AI: Newest Tool in Cybersecurity Arsenals
YOUNGSTOWN, Ohio — On the ever-shifting front lines between hackers and cybersecurity, artificial intelligence is the newest vanguard against attacks that could cost businesses and individuals millions.
Stemming from a wave of high-profile ransomware attacks in 2013, antivirus companies such as Carbon Black and SentinelOne have risen as new players in the cybersecurity world. The systems are built on AI technologies that monitor how programs act rather than simply checking files against definitions in a database.
“The problem with that is [viruses are] getting pretty sophisticated. It takes a while for the definitions to catch up to what’s happening,” says Ralph Blanco, CEO of ECMSI in Struthers. “It’s a matter of creating layers of security because there is no one fix for everything – from content filtering to spam filtering to even breach detection software with built-in AI.”
Last year, the FBI reported 7,812 cybercrime victims in Ohio – a figure that includes not only data breaches but also scams and extortions – and total losses of $97.7 million, sixth-highest in the country. Nationwide, the bureau reported the total loss from compromised business email accounts at $1.2 billion.
“Right off the bat, training and end-user education is something every business needs to key in on. That mitigates a lot of problems,” says Robert Merva, CEO of Avrem Technologies, Canfield. “You can have all the technology in the world to protect you, but someone can click the wrong box and let something in. Even though it’s 2019, people are still clicking phishing emails.”
Most industry publications say it takes about six months for a data breach to be found. In that time, if security isn’t up to par, hackers can have unfettered access to a company’s system and all the data that goes with it.
When that happens, Blanco says, a disaster recovery plan is crucial. Among the included items should be how to get a system back up and running after an attack.
“At a base, you want to make sure you’re backed up locally and to the cloud; but the real conversation is what the expectation of the customer is to become functional if there’s a disaster,” he says. Each disaster – whether a hardware failure, cyberattack or fire – comes with its own challenges. Blanco notes.
Each plan, adds ECMSI service manager Dave Galioto, is unique to the company for which it’s written.
“There are some companies who say they can be down three or four days and not miss anything but there are others who say, ‘We’re billing X dollars a day. We can’t afford to be down for half an hour.’ It’s always about the time they need” to get systems functioning, Galioto says.
In the event of a breach, cyber-liability insurance policies can mitigate some of the fallout, says Mercy Komar, an agent at L. Calvin Jones, Canfield. Among the coverages are paying for fines and loss assessments, third-party liability, business interruption, media liability and extortion.
The latter, which increasingly takes the form of ransomware, ought to be a concern for businesses of all sizes, according to Komar.
“The robots don’t care who you are; they’re just out there trying to get in. And once they’re in, that’s when they figure out how much they can get you for,” Komar says. “I’ve had restaurants ransomed, fence contractors ransomed.”
According to Verizon’s Data Breach Investigation, 43% of cyberattacks in 2018 were directed at small businesses and 69% featured hacking, while 34% were perpetrated by internal actors. Still, as has been the case since the advent of malware, user errors make up most of the ways systems are accessed. Verizon reported 33% of breaches were the result of social engineering, 21% the result of casual errors and 15% the result of misuse by authorized users.
“Back in the day, they all had misspellings and things that made it easy to say, ‘This isn’t real.’ But now they look so legit that there’s no doubt it’s a challenge for companies,” says Galioto of social engineering and phishing.
Social engineering involves creating fake emails that have the appearance of legitimate messages – often featuring company logos and employee names – to have employees turn over information or create false billings.
“Those are still the big ones because they’re easily changeable and you can adapt them to any situation,” Galioto says. “Social engineering is still the biggest threat out there right now. The best way to prevent that is through good email security and good end-user education so your people know what to look for.”
To encourage cybersecurity, Gov. Mike DeWine last year signed into law the Data Protection Act. While it doesn’t include penalties for companies that lack a cybersecurity plan, it does offer affirmative defense protections for companies that adhere to certain security frameworks such as those laid out by HIPAA, the National Institute of Standards and Technology, Center for Internet Security and others.
“If your business complies with a national standard for cybersecurity, whether it’s a NIST framework or HIPAA, and you suffer a breach or data loss, and someone sues you – you can provide an affirmative defense against that litigation,” says Avrem’s Merva.
In such cases, the company must provide documentation that it was following security standards at the time of the breach. Such laws, Merva believes, are likely to become more and more common.
“In the next year or two, there’s going to be some kind of regulatory compliance for every business in every state. New York just did it for insurance companies. The Ohio law was a step in the direction,” Merva says. “You may as well just get it out of the way before you’re forced to do so.”
Copyright 2020 The Business Journal, Youngstown, Ohio.