The Federal Bureau of Investigation wants San Diego businesses to know about the threats posed by cybercrime, and what they can do to defend against hackers, phishing attacks, malware and other types of online dangers.
To that end, the San Diego office of the FBI is carrying out a series of executive briefings, with the goal of educating business leaders about the expanding threat of cyberattacks, and the most effective ways to avoid being victimized.
“Businesses need to understand that cybercrime is the NEW organized crime,” wrote Supervisory Special Agent John Caruthers in an email. Caruthers oversees a squad of agents that battles national security threats posed by attacks from nation-states such as Russia, China, Iran and North Korea. A second squad focuses on criminals who target businesses for financial gain.
The new breed of criminal enterprise is organized like a business, with specialized job titles and roles, such as those who are good at social engineering messages, designed to lure a potential victim to click on a link, to coders who write malware, to money mules who withdraw the funds from fraudulent wire transfers, Caruthers said.
‘Left of Click’
The FBI’s goal in educating business leaders is to prevent cyberattacks before they occur, which is known among law enforcement circles as “left of boom,” or “left of click,” said Caruthers.
Cybercrime is “a real, not going away, and growing threat,” said James Skeen Jr., founder and partner with Lockton San Diego, an insurance brokerage. Skeen also sits on the board of the Cyber Center of Excellence, an industry group that supports the cybersecurity sector in San Diego. The CCOE and the San Diego office of the FBI are partnering on the presentations about cybercrime for local business leaders.
Last year, briefings were held for executives in the life sciences and hospital sectors, as well as general counsels with various companies. This year, presentations are scheduled for CEOs, defense contractors and executives in the tourism industry, among others.
“We will be in front of a thousand business leaders this year,” said Skeen.
$2.7 Billion In Losses
The extent of the threat from cybercrime is documented in an annual report by the Internet Crime Complaint Center, or IC3, a clearinghouse established by the FBI. Over the period from 2014 to 2018, the number of cybercrimes reported rose from 260,000 annually to 351,000 last year, with losses to victims totaling $2.7 billion in 2018.
California led the nation with 49,031 reported cybercrimes in 2018, resulting in losses of $450 million, according to the IC3 report.
Among the most prevalent crimes reported was “business email compromise,” a scam in which hackers send phony emails purportedly from the CEO of a company, or other top official, to employees of that company. The emails seek to lure the employees to wire money to what is actually a fraudulent account, purportedly at the behest of the CEO. According to the IC3 report, such crimes cost businesses $1.2 billion in 2018.
Being Held Hostage
Ransomware is another scam that can target businesses. When an employee clicks on a link, the software infiltrates the network and encrypts the company’s data. Hackers then demand ransom money, paid in Bitcoin, a digital currency, in exchange for the encryption key. The computer network at the city of Baltimore was recently targeted by a ransomware attack.
One group that received an FBI presentation was Biocom, a trade group for the life sciences industry. Joe Panetta, the group’s president and CEO, said the presentation touched on cybersecurity, counter-intelligence and the use of biological agents as weapons. “It was incredibly informative and eye-opening,” said Panetta.
Biocom members have a lot of sensitive information they need to protect, such as intellectual property and patient data from clinical trials, Panetta said.
Travel with a Clean Laptop
The group also learned that a simple business trip to China could lead to the loss of valuable information, through hardware and software designed to steal data from laptop computers. Executives were advised to bring only a “clean” laptop carrying no sensitive information on such trips.
“I’m pretty sure whatever is on my laptop will become their property within a couple of hours of my showing up in China,” Panetta said.
Hospitals are another sector with sensitive data that needs protection. Chris Convey, vice president for risk management with Sharp HealthCare, said patient medical records are a valuable commodity that can be sold for a profit on the “dark web,” an underground area of the internet frequented by drug dealers, hackers and other criminals.
Hospitals also must be concerned about hackers accessing networks, where they could potentially interfere with the operation of medical devices. At a recent Black Hat hacker conference in Las Vegas, hackers were able to take control of a heart pacemaker and alter its functions, Convey said.
One of the first lines of defense, he said, are employees of any company or organization, who need training to spot and avoid cyberattacks. “We’re trying to train them about the risks involved so they become a little skeptical and paranoid,” he said, and avoid traps such as providing their log-on information to would-be intruders.
Another important tool is software that blocks suspicious emails. Convey said more than 80 percent of email coming into the Sharp system is blocked as potentially malicious or spam, a statistic that shows the volume of possible threats.
The Risks of Inattention
Randy Sabett, special counsel with Cooley LLP, a global law firm with an office in San Diego, worked with the FBI to put on a presentation in May for corporate general counsels. The vast majority of data breaches, said Sabett, occur because someone either clicked on a link or took another action in response to a phishing attack or social media scam.
“All kinds of bad things can happen if people don’t pay attention to cybersecurity,” Sabett said.
If an employee gets an email from the CEO, asking him or her to wire $80,000 to a bank account but not to tell anyone, the employee would be wise to make a quick phone call to check on the order before carrying it out, Sabett said.
Notifying the FBI promptly of an online attack is also important, said Sabett, particularly in the case of a fraudulent wire transfer. Authorities may be able to recover the money with the assistance of the bank if the action is initiated soon after the transfer.
Caruthers, of the San Diego FBI office, said companies can take these steps to protect themselves online:
• Beware of the threat and educate all levels of the company.
• Use two-factor identification (such as a text message with an authorization code, in addition to a password) for access to the network.
• Segment the network to prevent a hacker from accessing the entire network at one time.
• Backup data and practice restoring it. Always keep backup data offline.
• Establish a relationship with the local FBI office.
Regarding the last item, Caruthers said it is important for businesses to contact the FBI before they are hit by a cyberattack. “Call us before an event takes place,” he said, so that companies already have a relationship with the law enforcement agency when and if a crisis such as a data breach occurs.
It’s also important to have a cyberincident response plan so that everyone knows what to do if an attack occurs, Caruthers said.
Cybersecurity officials stressed that preparation — from conducting a formal cyber-risk assessment to planning a response to an attack — is key to avoiding an attack in the first place, or bouncing back after a network or data breach.
Convey, of Sharp HealthCare, said, “The moment you get complacent is the moment you get hacked. If you’re not improving in some way, shape or form, then I believe you are taking steps backward. It’s always (about) continuous improvement.”