State warns businesses of cyber security threats
The cyber break-in isn’t so obvious and by the time the owner finds out, the thief is long gone and hard to find, let alone prosecute.
The damage in this case isn’t just to the business. It can have a ripple effect on anyone the company does business with.
It’s why the Vermont Attorney General’s Office and Norwich University have collaborated on a cyber-security project for small business.
“There have been issues with Vermont businesses being breached in the past,” said Ryan Kriger, an assistant attorney general.
Last month, the state held the first in a series of cyber-security workshops to make businesses aware of the problem and show them the precautions they can take to ensure their computer network is secure from breaches.
“We have been working with Norwich University to kind of get a sense of how safe businesses are here in Vermont,” Kriger said, “and we’ve determined that there are actually businesses that are not engaged in the most safe practices.”
Kriger said businesses have an obligation to protect “electronic personally identifiable information,” and to report breaches to authorities.
During its last session, the Legislature revised the state’s data security law requiring businesses and state agencies to report breaches to consumers within 45 days “after the discovery of notification.” The Attorney General’s Office must also be notified within 14 days of the discovery of the breach or when consumers are notified, whichever is sooner.
Kriger said a failure to report a breach could be prosecuted under the state’s consumer protection laws.
He said hackers steal information by infecting computers with malicious software, commonly called malware.
Gone undetected, malware sends confidential information — credit card, Social Security, bank account information — back to the cyber-criminal’s host site.
Last month’s Montpelier workshop, Cyber Safety for Small Business, was attended by 20 business owners and information technology experts. They heard from Peter Stephenson of Norwich University’s Center for Advanced Computing and Digital Forensics.
“I think the whole idea of securing a business system is not fully understood by many small businesses,” said Stephenson, a cyber warfare and digital forensics expert. “This is not just a Vermont issue; it’s a national issue.”
He said the focus on cyber security is to help small businesses “that either don’t know what needs to be done or can’t afford to have someone come in and do it for them on a regular basis.”
Cyber attacks are becoming more of a threat worldwide. According to the Verizon 2012 Data Breach Investigations Report, there were 855 data breach incidents worldwide last year, resulting in 174 million compromised records — the second highest data loss total on record.
One Vermont company keenly aware of the cost of a cyber attack is Small Dog Electronics in Waitsfield and Burlington.
The Apple retailer took “a big hit” three or four years ago with the loss of credit card information, said Rebecca Kraemer, Small Dog’s director of information technology and consulting.
“We were able to find the breach and stop it in a matter of a week … from when we noticed it to when we had it fixed,” said Kraemer, who joined the company after the incident. “But unfortunately in that time customer information was stolen and we did have to go through the process of sending out letters and working with our banks.”
Kraemer said the company has taken “some pretty hefty measures” to beef up security of the company’s computer system. She said the system has multiple firewalls and servers with all customer information encrypted.
In addition, she said, Small Dog pays two outside companies to “attack” the system on a monthly basis to discover possible vulnerabilities.
She said in-store and telephone customer service representatives are also trained to detect potential fraudulent transactions.
While the state’s proactive approach in reaching out to businesses can help thwart cyber crime, a much more concerted effort is needed, according to U.S. Sen. Patrick Leahy.
Leahy, who chairs the Senate Judiciary Committee, said the increase in cyber threats requires action on a national scale, including the federal government and the private sector.
“The menace of cyber attacks and cyber theft is scalable across American society and throughout the economy,” Leahy said in an email. “Along with endangering our security, cyber threats also endanger our commerce, our infrastructure, our privacy and our creative output and intellectual property.”
Leahy, a Democrat, is sponsoring several pieces of legislation. One is the Personal Data Privacy and Security Act, which would establish a national standard to notify consumers of data breaches and improve data security. The other is the Cyber Crime Protection Security Act, which would give the government enhanced tools to prosecute computer fraud.
“Businesses and companies use this information for a host of reasons, and yet no national standard exists to notify consumers of breaches of this sensitive information,” Leahy said. “At the same time, in an increasingly digital world, a single assault on a regional power grid could indefinitely leave Vermonters in the cold and in the dark, with life-threatening consequences.”
Targets of opportunity
Kriger said the biggest threat comes from international gangs of hackers who steal information — from Social Security numbers to credit card numbers — to make money.
“It’s what the Verizon report calls the industrialization of hacking,” he said. “They’re just setting up systems to probe the Internet to find weaknesses.”
What the Verizon report (www.verizonbusiness.com/products/security/dbir/) found was that 79 percent of data breaches were targets of opportunity — meaning the victim wasn’t specifically targeted.
The report also found that 97 percent of the breaches could have been prevented through simple or intermediate controls.
Stephenson said it’s critical for a small business to ensure its anti-malware software is updated on a regular basis. He said another area that needs attention is the use of strong passwords to thwart attackers.
“Those are a couple of typical things that are easy to fix, low-hanging fruit,” he said. “You fix that and you’re not low-hanging fruit.”
Stephenson, who started his career in the Navy nearly 50 years ago as a crypto technician, also said a website that takes online orders makes a business vulnerable to all kinds of web attacks and data breaches.
If a company can’t afford to build its own website, he said the best option is to hire a host company.
“It’s part of an infrastructure that’s better protected because it’s sitting on that hosting company’s system,” he said.
Dovetailing with that, Stephenson said it’s critical for an online business to hire a third party to process credit card transactions.
“Yes, it costs a little bit to do that, but it costs a lot less than the upstream risk if you’re breached,” Stephenson said, “and you’re keeping card information and personally identifiable information on the site.”
Attack of the zombies
An attack by a cyber-criminal can not only steal information but actually take control of a company’s computer servers — in effect making those servers zombies that can be used to attack other systems.
“The attacker now has thousands of computers under his control that he can use to attack a larger organization,” Stephenson said, “and you don’t even know you’re participating in the attack.”
Cyber Safety for Small Business will also be offered in the fall with workshops in Burlington, White River Junction and Rutland.
Small businesses will also have the opportunity to undergo a free computer security check.
Scan Vermont, a joint program of the Attorney General’s Office and Norwich University, will conduct penetration tests to determine a company’s online vulnerabilities.
Norwich will also offer a series of low-cost weekend Cyber Security Bootcamps for information technology and security professionals.
Later this summer, the Attorney General’s Office will meet with interested parties in a Privacy and Data Security Roundtable. The meeting will focus on future legislation to protect consumers and businesses online.
In addition, the Attorney General’s Office recently hosted a program with Essex High School and Facebook for students, parents, and educators on how to keep children safe online. A video of the presentation is available at www.cctv.org/stream-player-build?nid=118516.
Information on upcoming workshops and an online application for Scan Vermont can be found on the attorney general’s website under privacy and data security.