Cybersecurity experts agree protecting data is no longer something that can be ignored as attacks proliferate and become more sophisticated.
While it’s hard to identify the number of breaches that occur, there has been an increase in their quality and impact, said Karl Muenzinger, director of consulting at Janus Associates, a Stamford-based information security firm that works with all sectors, including government. Hackers can target and cause damage to organizations as large as the U.S. Office of Personnel Management, stealing confidential information of about 25 million people, or as small as a midsize business, stealing passwords or crashing websites.
“I think people’s approach to security is improving, but the risk is increasing faster than people’s reaction to it,” Muenzinger said. “This is becoming more and more visible.”
U.S. Rep. Jim Himes, D-Greenwich, said many breaches happen because of a lack of “cyber hygiene,” when people click on bad links in an email that then allow hackers into the system. In the case of the recent OPM breach, it was most likely a sophisticated attack from a hostile government, he said. There are units in Russia, China, North Korea and Iran focused on breaking into U.S. systems, he said. He said each U.S. government agency is responsible for its own security.
A federal law that was passed in the House of Representatives and awaits Senate approval will set standards for security, for notifying victims of hacking and for improving communication between public and private sectors to warn of attacks, he said. Companies and the government do not communicate well because of privacy concerns, he said.
“Government agencies and the private sector need to really make this a mission-critical initiative,” he said. “What happened at OPM was a catastrophe and it could probably have been avoided if the management at OPM had prioritized cybersecurity.”
He said the OPM victims are at risk of identity theft or of being exposed. Muenzinger said the attack is damaging.
“It’s being characterized by people on the inside as being more impactful than the Snowden or WikiLeaks,” Muenzinger said. “So it’s a big deal.”
Patricia Fisher, president and CEO of Janus Associates, said government employees are “extremely annoyed” and it will now be harder to find cybersecurity professionals who want to work for the government.
She said although Katherine Archuleta, director of the Office of Personnel Management, was the one to resign, the middle managers are at fault. In government, this layer of employees is embedded in the organization and has the power to change processes, she said.
“(Archuleta) takes the blame for it and she has to, but she didn’t cause the problem,” Fisher said. “She probably didn’t even know about the problem. If she had known, she might have tried to stop it and have been totally unable to.”
Technological capabilities of hackers are increasing and hard to keep up with, especially if infrastructure has not been secured in the past few years, Fisher said.
“When you’re not interested and not focused on something, that’s when things happen,” she said.
News of three technological failures on one day at the New York Stock Exchange, United Airlines and The Wall Street Journal also brought attention to the danger of weaknesses in prominent companies.
Muenzinger said the three organizations claimed the problems were glitches, but some believe it could have been hackers. From a technical point of view, it takes a long time to unravel what occurred, he said.
“They may not know themselves exactly what happened,” Muenzinger said.
Daniel Jackson, a computer science professor at MIT, said he would not be surprised if either was the case: an attack or a bug. In general, it shows “that our exposure to failures is growing, and that we can’t afford to treat cybersecurity as an afterthought,” he said.
Fisher said those in security are concerned whatever happened could be focused on critical infrastructure, like utilities. Last year, the state Public Utilities Regulatory Authority released a cybersecurity plan to protect against a growing number of attacks. Connecticut is the first state to present a cybersecurity strategy in partnership with utilities, according to a press release from Gov. Dannel Malloy.
Jackson said every type of business is vulnerable to cyberattacks. “If you have something worth taking or breaking, someone will try and do it,” he said.
Muenzinger finds companies often put one person in charge of security and walk away. Cybersecurity is an ongoing process that takes maintenance, he said. He advises organizations to do risk assessment with a professional, to perform practice attacks and to strengthen systems and credentials. Basic cybersecurity training is also helpful, he said.
More people are becoming educated, Fisher said. The Connecticut Technology Council hosted cybersecurity seminars in March and June and has another scheduled for September in East Hartford. The Danbury Area Computer Society, a nonprofit, hosted Ira Wilsker, an expert on Internet security, to speak about hacking threats at a meeting earlier this month. Last year, the University of Connecticut and Comcast Corp. opened a Center of Excellence for Security Innovation at the school’s Storrs campus.
Fisher said rapidly growing companies whose infrastructure does not keep up with their growth are at risk for attacks. She is aware it is challenging for small and midsize companies to put resources toward cybersecurity. Still, improving security is less expensive than a cyberattack. Many companies that wanted to negotiate the price of security measures are willing to spend any amount of money once they’ve been breached, she said.
“People really looking at bottom line are more and more interested,” Fisher said. “Too bad they weren’t doing that five years ago.”