Keeping Up with the Hackers
Columbia Business School

Spending on cybersecurity—and the cost of cybercrime—is soaring. It raises a question: Why is it so hard to protect data? Jennifer Kitses explains.

Last fall, Equifax, one of the three largest credit-reporting agencies in the United States, revealed that hackers had breached its defenses, carrying out what is believed to be one of the biggest data breaches of all time. The attackers had accessed the names, social security numbers, birth dates, addresses, and, in some cases, even the driver’s license numbers of more than 145 million consumers.

The Equifax breach, like earlier major cybercrimes against global infrastructure sites, hospital networks, email providers, financial services, and hospitality and travel sites, brought hacking to the forefront of the public’s attention—at least temporarily. But companies large and small have long been aware of their vulnerability to hackers, devoting significant sums to staying a step ahead of them; spending on cybersecurity is expected to climb to $113 billion a year by 2020, according to Gartner, a research and advisory firm. Yet despite this dedication of resources, hackers continue to succeed. The cost of cybercrime is soaring: a report by the research firm Cybersecurity Ventures estimates that losses associated with hacking, including not only stolen money but also lost productivity and damage to companies’ reputations, will reach $6 trillion a year globally by 2021. “Everything is hackable,” says Marie Susan Lee ’03, a forensic accountant at Lee CPA. A vigilant cyber defense, therefore, is critical.

Many cybersecurity experts have come to accept as the new reality that every single day, almost every single one of the world’s businesses, government entities, and educational institutions risks being a cyberattack victim. For most companies, the question is no longer whether their firewalls will be breached, but whether thieves will be able to abscond with critical information, such as their customers’ identities. It might make you wonder: Why is it so hard to protect data?

An Endless Supply of Attackers
One reason for the difficulty in keeping sensitive information secure? There is a seemingly bottomless supply of talented hackers working around the clock and around the world. Attacks by malicious software, known as malware, and specifically by ransomware—intended to steal data that attackers then offer to return for a hefty price—are getting more aggressive and damaging. Where hackers were once interested in reaping illicit financial gains, it now appears more and more hackers just want to be destructive. “The threat is pervasive and it is global,” says Bob Hammer ’67 (’65GS), chairman, president, and CEO of Commvault, a data-protection and recovery software firm. “And it is very hard to protect against constant attacks, as hackers are looking for new techniques to infiltrate a given system. It’s a race on both sides.” Hammer estimates that his company deals with thousands of attacks every month. Successful attacks have cost some companies tens of millions to hundreds of millions of dollars in lost business and repairs. “In the last year, we’ve had three major corporations get hit with massive attacks,” he says. “Thousands of their servers were compromised, and their ability to operate their businesses was dramatically impaired.”

illustration by Øivind Hovland

The number of hackers and the frequency of attacks mean that any weak point in a system is susceptible to attack. However, despite how well these risks are understood theoretically, many companies and individuals don’t take the necessary steps to defend their data, experts say. “When you look at some of the recent hacks, several of them didn’t occur because of poor technology, but rather from human error,” says Ileana van der Linde ’97, head of JPMorgan Asset & Wealth Management's cybersecurity awareness program. Breaches often occur because people are not sufficiently aware of their risk and how to address it. Van der Linde points to several cases, including the 2016 hacking of the Democratic National Committee, where staffers fell victim to what is known as spearphishing, which targets a specific organization or individual, and inadvertently exposed themselves to malware.

In the case of Equifax, the company was warned about a critical vulnerability months before the attack but failed to move quickly to patch its system. “Hackers go where it’s easiest in the process,” van der Linde says. “Humans are often the weak links in the chain.”

You Can't Build a Moat Around a Cloud
As companies, seeking space and convenience, move their data into the cloud, there is no longer a single perimeter to defend. “The cloud increases the attack surface,” Sullivan says. “If a company has a customer service application that they used to run in their data center but now they run part in Microsoft Azure and part in Amazon Web Services, then they’ve pushed their data out of their castle. Now they’re storing it in forts in the hinterlands.”

However, there is some good news: breaking through a company’s firewall is considerably easier than actually extracting any data. “It takes the attacker a number of steps to go from initial intrusion to the point where they can execute the mission of the attack, which is to steal information. This multistep process is known in the industry as the kill chain. If you identify the attack in progress, then you can thwart it,” says Sullivan. Still, he adds, that process is taxing for companies. “Enterprises are sort of DDoS-ing—or overwhelming themselves—with the number of alerts that their tools are generating,” he says, referring to distributed denial of service attacks, which attempt to make an online service unavailable by flooding it with traffic. “Probably 90 percent are false positives or irrelevant, and that bogs down the analysts who are trying to respond.”

“Hackers go where it's easiest in the process. Humans are often the weak link in the chain.” — Ileana van der Linde '97

Once an urgent true positive alert has been identified, a company’s security experts have a number of tools at their disposal to assess their risk. They might compare the IP address of the attacker against public and private databases of known threat actors. If the traffic contains a file attachment, they could “throw the file into a sandbox,” using a software-analysis tool that reveals how the malware behaves, Sullivan says. Often, companies are advised to use a network-forensics tool to determine who else in their network has been talking to the malware’s command and control server in the last 30 days, which helps determine the extent of the intrusion.

For corporations, the best defense is a combination of backing up data and establishing disaster-recovery sites that are completely separate from their internal networks, says Hammer. He recommends having secure, storage-efficient backup copies—one local and one offsite, perhaps in the cloud. Just replicating data is not a defense against cyberattacks; ransomware easily compromises the original and replicated copies. But what if companies don’t protect themselves well enough? “They pay,” Hammer says. “There are a lot of institutions around this country that pay ransom to hackers because they haven’t had reliable backup and disaster-recovery solutions in place.”

Throwing Money at the Problem
Given the potential costs of a major attack, many companies think the answer is to devote an ever-increasing budget to cyber defense. But some experts say this money isn’t always well spent. “Cyber cannot be solved solely with a purchase order,” says James O’Shea ’09, head of reengineering in the global security engineering group at RBC Capital Markets, who notes that some major banks are spending hundreds of millions of dollars a year on cybersecurity. “Is half a billion dollars too much or too little?” O’Shea asks. “Nobody knows.”

O’Shea believes that rather than companies focusing exclusively on “hygiene” elements of cybersecurity, such as maintaining firewalls and backing up data, they should be redesigning the business processes themselves. “Who you are, strongly proven, along with where you are, what device you’re using, and which transaction you’re attempting to perform — that set of information should be used to determine whether a transaction should or shouldn’t be allowed to proceed,” he says. “Business processes should be robust and should make explicit all assumptions about what is and what isn’t correct behavior for each party’s role in each transaction, and not just rely on technology to catch loosely defined bad behavior.”

O’Shea advocates developing closed-loop processes for more business transactions. In an equity trade, for example, settlement occurs after a buyer and seller each enter their side of an order in their respective order books; if the orders don’t match, the trade is rejected. He contrasts this with a typical funds-transfer system, in which the recipient of a transfer does not need to know that money is coming; the transactions are more vulnerable because of that ambiguity. “Cyber is a business problem, not merely a technology problem,” O’Shea says. “Business leaders should know that a transaction is correct, and know how they know, rather than just assume correctness.”

Protect Yourself
As individuals, we may not be able to do much about whether the companies we rely on—our employers, our banks, our credit card companies—are good stewards of our personal data. However, there are steps we can take to limit our risks. A good first step is to understand the nature of the threat that can expose us to hackers. “You have to really look at every device that you have,” says van der Linde. “How is your data being used? How are you accessing it? Who else has access to your data?” For example, many of the smart devices we use every day—such as fitness trackers, appliances, and games—can be easy targets for hackers. Van der Linde suggests minimizing that risk by taking advantage of a feature on most home routers that allows you to keep your Internet of Things or smart devices on a different network than the computers and devices you use for finances. “You have to be conscious, not just of the devices themselves, but of the networks they are on,” she says.

Passwords are one of your first lines of defense and a great place to start lowering cyber risk. Using easy-to-guess passwords, such as a child’s or pet’s name that you may have used on a social media site, can make you an easier target. Passwords should be long and complex, ideally using a phrase, song title, or parts of a poem, along with numerals and special characters. And because passwords are often the point of entry for hackers, van der Linde recommends using different passwords for different sites or tasks. Both individuals and small businesses should consider using a password manager that features strong encryption. “The more we can eliminate the potential for human error, the safer we are,” she says.

If you have been hacked, you should freeze your credit report and also notify the IRS, says Lee. “Your tax returns might be falsely filed,” she says. “It can take up to a year to correct your identity.” She warns individuals to be particularly wary of phishing attempts to steal data, log-in information, or credit card numbers, usually by tricking you into clicking on a link in an email or opening an attachment. “The number one method hackers use is phishing. And they’re getting more and more clever,” she says. Always check the domain of the sender, and your gut. “If something looks weird, don’t click on the link, and don’t open the file,” Lee says. She suggests viewing YouTube videos from the SANS Institute, for example, to educate yourself about cybersecurity. Simple fixes can result in highly effective protections.

Though hackers may be more sophisticated than ever, the nature of the war remains much the same. “The attackers haven’t really had to change their game that much in the last 10 years,” says Sullivan. “Software has to be continually updated. Every time you have to update your software, there’s the potential to introduce some known or unknown vulnerability. That’s why enterprises today seek a continuous view both of their threats and of their vulnerabilities. It’s a never-ending cycle.”

Cybersecurity is a balance between risk and convenience; there will always be breaches and losses, and in all too many of these cases, we have only ourselves to blame. “As long as human beings are flawed in nature,” Sullivan says, “I know I’ll have a job.”