Hot topic: Cyber security, protecting networks

Breakfast with the Journal

Date-place: Tuesday, July 30, Embassy Suites

Time: 7 a.m. registration, 7:30 program

Cost: $23 for subscribers, $33 for nonsubscribers


Almost one-third of small businesses in the United States have been attacked through their computers, emails and cloud networks, losing millions each year to cyber criminals.

Even worse, nearly three-quarters of those businesses could not restore their company’s data. Every business is a target, and every business needs to be prepared to fight cyber criminals — from nation-states to organized crime — who want to steal industrial secrets, business cash or intellectual property.

Colorado Springs isn’t immune. In fact, local businesses are a big target for cyber criminals because of the type of companies that do business here: defense corporations, finance companies, banks and high-tech startups.

It all means that companies have to do a better job of securing information, particularly those groups that hold sensitive, secret third-party information from clients like banks or government agencies, said Doug DePeppe, founder of the Western Cyber Exchange and the Aspire IP law firm, two groups dedicated to stopping the cyber crime threat.

DePeppe, along with Jeff Beauprez, president of Colorado Networks, and Tim Beres, vice president and director of safety and security for CNA Analysis and Solutions, will be part of a Business Journal breakfast panel about cyber security, scheduled for July 30 at the Embassy Suites, 7290 Commerce Center Drive.

“They say that China has made inroads, not from building innovation, but from stealing innovation from other people,” DePeppe said. “And that includes companies here in the United States.”

DePeppe, an expert in defining threats to networks and businesses, recently traveled to Thailand to discuss international solutions to crimes that know no borders or national influence.

In the absence of clear ways to arrest cyber criminals who might be operating in the United States, but live in Belarus, Ukraine, Poland or other nations, DePeppe founded the Western Cyber Exchange, a group of companies who share cyber threats and information about the attacks they’ve fended off.

Victims won’t admit it

It’s an answer to one of the problems of cyber crime: Few companies want to admit publicly that they’ve been attacked, and fewer still acknowledge losing millions to cyber criminals.

“Going public with the kind of attack people are seeing, that automatically reduces the amount of confidence clients have in the business,” he said. “So businesses want to handle it on their own. But the problem is that means the hackers can use the same attacks over and over again.”

If businesses share the information, then they will know what attacks are coming and how to defeat them, DePeppe said.

And there’s one way to make sure business networks are safe from cyber criminals that has little to do with technology, firewalls or password security. It’s training.

“Train employees to watch and wait,” Beauprez said. “Think before they click. Just that simple action — don’t click on links you’re not sure about — can take care of many of the problems. Email, texts, attachments, all should be viewed with suspicion at first. It all boils down to training.”

Even things that most people take for granted are fraught with danger — the app stores, for instance.

“People think the app store is safe, that the products there have been vetted,” Beauprez said.

“But they’re wrong — not all of them have. And downloading that cool app could make your smartphone vulnerable.”

Businesses need a policy in place, he said, mandating ways to train employees not to click on links in emails, not to download questionable items to the network.

But cyber thieves are clever, said DePeppe, and they’re always working to find ways to make money by intruding on networks and the Internet. A common one is to get in the middle of a bank transfer and siphon money from the transaction.

Social media tactics

Sometimes the cyber crime takes a more devious approach, using social media as the gateway.

“It’s called a drive-by,” DePeppe said. “Someone will put an ad on Facebook or Twitter, for people who are interested in a specific thing, say the NFL. You go to the site, participate in a few chatrooms, forums. And then that same person, after gaining trust, puts up a link to their website, a place to buy fan items. You go there, and they have your credit card information.”

Or, if an employee goes there from work, it could plant lines of code into the network, waiting for the signal to download financial information or transfer intellectual property to another computer.

“It’s a great way to introduce malware into the system,” Beauprez said. “And it’s all done because an employee innocently went to a site. Social engineering networks are prime targets for these types of cyber attacks.”

Employees need to know the risks they’re taking on the Internet and with their company’s private information, both men said.

“There are threats out there, and they are getting more and more sophisticated,” DePeppe said. “When we had dial-up, there wasn’t any hacking; it took too long to get into a network. But now that connections are faster and faster, there are millions of chances to get into a network — and that’s only going to increase as technology gets more advanced.”