Cyber-security in Florida
Targets: Four industries most at risk for cyber-attacks
Sri Sridharan, managing director of the Florida Center for Cybersecurity at the University of South Florida, identifies four business sectors most at risk for cyber-attacks: Financial services, health care, retail and energy/utilities. Cyber-crime, he says, is “a new evil” that businesses must confront.
Here’s a look at who’s trying to steal data and how companies are fighting back.
The financial industry was among the first targeted by cyber-criminals during an initial series of large-scale attacks in the early 2000s. While cyber-crime now extends well beyond the financial sector, banks remain a prime target for criminal gangs trying to steal account information and money online.
Cyber-criminals stole nearly $1 billion from about 100 financial institutions in the U.S., Germany, Russia, Ukraine and China during a recent two-year period, according to security firm Kaspersky Lab.
One response from the financial sector has been to cooperate and share information. Two years ago, the Depository Trust & Clearing Corp. (DTCC), which clears and settles securities trades, teamed with the non-profit Financial Services Information Sharing and Analysis Center in a venture called Soltra.
Tampa-based Soltra oversees a software platform that aggregates information about cyber-breaches, disguises the identities of companies and individuals and converts the data into a usable format for sharing. Soltra CEO Mark Clancy, previously managing director of technology risk management at DTCC, says the goal is to enable companies to respond to threats in seconds rather than minutes or hours.
“The median number of days between intrusion and awareness is 205 across all industries. Imagine a burglar roaming your house for 205 days,” Clancy says.
Medical identity theft ranks among the fastest-growing types of cyber-crime. In one common scenario, a medical ID thief persuades an employee at a hospital to turn over electronic health records, including names, birth dates, Social Security numbers and insurance policy data. The criminal then resells the information on the black market to theft rings.
The thieves in turn might set up a fake medical clinic and use the stolen patient information to file bogus claims with Medicare, Medicaid and private health insurance plans. Other thieves might use the medical information to file tax returns seeking bogus refunds in the patients’ names.
Greg Enriquez, CEO of cybersecurity firm TrapX, says stolen health credentials are 20 times more valuable than credit cards on the cyber-crime black market. Unlike a stolen credit card, a Social Security number can’t easily be canceled once fraud is detected. “Health care is becoming the No. 1 attack area,” he says.
Cyber-criminals aim to infiltrate point-of-sale systems at stores for a simple reason — that’s where they can obtain valuable customer data such as credit and debit card numbers. Frequently, they use the stolen information to create duplicate cards and rack up thousands of dollars in illegal purchases.
Since the Target data breach of 2013, banks have made a big push toward adoption of chip-enabled cards. The cards contain microchips that transmit a unique one-time code to validate an in-person sales transaction and are considered less vulnerable to cloning schemes than magnetic-strip cards. Meanwhile, large store chains have begun upgrading their payment terminals to accept the new cards.
The change is driven, in part, by a shift in liability for breaches at retail establishments away from banks. Merchants who can’t process the chip cards are now considered liable for fraudulent charges at their stores, says James Miller, spokesman for the Florida Retail Federation.
“It’s incumbent for retailers to protect themselves and their consumers and to make sure they’re upgrading their technology,” he says. “If word gets around that you’re potentially exposing people’s information, they will avoid your business.”
Energy / Utilities
The U.S. Department of Energy has identified cyber-security as one of the top challenges facing the nation’s power grid.
During a 12-month period in 2013-14, hackers penetrated the computer networks of 37% of energy companies, according to a survey by ThreatTrack Security. While none of the incidents resulted in a power blackout, they exposed the potential for so-called bad actors — nation-states, cyber-terrorists and “hacktivists” — to disrupt critical infrastructure.
FPL CEO Eric Silagy says Florida’s largest investor-owned utility spends more than $100 million a year to defend against all kinds of attacks, including cyber-attacks. He’s reluctant to discuss the company’s cyber-security efforts in detail for fear of undermining them but says they are layered and take many forms. “It’s a constant learning process and battle,” he says.
There’s Insurance for That
Insurers increasingly are offering coverage for costs associated with a cyber-attack or data breach, including lost revenue, litigation and ransomware — a type of malware that encrypts a company’s data so that employees can’t access it until the company pays a ransom.
Businesses can thwart ransomware attacks by backing up their data, but many have been slow to do so. A recent report says one particular set of ransomware, called Cryptowall, garnered $325 million for an Eastern Europe-based crime syndicate.
PricewaterhouseCoopers estimates that the market for cyber-insurance is worth $2.5 billion and will reach $7.5 billion by the end of the decade.
“The more astute businesses are saying, ‘We have to educate our staff about the obvious things that can be done to prevent being compromised, but we can’t prevent everything,’ ” says Ed Furey, CEO of Orlando-based business consultancy Furey Advisors. “A $1- or $2-million cyber-liability claim is very real.”
New Business for Lawyers
Law firms also are mobilizing to meet the demand caused by rapid growth in cyber-threats. Many Florida firms have added cyber-security specialists or practice groups to defend corporate clients pre- and post-breach. “Cyber-security issues permeate everything” that businesses do, says Tampa litigation attorney Calvin Hayes, who is part of an 11-member cyber-security team at Buchanan Ingersoll & Rooney. “It comes at companies from all angles, and it’s something they all need assistance with, whether they know it or not.”
For the legal sector, cyber-crime represents not only a new business opportunity — but also an additional expense. Law firms have had to safeguard their own systems from cyber-criminals, who view them as a virtual treasure trove of sensitive client information.
“Law firms have a lot of really interesting information that could allow a criminal to commit another financial crime, such as insider trading,” says Mark Clancy, CEO of software platform venture Soltra.