Cybercrime reaches ‘epidemic’ levels in Greater Cincinnati
by Andy Brownfield – Reporter for Cincinnati Business Courier
A local cybersecurity expert says it’s not a matter of if your small business is being hacked, it’s how often.
Brent Cooper, president of Covington-based tech firm C-Forward, said there were 140 million new cyberattacks in 2014, which increased to 250 million in 2015. He said those attacks could be as much as four times higher in 2016.
“Cybercrime is now at an epidemic level and people don’t know just how bad it is,” Cooper told me. “We’re seeing attacks daily, and you can see them coming in minute by minute on firewalls and different security tools.”
Most attacks aren’t giant breaches like the one that rocked Target in 2013, where thieves stole every credit card used at its 1,797 U.S. stores. Most cybercrime looks relatively benign, but it only looks that way. Most attacks arrive as emails designed to trick the recipient into thinking they come from an official or trusted source but that in reality carry malicious software, or malware, often something called “ransomware” that holds a computer system hostage until the owner pays hackers a ransom.
“These attacks can cripple a business,” Cooper said. “The criminals are getting paid, so they’re acting with impunity. The majority of small businesses are not even reporting them.”
BDO consulting director Jessica Allen told me cyber criminals have shifted their focus away from consumer data to attacking companies themselves. She said a CEO she worked with kept getting calls from his company while he was on vacation, and when he finally answered, his team wanted to double-check that he had authorized a suspicious-looking $1 million payment. The hackers who sent the email even knew that the CEO was on vacation.
“There are two types of companies: ones that have been breached and ones who just don’t know it yet,” Allen said. “A lot of people think they’re too small, but there’s no such thing.”
To safeguard against social engineering attacks like the one on the CEO Allen mentioned, companies can put a process in place where two different people have to authorize any payments that go out, or use multiple means of communication, such as a phone call, to backstop email communication.
Cooper recommends multiple factors to authenticate any login or online transaction: something you have and something you know. The something you know would be a password or security question, while the something you have would be a token that is randomly generated and good for only 30 seconds, so only the person in possession of it would be able to authenticate themselves.
“We are genuinely scared,” he said. “If we don’t start taking cybersecurity more seriously, it’s not going to get better, it’s going to get a lot worse.”
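The 30-second token Cooper describes can be sketched as follows. This is an added example, not code from the article or from C-Forward, and it assumes the token follows the TOTP standard (RFC 6238), which the article does not name. Under that assumption the code is derived from a shared secret and the current time rather than drawn at random; the 6-digit length, the one-step clock-drift allowance and the replay check are likewise assumptions of this sketch.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, the figure given in the article
DIGITS = 6   # assumed code length

def totp(secret: bytes, at: float) -> str:
    """Code for the 30-second step containing Unix time `at` (RFC 6238, HMAC-SHA1)."""
    counter = int(at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, submitted: str, at: float,
           last_used_step: int = -1, drift: int = 1):
    """Return the matched step number, or None if the code is rejected.

    Accepts codes up to `drift` steps either side of the current one to
    tolerate clock skew, and refuses any step at or before `last_used_step`
    so an intercepted code cannot be replayed after the user has used it.
    """
    current = int(at) // STEP
    for step_no in range(current - drift, current + drift + 1):
        if step_no <= last_used_step:
            continue
        expected = totp(secret, step_no * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step_no
    return None

# Published RFC 6238 test key, used here only as sample input.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print(code, verify(SAMPLE_SECRET, code, 59))                    # accepted
    print(verify(SAMPLE_SECRET, code, 59, last_used_step=1))        # replay refused
    print(verify(SAMPLE_SECRET, code, 120))                         # expired
```

The server stores the returned step number per user and passes it back as `last_used_step` on the next login.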