerabilities in utility grids and water systems, they can be threats to safety, too.”