Thursday’s Breakfast with the Journal at the Mining Exchange Hotel delved into cyber security and threats posed by the Darknet, an anonymized network largely used by criminals to buy and sell nearly anything.
Speakers were Douglas DePeppe, a cyber law attorney with the Colorado Springs-based intellectual property law group Aspire IP, and Jeff Beauprez, a cyber security specialist with Colorado Networks. The presentation began with a brief timeline of cyber threats, beginning with malware’s evolution to virus in the 1990s and the monetization of stolen data beginning in the early 2000s.
They said cyber crimes grow more sophisticated every day.
The most valuable information falls into two categories: Protected Health Information and Personally Identifiable Information, or PHI and PII. They can provide bank accounts and routing numbers, dates of birth, names and even full medical histories. Full identification thefts, or Fullz on the black market, can be surprisingly cheap, at around $30 per identity. The return on investment, though, can be thousands of dollars via a fraudulent tax-filing, for instance.
DePeppe also discussed the vulnerability of business networks, citing a study where 1,600 networks were sampled and 97 percent had experienced a breach.
“An average company is compromised … every four days,” he said.
DePeppe said companies go weeks or even months without knowing they’ve been breached.
Target took action three weeks after a breach, and 40 million identities had already been compromised. DePeppe said one company had been leaking information for more than a decade before learning of it.
Beauprez recalled a client without even minimal firewall and encryption protection.
“This network was wide open. It gives me goosebumps thinking about what could have happened there,” he said, adding while hackers used to take down networks, now they will help keep it running in order to mine more information.
Beauprez said businesses need to assess what has worth and is stored on their networks, determine if it should be stored there, and then take steps to protect it if it should be. He said that if outsourcing security, know who is liable in the event of a breach.
DePeppe provided two general legal strategies for cyber security.
The first is establishing “Reasonable Security,” a legal term for due diligence, DePeppe said. That includes firewalls and encryption to make breaches more difficult.
The second is “Reasonable Management Behavior,” which tasks employers to ensure employees have the proper training to recognize ploys to compromise networks.
DePeppe said, for instance, accepting an invitation for social media through your email can be a sophisticated phishing scheme. Rather, accept all invitations directly via the website.
DePeppe concluded with several takeaways: He advised companies to encrypt company laptops. A lost or stolen unencrypted laptop can cost a company $30,000-$50,000 per laptop in damages.
DePeppe added that individuals and companies should employ discretion when accessing personal or client banking information. Doing so on an open WiFi network is not advised.