On a global scale, it’s an ever-growing and ever-changing issue. One that can quickly impact and devastate virtually anyone who utilizes digital technology.
And as digitization grows in society, so does the threat of cybercrime.
“Counteracting cyber threats is an all-hands-on-deck process,” John Yaros said. “The world is getting more digital and the areas we need to protect are growing.”
Yaros knows this all too well. It’s the world he lives in as the securities and bureau chief for the Idaho Department of Finance, the state’s prime regulator and overseer of all financial activity statewide.
To help provide the public and small business owners the tools and resources to deal with the ever-present threats posed by cyber criminals, Yaros, along with a myriad of state and federal officials shared their expertise in the world of fighting digital crime during the recent Idaho Small Business Cybersecurity Summit held at the Idaho Response Center Chinden Campus.
The summit focused on protecting individuals and businesses from cyberattacks, and identifying and reporting cybercrime, a problem that totaled $8 billion in losses globally last year.
“As many as nine in 10 Americans utilize financial technology at some level,” Yaros said. “The one guarantee I can make is more cybercrime is to come. Criminals are not going to stop. They have over a 1,400% return on account takeovers. It’s an incredibly profitable crime for them.”
As director of the U.S. Small Business Administration Boise office, Shannon Madsen knows the impact cybercrime can have on small business, entities that are “particularly vulnerable” to cyberattacks. Small business owners, she said, must recognize the “importance of being prepared” to help thwart cybercrime.
“Small businesses often don’t know what they don’t know,” Madsen said. “It’s one of the biggest hurdles in our dealings with them.”
According to Madsen, roughly 43% of cyberattacks are directed at small businesses, yet only 14% of these ventures are adequately prepared to defend against such a crime.
Risk assessment and employee education are key to saving one’s business from the untold damage a cyberattack can cause.
“It’s highly imperative to train your team,” Madsen said. “A well-informed employee is often the best line of defense against a data breach.”
For small business owners, it takes but one cyberattack to lead to data breaches, lost revenue and what she described as “consumer churn,” a significant loss in a company’s customer base.
“Damage to reputation is one of the largest impacts of a cyberattack,” she said. “It always goes back to reputation because if customers can’t trust you, they will go elsewhere. They will fear whether this type of crime can happen again.”
In his role as a state cybersecurity coordinator and federal advisor to the Cybersecurity and Infrastructure Security Agency (CISA), Josh Stemp echoed Madsen’s plea for businesses to train and educate all employees on the need to diligently practice proper cyber hygiene.
“We need to teach people to fish to prevent bad stuff from happening in the first place,” Stemp said. “Up to 80% of what we do is preventative in nature. We want to stop bad things from happening in the first place.”
And most of those bad things originate in the form of what is commonly referred to as business email compromise, or what Madsen coined the “top threat” to those who operate a small business.
“Remain diligent about what email you open. The difference in a character can be as simple as a zero or an O,” she said. “You don’t want to be one cyberattack away from losing everything. If you take anything away from me today, develop a strong, complex 16-character password.”
In fact, Madsen told attendees she recently learned that experts say it could take up to a billion years for criminals to crack a 16-character password, compared to minutes or hours for criminals to hack an eight-character password.
“Having unique and strong passwords is critical,” Stemp said. “As for strength, longer is far better than complex. Strength is definitely key.”
Along with detailing a thorough checklist outlining prevention resources and instructions on how to respond to a cyberattack, Stemp narrowed down the process of cybersecurity to three simple steps: Update, login and backup.
“Update means keep all software functioning and perform a continuous scan of your external network perimeter,” he said. “Then be sure to use multifactor authentication for all login identity. And be sure your backup remains immutable and offline, immutable meaning data cannot be changed.”
Classifying ransomware as the “No. 1 threat” for government agencies as well as small and large businesses, Stemp recommends protecting financial records, tax documents and even intellectual property by implementing the “3-2-1” method of securing data.
The process is as simple as three copies of data, two different mediums for storage, with one version stored offsite.
“Have an offsite version and make the offsite version an offline version,” he said. “A lot of ransomware software can now find and target your backups to destroy them. That is the leverage the criminals need over you to get you to pay. I can’t stress backups enough.”
Even if it means having to take an “old-school” route to help protect one’s business interests.
“Plug in and update once a week or month. Take your device and put it in a safety deposit box or a safe,” he said. “If this is considered too complex, get a flash drive and stick it in a desk drawer.”
Whether the problem is ransomware or business email compromise, Chris Volmer, a cyber and infrastructure security manager with the state office of Emergency Management, reiterated that the fight in what he described as the “ever-evolving battle space” of cybersecurity is never over.
“We need to understand that our adversaries are continuing to make improvements in their methodologies, tactics and techniques,” Volmer said. “Cybersecurity is not just one and done. We can’t just say we found a solution and then call it a day.”
A concept that Volmer said helped spur Gov. Brad Little to implement a state-sponsored Cybersecurity Task Force. In March 2022, the group released its official report with 18 recommendations focused on five major objectives to help “create a more resilient cyber posture” for both the public and private sectors.
Objectives contained in the report include: Safeguard Idaho’s infrastructure and provide active cyber deterrence; increase investments for cyber professionals in both the workforce and education; ensure election integrity; actively engage the public in cyber awareness and education; and continue to address cybersecurity throughout Idaho.
That same year Little’s task force came together, the U.S. Department of Homeland Security made an additional $1 billion in federal grant funds available nationwide to states looking to beef up their cybersecurity measures.
During the past four years, Idaho has received more than $12.5 million through the cybersecurity grant program.
“What we’ve consciencely done in the state of Idaho is take a look at the governor’s task force recommendations and road-mapped them to these monies to do what we need to protect ourselves,” Volmer said.
For Josh Hurwit, who serves as the U.S. Attorney for the District of Idaho, prosecuting cyber criminals will always remain a priority, but “prevention of cybercrime” he said, is the best starting point.
“The government has devoted more resources to recovery, prosecution and criminal investigation than it has to prevention,” Hurwit said. “My hope is that through events like this with our partners throughout the state, we can work more with businesses on the front end.”
In his office, most of the cases he deals with typically originate through local agencies.
“Nothing we do at the federal level in law enforcement happens without the help of our local partners,” Hurwit said. “Our role is to help on the backend once a crime happens.”
And when it comes to cybercrimes, there is no time like the present to seek help.
“Speed is critical, and reporting quickly is key,” Kevin Maloney, a deputy criminal chief with the U.S. Attorney’s Office, said. “In order for us to have better chance to recover stolen funds, victims of cybercrime have to move fast to get the cooperation of the people who can help you.”
Malone strongly reiterated the importance of business owners taking advantage of all resources available to help protect their assets and their livelihood.
“If you own a small business, your number one goal should be to never want to meet any of us from the federal government except at a conference like this,” he said. “You never want us knocking on your door to collect evidence from a cyber intrusion.”
Or as Volmer said, “mitigation is the low hanging fruit” in the world of cybercrime.
“My whole presentation should have just been about a strong password and multifactor authentication,” he said. “That is cyber hygiene 101. If you can do those things, you are already 90% ahead of the population, whether it is a business or a government agency.”