I’m a bit concerned about cybercrime. Actually, that’s not true. I’m very concerned about cybercrime. It seems it’s getting worse. And, no matter who I ask at my financial institutions, no one seems to have any concrete answers. In fact, they don’t really even seem to understand how online security actually works, let alone seem capable of explaining to me how we can protect ourselves. So I arranged an interview with Stu Sjouwerman (pronounced ‘shower-man’) to find out more about it. Stu recently wrote a book called Cyberheist: The Biggest Financial Threat Facing American Businesses Since The Meltdown of 2008, which goes into great detail about the current state of cybercrime.
Stu is an IT cybercrime expert and has been professionally involved in information technology for 32 years. For the last 20 years his main focus has been software for system administrators — specifically, security software. He started Sunbelt Software in 1994, and during 2005-2008 built a new antivirus product called VIPRE from scratch, integrated a firewall, and then sold the company to a large Venture Fund in Boston. His new company is called KnowBe4 and he told me about what the bad guys on the Internet have been up to recently.
TCW: Can you give us some examples of businesses (real ones with names) that have been broken into (bank accounts hacked) and what happened?
STUS: Oh, there are hundreds. We did some research on our own, and put them on a Google Map to show how active the bad guys are. You can zoom in and look for one in your own state; we have each incident including the company name, the date it was reported and the amount stolen, broken up in three groups. The green ones are all recent.
TCW: Which ones lead to lawsuits and what happened as a result of the verdict?
STUS: A court case in the press a lot these days is PATCO from Sanford, Maine. An employee clicked on a phishing link and their PC got infected with the ZeuS malware. After the bank was not able to claw back the transfers made by cybercriminals, Patco Construction sued Ocean Bank in 2009, alleging poor security after this $588,000 cyber heist. Recently the court protected the Bank, and Patco lost twice; first the money and then the court case. Ouch.
TCW: What is the difference between laws impacting consumers versus laws impacting businesses in this area? What protections are afforded consumers (and where are these documented) in the US versus businesses in the US?
STUS: Big Difference! Consumer bank accounts are insured up to $250,000 against any loss including cyberfraud, but this is not true for any kind of corporation, whether a non-profit, a church, a school district or a small business. All of these have been victims of cyberheists. The FDIC website has a lot of data about it, check out the section on Safe Internet Banking.
TCW: Why is there a lack of protections under the law for businesses?
STUS: Well, ever heard the expression: “The bank is not your friend”? They are really in it for the money. Their lobby (American Bankers Association) in Washington is blocking laws that would include businesses in that kind of protection as that could cut their profits significantly. It boils down to the fact you are so-called ‘self-insured’, but many organizations are not even aware of this fact. Obviously the banking industry is not promoting the fact either. They’d rather you don’t know.
TCW: With the CIA, Sony, Bay Area Rapid Transit and many other systems being hacked recently (including other high profile sites owned by governments, militaries, educational institutions, non-profit organizations and a wide variety of corporations — including banks), what are financial institutions doing to protect commercial accounts?
STUS: Let me give you a sarcastic answer to begin with: They are giving more money to their lobbyists! LOL. But seriously, they are not really interested in spending billions for your protection. It’s not ‘their problem’ as it’s the client’s PC that gets infected and for them it’s ultimately a small percentage and not worth the effort. In short: cost of business, next! In this case, legislation is the answer and I’m supporting an effort to get some laws into place about this.
TCW: If there aren’t protections for businesses, aren’t businesses going to be discouraged from eBanking / online banking or other eCommerce activities that could open their accounts up and leave them the victims of cybercrimes?
STUS: You bet! One more reason the banks are not shouting this from the rooftops. Blissful ignorance seems to be the banking mantra. When the shit hits the fan, they hide behind their lawyers and abdicate responsibility. There is one exception to this and one bank that does the right thing in this matter.
TCW: How come the bad guys on the Internet have gotten so much in the news recently?
STUS: Well, apart from digital delinquents like Anonymous, we are in the 5th generation of cybercrime now. With the 5th generation, there is a full-fledged underground cyber economy where stolen goods and services are sold in a “professional manner”. All the tools are for sale now, and relatively inexperienced criminals can get to work quickly. Some examples of this specialization are:
- Cybercrime has its own social networks with escrow services
- Malware can now be licensed and gets tech support
- You can now rent botnets by the hour, for your own crime spree
- Pay-for-play malware infection services that quickly create botnets
- A lively market for zero-day exploits (unknown vulnerabilities)
You can read more about these 5 generations here and understand in one minute how come this has become such big business.
TCW: What can companies do to protect themselves?
- Have your accountant use a separate PC to do online banking. That PC should not be used for web browsing or email. Ideally, if you have the expertise in house, make it a Linux machine or a Mac.
- Transfer your business account to JP Morgan / Chase. This is the ONLY bank that has business accounts insured against cyber fraud. The only one. It’s a scandal.
- Make sure all antimalware software is up to date and isn’t being turned off by employees because it slows down their computer.
- Never use a wireless network for anything financial-related, especially not in public spaces.
- Don’t have any company email addresses on your website. Use a web-form so that customers can communicate with you. Phishers use those email addresses for phishing attacks.
- Be proactive: Provide Security Awareness Training for employees to ensure they aren’t an easy target for hackers who break into the network through phishing email attacks. This is what we do at KnowBe4.
TCW: Well, looks like we’re out of time. Thanks for agreeing to squeeze me into your busy schedule and for sharing such important information with our readers. I look forward to reading your book and learning more about the services you provide to companies who want to avoid becoming the victims of cybercrime.
STUS: No problem, Scott. I’m glad you found it useful. I’m hopeful that none of your readers will ever find themselves the victim of a cybercrime. Hopefully, through education, legislation and technology, we can minimize the threat and create a safer experience for all businesses operating on the web.