The Business of Cyber Security
All right, we tell you about hacks and data breaches all the time on the news: Target, Yahoo, eBay, Sony, to name some of the major companies where millions of records have been stolen. So who is helping these businesses protect themselves, and do the criminals ever actually get caught? Allyson Morris is here to tell us about the big business of cyber security. And we've all experienced it. It's huge, these breaches.

It's amazing when you talk to people, because just about everyone will say, "Oh yeah, my credit card got hacked," driver later. Oh yeah, lovely, right? Fantastic. You never know right away.

Yeah, it is incredible when you think about all of the big brands that have been hacked, but those are just the ones we report, because they affect so many people. Experts say the majority of hacks, 75% of them in fact, happen at small or medium-sized companies. You just don't hear about them.

[Music]

I think the average American would be surprised to see the state of cybersecurity as it exists in most companies.

And Jim Ambrosini would know. As the head of the cybersecurity practice at CohnReznick, he works with everyone from small doctors' offices to Fortune 500 companies.

So this is our Innovation Lab, where we used to strategize on helping clients solve their cyber issues.

His firm identifies the priorities and the risk and helps companies fix their most pressing problems.

In this case the client got hit with ransomware, so we would probably color that red for a higher-risk item.

Jim's been working in cybersecurity for decades, but said businesses only started taking it seriously in the last few years.

It all changed in 2013 with the breach at Target. With Target, they were hacked through a vendor, which then got into their HVAC system. No one would have ever thought about putting an HVAC system as a high-risk item on a security report until then. And because it made the news, and there are some other high-profile breaches that happened shortly after that, Sony and Anthem and several others, who created a lot of awareness in the industry.

And they should be paying attention. According to a McAfee study, hacking costs consumers and companies as much as five hundred and seventy-five billion dollars a year. This year the state of New York is taking cybersecurity pretty seriously too, with new rules effective March 1st that force financial institutions to have cyber program policies and risk assessment plans in place and to report breaches within 72 hours. But most businesses don't even know when hacks are happening.

We were actually just doing an assessment earlier last week, and we found devices; we call it beaconing, which is sending out information. In this case it had a server and it was sending packets of data over to Korea. The company had no idea. The average time between when a company discovers an incident and when the incident occurred is about five months. That's decreased over time, but that's a long time.

Kim Petty has also been working in cyber for almost 20 years as an information security professional and a lawyer.

Essentially what I do is help companies respond to hacking attacks and security, cybersecurity.

Investigating cybercrime is a lot like physical crime, Kim says, with a crime scene that needs to be recreated and understood. In digital investigation, timing is everything.

Digital evidence, in contrast to physical evidence, is much more fleeting, short-lived. It can disappear quickly and be overwritten quickly. So that makes digital investigations much more challenging in some aspects than physical investigations.

And that makes these cases tough to solve, especially because these crimes rarely originate in the U.S.

U.S.-based law enforcement investigations can involve not only one country but multiple countries in pursuing an investigation for any criminal attack. That means trying to work with several countries, law enforcement in several countries, to gather foreign evidence, identify foreign witnesses and foreign targets.

While you don't hear about the investigations as much as the breaches, they do catch cyber criminals and even recover some of the money.

At least when I was at DOJ, we had some good examples where, even, you know, with younger criminals, we were able to recover a million dollars or more.

But for some businesses, especially the smaller to mid-sized ones, it's often too late.

Every single company that has been hacked has had a huge dip in the market share, in their valuation and so forth. Really, for the small and medium-sized companies, it could be the difference between them even being in business anymore. You work with a private equity company that got hacked, and they had a very difficult time after that raising funding because the reputation was highly damaged.

And just look at what happened with Yahoo. Last September the company reported it was hacked in 2014 and said they thought 500 million users were affected. And then a couple of months later they reported additional hacks that possibly affected a billion customers. At the time, Verizon was working out a deal to buy Yahoo, and they ended up offering 350 million dollars less because of the damage the breach had caused. Now, Yahoo survived; they're still being acquired. But for smaller companies a breach can absolutely be a death sentence.

That, it has to be right. It's like the stakes are too high. You've got to get that right.

Yeah, I don't seem to be too incentivized to get it right things tell you about it two years later next nothing really happened this sad thing they wait. And the cost of preventing a problem and curing a problem, big difference. You're much better off being prepared than trying to clean it after a problem.

With these companies being punished for that. All right, I'm Alan
https://youtu.be/AqiuUw1jQ3s















