How government, business are looking at cybersecurity in changing tech landscape

When it comes to cyberattacks, computer experts say there are two types of businesses — those that have been attacked and have dealt with it and those that don’t yet realize they’ve been attacked.

In other words, every business, industry and organization, regardless of size, either has been or soon will be targeted by cyber criminals. The goal of these attacks can range from simple computer mischief and network disruptions to data theft and multimillion dollar ransom demands.

High-tech hackers from around the world routinely attack computer systems using a variety of technologies, techniques and software platforms including viruses, ransomware, spyware, worms, phishing, adware and Trojan horses, each capable of wreaking digital havoc that can lead to tremendous economic consequences.

From Online Mischief to Catastrophic Impact

Cyberattacks have been around almost as long as there have been computer networks. In 1981, a computer hacker named Ian Murphy (who was also known as “Captain Zap”) became the first person to be convicted of a cyber “crime” after he was charged with hacking into AT&T’s computer system and manipulating its internal clock allowing people to make free long-distance calls during peak times. (Ironically, Murphy eventually became a cybersecurity consultant.)

From that relatively simple beginning, cyber attacks have become exponentially more sophisticated, causing trillions of dollars’ worth of economic damage annually worldwide as a result of data destruction, lost productivity, embezzlement, fraud, intellectual property theft, damaged consumer confidence and other factors.

In 2021 cyberattack damage to businesses and industries worldwide amounted to an estimated $6 trillion, double what it was in 2015. To put that in perspective, the economic damage caused by cyberattacks last year exceeded the GDP of most nations on earth. By 2025 that figure is projected to reach $10.5 trillion, potentially more than the cost of damage caused by all the world’s natural disasters in an entire year.

For cyber criminals, ransomware can be both profitable and relatively low risk. According to the World Economic Forum’s 2020 Global Risk Report, the prosecution rate for ransomware attacks in the United States is only about 0.05% meaning the vast majority of computer hackers who use ransomware are rarely caught, charged or convicted.

In a ransomware attack, a computer system or network is infected with malware that encrypts, locks, or otherwise makes data on the system inaccessible. Data remains locked until a ransom is paid in an exchange for a key code that unlocks the system.

According to cybersecurity experts, ransomware attacks happen, on average, every 11 seconds. Most ransomware attacks aren’t publicized. In fact, most of the time businesses don’t want the public to know they’ve been hacked unless they’re required by law to let their customers, patients and/or clients know their personal information may have been compromised.

One of the most newsworthy ransomware attacks happened in May 2021 when the Colonial Pipeline, one of the nation’s largest fuel distribution pipelines, was attacked resulting in a week of gasoline shortages and price gouging throughout the mid-Atlantic and Southeastern United States. A ransom of $5 million in Bitcoin was reportedly paid to the hacking group calling itself DarkSide, believed to be based in Eastern Europe. The F.B.I. eventually recovered some of the ransom Bitcoin worth about $2.3 million, and while no arrests were made in the aftermath, DarkSide was reportedly shut down under pressure from Russian authorities.

Cybersecurity Liability Insurance

Ransomware attacks and other forms of malware have led to a new niche in the insurance industry — cybersecurity liability insurance. A cyber insurance policy can help a company, organization or even a municipal government pay for any financial losses they might incur as the result of a cyberattack or data breach.

Such a policy came in handy when the City of Cape Girardeau’s computer servers were hacked in February 2020. The hack was discovered during the Martin Luther King holiday weekend after city officials noticed they weren’t receiving any emails. “Sure enough, we went in to investigate and discovered something was terribly wrong and we had potentially been hacked,” recalled Molly Mehner, Cape Girardeau’s deputy city manager.

The attack not only shut down the city government’s email system, it also made data in various departments — including utility billing, accounting, licensing, permitting and others — inaccessible. “They (the hackers) didn’t destroy any data, just encrypted it and made it impossible to access,” Mehner said. Shortly after discovering the hack, city officials received a demand for a “ransom” payment in exchange for a computer “key” to unlock the data.

“The email said they wanted a ridiculous amount, somewhere around a million dollars or 1.2 million in Bitcoin, and they said they’d help us get everything restored once we paid it,” Mehner said, adding that without cybersecurity liability insurance, the city might have been on the hook for the total ransom amount. “But having [insurance] was huge,” she said. “We would have been lost without it.”

The city notified its cybersecurity insurance carrier and law enforcement authorities of the ransom attack. A forensic examination of the city’s computer system, conducted by the city’s cybersecurity insurance provider, found that while the system had firewalls and used standard security protocols, the hackers were probably able to gain system access when a malicious email was opened. Once ransomware infected the computer system, hackers were able to access server passwords, block user access and encrypt documents.

Thanks to its cybersecurity liability policy, the city was able to avoid the full brunt of the ransom demand and only had to pay a $25,000 policy deductible. The ransom was paid, and a de-encryption key was received, but it took more than a month for the city to regain full functionality of its computer system. As a result of the cyberattack, the city added new virus software to every computer, paid for additional Cloud backup storage of critical files, and reinstalled and configured certain software that could not be restored, bringing the total cost of the computer hack to more than $250,000 which was paid out of the city’s emergency reserve fund.

In 2021, the city’s annual cybersecurity insurance premium was about $35,000, but this year the premium more than doubled to $79,000, thanks, in part, to the growing number of ransomware attacks worldwide and the challenges of identifying and prosecuting computer hackers. In the first quarter of 2022, overall cybersecurity insurance premiums in the U.S. increased by 110%, reflecting an increased number of ransomware claims and the growing sophistication of cyberattacks.

“Hackers are always one step ahead with their software, so you have to be vigilant,” Mehner said. “You have to constantly remind your employees not to click on suspicious links or email and if it looks suspicious delete it.”

Banks Guard Against Data Breaches

Financial institutions such as banks and credit card companies are often targeted for cyber attacks by hackers seeking personal information such as bank and credit card accounts, Social Security numbers and other sensitive data. Cyber criminals can then sell data on the black market to identify thieves and others who leverage the information to gain illicit profits.

For Heather Dameron, senior vice president and chief credit officer at First Missouri State Bank in Cape Girardeau, cybersecurity is a constant concern as it is for virtually all federally-insured financial institutions.

Banks, she said, have been “extremely diligent” with all types of cybersecurity malware, especially since 2015 when the Federal Financial Institutions Examination Council (FFIEC) created its cybersecurity assessment tool, or CAT. The tool is used by banks and other businesses in the financial services industry to identify their risks and determine their cybersecurity preparedness.

“We are regulated by the government and the government is making sure both on the state and federal levels that we are trying to do everything we can do to protect our customers,” Dameron explained. “They do penetration tests annually, trying to hack in and then we get reports based on any weaknesses they might find.”

Another aspect of the FFIEC’s cybersecurity assessment program involves regular testing of employees to make sure they know how to defend against cyberattacks. “Employees are our first line of defense. They have to be on guard about opening [unfamiliar] emails or suspicious links,” Dameron said. One accidental “click” could be all a hacker needs to infect a bank’s computer network.

Phishing (pronounced “fishing”) is another tactic cyber criminals use to steal personal information. Phishing is the fraudulent practice of sending people emails purporting to be from reputable businesses — such as a bank or credit card company — asking recipients to confirm their passwords, credit card numbers and other personal information.

“We take it for granted that customers sometimes think a bank would contact them,” Dameron said. “They don’t realize they could be attacked so we have to let them know we will never call [or email] them asking for a password, an account number or anything like that.”

One hacker could easily send thousands of fake emails a day to unsuspecting people and if only a handful of recipients comply with the hacker’s request for personal information, then the “phishing expedition” was a success.

Malware Evolution and Simple Safeguards

Dr. Mario Garcia, director of the Institute for Cybersecurity at Southeast Missouri State University, says it’s difficult to thwart all cyber attacks because of the “continuous evolution” of malware.

Garcia, who came to SEMO in 2020, has a background in artificial intelligence and software engineering, but has focused much of his attention on cybersecurity for the past 20 years. Today he heads the cybersecurity program at SEMO, which was the first Missouri university to offer an undergraduate degree in cybersecurity and is recognized by both the National Security Agency and Department of Homeland Security as a National Center for Academic Excellence in Cyber Defense Education. The program is also the 10-time defending champion of the Missouri Collegiate Cyber Defense Competition.

Cybersecurity defense experts and academic research facilities around the world are continuously researching and “reverse engineering” new forms of malware in order to develop effective virus protections against them, but even the best cybersecurity precautions won’t stop all attacks. “You can reduce a good amount, probably 99%,” Garcia said, “but you’re never going to reach 100%.”

Depending on the policy, cybersecurity liability insurance can help pay ransom demands to recover encrypted data and at least some of the economic losses caused by a cyberattack, but it cannot stop the attack itself. That’s why Garcia believes its better to invest in technology and education to deter cybercrime.

“If they [businesses] invest in technology, then the insurance is not needed,” he said. “If a hacker trying to penetrate a system sees there are multiple layers of protection and encryption firewalls then he’s going to go somewhere else and look for low-hanging [unprotected] fruit.”

Strong passwords that are changed often can go a long way toward protecting computer networks, but Garcia recommends against using any common words that can be found in the dictionary because with the right software they can be hacked in a matter of seconds. “To create a strong password, you need to have a combination of lowercase, uppercase, numbers and special characters,” he said. “If you use those four categories and the password is more than eight characters long, then it can take a couple of billion years to break.”

Although details are still being worked out, Garcia said the university’s Institute for Cybersecurity is developing plans for seminars to help area businesses strengthen their defenses against cyberattacks. In the meantime, he recommends several books, including “The Art of Deception,” written by Kevin Mitnick, a cyber criminal turned computer security consultant. His books detail many of the schemes and techniques computer hackers use to break into computer networks.

Proposed Cybersecurity Grant Legislation

Two bills in the Missouri Legislature — Senate Bill 674 and House Bill 2436 — call for creation of a first-in-the-nation cybersecurity grant program to help businesses enhance their cybersecurity defenses. The bills call for up to $10 million in grants to be invested in cybersecurity technology with funds divided equally among small, medium and large businesses. Grants would fund up to 90% of costs associated with cybersecurity protections such as risk assessments, anti-virus software and employee training.

Neither bill received approval before the end of the most recent legislative session, but Kara Corches, vice president of governmental affairs with the Missouri Chamber of Commerce and Industry, believes they’ll eventually pass. “I hope so,” she said. “I think from the committee hearings on these bills earlier this year it was clear this is a growing concern, and our state leaders recognize something needs to be done.”

Just as elsewhere in the nation, Corches says the frequency and economic impact of cyberattacks in Missouri is accelerating. “And it impacts businesses of all sizes,” Corches noted. “We conduct an annual survey of CEOs across the state and last year for the first time we asked a question about cybersecurity. The results were pretty staggering. Our survey found almost 90% of Missouri businesses think cybersecurity threats are a growing concern and roughly a quarter of businesses in Missouri say cybersecurity threats are a top concern. That’s pretty significant.”

The state chamber, Corches said, is working to raise awareness and encourage investment in cybersecurity protection. “As you can imagine, small business owners can’t afford professional IT support. They don’t know where to begin with creating cybersecurity infrastructure, so I think it’s important that the state take a leadership role in establishing this grant program and encourage business owners to start thinking about cybersecurity investment.”

By doing so, Corches said lawmakers will help protect the state’s economy. “We at the Missouri Chamber are strongly supportive of investing cybersecurity because it's an economic issue,” she explained. “If we have a cyberattack that shuts down a food supplier or a key manufacturing plant, that’s job loss and that’s products that can’t be made. The security of our economy hinges on cybersecurity in these modern times.”