From phony iPhones preloaded with malware to election meddling and the rules of cyberwar, Black Hat USA 2019 wrapped up in Nevada last week with something for everyone to lie awake worrying about.

Unlike most of us, Shawn Murray was there, with about 17,000 other infosec professionals. He’s a cybersecurity consultant with the Pikes Peak SBDC, on the board of directors of the Information Systems Security Association, and chief academic officer and president/CEO at Springs-based Murray Security Services.

He talked with the Business Journal about some of his takeaways from the world’s “leading information security event” — and the things that should keep Springs business leaders up at night.

You’ve been breached

Last month, Forbes published a staggering list of 308 data breaches since 2005 involving the theft or compromise of 30,000 or more records, with Capital One’s July breach of 140,000 Social Security numbers and 80,000 bank account numbers just one of the latest.

Data breaches are increasing in number and severity and, as Forbes noted, most of them happen in North America.

“Between the [Office of Personnel Management] breach, the [Veterans Affairs] breaches, Equifax, Capital One, we’re talking about millions and millions and millions and millions of us, our privacy has already been breached — some of us many, many times over,” Murray said.

“Now what it comes down to is, instead of just trying to protect the sensitive data, there should be a new focus on monitoring. That’s the general consensus among the CISOs having this discussion … . Everybody’s been breached. That’s the assumption. So monitor what you have now.”

As an individual, you can monitor your own credit reports, sign up for a credit monitoring service, or even freeze your credit with all three credit reporting agencies to stop anyone from opening credit and requesting loans and services in your name.

And as the Colorado Secretary of State’s website points out, consumers are no longer the only targets of identity thieves.

“Business identity theft (also known as corporate or commercial identity theft) is a new development in the criminal enterprise of identity theft,” the website states. “In the case of a business, a criminal will hijack a business’s identity and use that identity to establish lines of credit with banks or retailers. With these lines of credit, the identity thieves will purchase commercial electronics, home improvement materials, gift cards, and other items that can be bought and exchanged for cash or sold with relative ease.

“The damage can be devastating to the victim’s business,” the site adds. “The damage to the victim’s credit history can lead to denial of credit, which can lead to operational problems. The cost to clean up and correct the damage can be hundreds of dollars and hours of lost time.”

Who has your kids’ data?

It’s not enough to keep tabs on the private information associated with your financial profile, Murray said. Find out whether cybercriminals have your children’s data.

“Children’s personally identifiable information is being used to open accounts,” Murray said. “There was a child in New Jersey, they ended up having to issue him a new Social Security number because he went to apply for student loans when he turned 18, but his information had been breached at the age of 7. He got turned down for all these loans, because he had bad credit — and the poor kid didn’t know anything about it. You’re talking 11 years of somebody using his Social Security number. It was so bad.”

More than 1 million children in the United States had their identities stolen last year, resulting in losses of $2.67 billion, according to Javelin Strategy’s 2018 Child Identity Fraud Study. Two-thirds of the victims were under 8, and another 20 percent were 8-12 years old.

In the report, Al Pascual, Javelin’s senior vice president for research, called the 1 million figure “the tip of the iceberg.”

Kids’ data might appear unlikely to affect a business, but identity theft — whether it’s your own, your company’s, or your child’s — has real business impacts.

A Ponemon Institute study found that victims of identity theft end up using an average of 175 hours of company time to deal with their identity theft cases — the equivalent of 21 “working” days of lost productivity. And the Javelin study found those 1 million cases of child identity fraud caused $2.6 billion in total losses and cost families $540 million in out-of-pocket costs.

Among other precautions, Javelin’s report recommends teaching kids to protect their identity online; checking and freezing a child’s credit; keeping physical documents secure; actively monitoring existing accounts; and watching for telltale signs like account statements, jury summonses and collection notices addressed to children.

Laws without teeth

“One of the big things we’re seeing a lot lately in the United States is everybody wants a right to privacy,” Murray said. “The general consensus is privacy’s dead; we’ve done too little too late. Everyone opts in [by accepting exploitative privacy agreements that accompany apps] on their mobile devices — FaceApp’s a prime example — and if you read their license agreement, you have absolutely no right to privacy whatsoever.”

Legislation isn’t protecting consumers’ privacy — and it appears impossible that it will catch up with current privacy concerns, let alone get ahead of emerging risks.

Colorado’s new consumer data privacy protection law went into effect in September, and is considered among the strictest in the nation. But laws are one thing; compliance is another.

“Legislation also needs to include assessment criteria,” Murray said. “It’s one of the things that we usually don’t do a good job of in legislation. If you take a look at the cybersecurity law that we just passed here in Colorado: Great law, where’s the enforcement? Where’s the criteria for assessing whether you’re compliant? And who does anybody go to to ensure that they’re compliant?”

It comes down to governments lacking the resources for enforcement, Murray said. And it leaves businesses and other organizations with more questions than answers, and inadequate protections.

“Great ideas. They just don’t have all of the back end, and that’s being recognized in the industry,” he said. “I can tell you, from the CISO’s perspective and the CIO’s perspective, unless you have that back end, they’re going to do the minimum.”