Last year, U.S. companies lost an estimated $100 billion through cyberattacks — and the attacks will likely increase as society moves toward the so-called Internet of Things, cybersecurity specialists warned San Diego's Corporate Director's Forum on Wednesday.
Four of the top 10 data breaches of all time took place in 2013, not including a denial-of-service attack this week that reached a record-setting 400 gigabytes per second.
Hackers attack companies for many reasons, such as stealing credit card data, pirating new technologies and downloading information about corporate mergers and acquisitions. ("That information can be very lucrative," said Ronald Plesco, who oversees cyber investigations, intelligence and analytics at the KPMG consulting firm.)
Attacks have become so common that the FBI has begun calling companies while the attacks are still in progress. "I got a call from the FBI recently saying, 'Tell your client that Chinese hackers are trying to steal their technology right now,'" said Andrew Serwin, a partner in the global privacy and data security group at the Morrison & Foerster law firm. The FBI made 3,000 such calls last year.
Hackers have also become increasingly sophisticated in whom they attack and what kind of equipment they use.
Serwin recounted how hackers recently infiltrated a college student's account to send out an email to his father, a corporate CEO, who was attending an out-of-town conference.
When the CEO responded, the hackers were able to infiltrate his computer to email the chief financial officer of the company for an emergency disbursement of funds, explaining that he couldn't go through all of the bureaucratic procedures because he was out of town. Over the next two days, the hackers pilfered $1.4 million.
Plesco said hackers went into a five-star hotel in California before a corporate convention and replaced all the hotel's surge protectors with special devices equipped with 4G wireless capabilities and Bluetooth that would transmit data from any device that was attached to it.
Shaygan Kheradpir, chief executive of Juniper Networks, which develops security systems, said that hackers in Africa were able to plant similar devices on the computers in the local branches of a multinational bank, which had a ripple effect that spread throughout the globe.
The speakers said there is no magic bullet to ward off cyberattacks, but they offered several precautions companies can take to limit the damage:
• Involve everyone. Instead of relying solely on the IT department to block hackers, make sure that all key departments are involved, including the finance, legal and human resources departments, which should stress the importance of cybersecurity to all employees.
• Control your data. Companies should take time to chart how many devices have access to sensitive data. "How big is your network? And how big is the attack surface?" Serwin asked, referring to the areas that would be most vulnerable to hackers.
Serwin recommended avoiding using "cloud storage" for any sensitive data. "Cloud computing involves giving your information to a third party, meaning you're no longer in control," he said. "There is no guarantee of how they will handle it."
Kheradpir stressed the importance of using encryption for sensitive data.
"Laptops will get stolen," he said. "If you haven't encrypted your laptop, you could get exposed legally depending on what kind of information is stored."
• Invite an attack. Ask someone with hacking skills to see how far he or she can penetrate your system and to recommend how to close security gaps. In the past year, 46 percent of U.S. firms with $10 billion in assets staged "penetration tests" on their systems. "But that means that more than half of them didn't," Plesco said.
• Use more than one network. Particularly for companies dealing with sensitive data, ranging from credit card data to classified technology, it may be necessary to set up segregated networks — say, one for public contact, one for low-security communications between employees and one for high-security information.
• Make sure attacks are reported promptly. Plesco said that in one company, a chief financial officer stole the CEO's laptop just to see how long it would take him to report it was missing.
• Watch out for the unusual. Shaygan's company is working on a system that would spotlight unusual activity — for instance, a key executive in the company logging onto his computer at 2 a.m. and transmitting sensitive information — and install speed bumps to slow down the transmissions until they can be investigated.