SALT LAKE CITY — It may come as a surprise that a former top administrator from the Department of Homeland Security, the 240,000-employee agency tasked with keeping the country safe from outside threats, said the biggest cyberthreat to U.S. businesses is likely not from some intricate plotting by a rogue nation-state intent on toppling the largest economy in the world.
"One might expect me to answer that the very complicated threat from abroad is the greatest danger," said Alejandro Mayorkas, former deputy secretary at DHS. "But in fact, that’s not necessarily the case.
"It's the simple stuff."
Mayorkas, now a partner specializing in cybersecurity issues at the law firm WilmerHale, said the most common point of entry for digital criminals who target businesses is via the company email system.
"It’s the unknown email that asks one to click on the site that one cannot verify the authenticity of," said Mayorkas. "And it’s the individual inside a business that clicks on that site and all of a sudden let’s the bad actor in."
About 275 attendees at the U.S. Chamber of Commerce's 2017 Cybersecurity Conference in Salt Lake City on Thursday also learned from Mayorkas and others that some of the most effective strategies to keep those "bad actors" out of their systems are just as simple as the scams run by internet criminals.
"Most importantly, don't click on a site with which one is not familiar," Mayorkas said. "Check first with an information security officer, check with a peer, check with an outside entity."
While the simplest steps to avoid becoming a victim of a cyberattack follow a path of common sense practices, due caution is still not being widely embraced by computer users. According to the Federal Bureau of Investigation's 2015 Internet Crime Report, businesses and individuals lost over $1 trillion that year (the latest for which data is available) and the agency received almost 290,000 complaints related to cybercrimes. The U.S. Chamber of Commerce estimates that 25 percent of users who receive a phishing email open it and 10 percent click on the malicious link or download a malicious attachment.
Jessica Farnsworth, commander of the Utah Attorney General's Internet Crimes Against Children Task Force, explained that cybercriminals have become very good at laying the groundwork for gaining illicit access to business data.
"Offenders will do a lot of research online," Farnsworth said. "Identifying employees that may be working there and doing searches on those employees."
"Then," she said, "they will usually send an email or make a phone call pretending to be a CEO or business partner."
What comes next depends on what the intruders are after. Personal information from customer or transaction lists can be used for identity theft. Groups intent on making a political statement may be looking to disrupt access to a particular company's website. And, in an increasingly common ploy, criminals may be looking to lock up a business's access to its own data and charge a fee to unlock it in a so-called ransomware attack. Tammy Georgelas, of counsel with the Salt Lake law firm Parsons, Behle and Latimer, told conference attendees that the best way to deal with a ransomware attack is to ignore it, sort of.
"The best response is not caring that your information is being locked down," said Georgelas. "Because, you have robust backup not connected to your network."
The U.S. is far and away the most popular target of internet criminals when viewed from a global perspective. Over 80 percent of all reported cybercrime occurred in the country with the next closest, the United Kingdom, hosting only 2.47 percent of victims. Utah ranked 31st in the U.S. for number of reported cybercrime incidents with 1,947 and 31st in losses, with just over $6.5 million. Those rankings are about where the state is at in terms of national population rankings, as well.
The expert panelists and speakers were united in their advice to business owners and noted that best practices are equally effective and applicable to maintaining personal digital security.
• Always change a device's initial default password and regularly update passwords on all devices. And, use strong passwords with a mix of letters, numbers and special characters.
• Stay current with program and application updates and patches. They frequently contain fixes to identified security glitches.
• Never open an email from an unknown source, never click on a link or open an attachment in an email from an unfamiliar source.
• Avoid use of public Wi-Fi systems.
There are also numerous, free and trustworthy guides for small and medium businesses to build more robust defenses from would-be cyberattackers. They include the Federal Trade Commission's Start With Security Guide, the Department of Homeland Security's C3 program and the National Institute of Standards and Technology's cybersecurity framework.
The Salt Lake Chamber of Commerce, which hosted Thursday's event, also offers resources for local business including a cybersecurity toolkit.
By Art Raymond, Deseret News
Published: March 23, 2017 6:40 p.m.
Updated: March 23, 2017 6:52 p.m.