It has become a common corporate nightmare: An employee gets an email saying a package has arrived for pickup. The email says it’s from Amazon, or maybe UPS. The employee doesn’t remember ordering anything online. To get more information, she clicks a link in the email.
At that point, it’s game over. A malicious virus scours her hard drive. It travels to other computers in the company. It spreads just like a cold.
A simple click can put an entire business in jeopardy. It can land enormous amounts of private information in the wrong hands. Social Security numbers, home addresses, human resources information can all be leaked. Faceless hackers might hold the information for ransom.
It happens all the time, according to people who work in the cyber security industry. And not just to places like Target and Sony, but to small businesses whose owners never saw it coming.
“Sometimes we think this stuff isn’t going to hit our area. The cyber world doesn’t care what size your community is,” said Julie Wheeler, president of the Better Business Bureau of Western Virginia.
And when a cyber attack does happen, the first phone call is likely to one of the people involved with RISE.
The Roanoke Information Security Exchange is a recently formed organization for cyber security professionals in the Roanoke Valley.
Rob Garbee founded the group because he wanted to meet with other people who share his career path. Many IT workers in Roanoke operate as one-man shows, he said. He jokes that IT professionals often have offices in basements and back offices, away from the heart of business operations.
But when a hacker attacks, a cyber security employee can be the most important person on the payroll, especially as dependence on electronic information grows.
“Most people don’t think about security until they get burned,” said Nathaniel Sykes, an IT manager with R&K Solutions who is involved with RISE.
The organization counts about 35 members who meet once a month. They’re typically casual events where IT professionals can tell war stories and fraternize. More importantly, they can share notes.
There are other cyber security groups in the region, but most are centered in the New River Valley and focus on learning about cyber security. Garbee wanted a place in Roanoke for professionals to gather.
“I thought, ‘It sure would be nice if I can talk to other professionals to talk about what I am dealing with,’ ” he said.
So he made some calls last fall, and RISE had its first meeting in October.
“All these types of individuals are kind of on our own trying to figure this stuff out,” Garbee said.
The group allows members to discuss how to play defense against cyber attacks that are more frequent and advanced every day.
Most RISE members act as security guards for the businesses they serve, protecting private information and computer systems from unwanted intruders.
“On the defensive side, we have to be right 100 percent of the time,” Garbee said. “The attacker only has to be right once.”
Some of them work for large companies, which have teams of IT employees to guard data and computer systems. Others work for companies that contract out their expertise to small businesses that lack the resources to hire full-time IT employees.
Businesses of every size face cyber threats.
Wheeler of the BBB said big businesses are targeted because of the large amounts of data they keep. Small businesses can be threatened because of their weak safeguards.
The Better Business Bureau warns businesses of all types of scams, from sketchy door-to-door salesmen to malicious emails. Cyber threats are a big part of the problem now, she said.
“Those are things that can bring a business to its knees,” she said. “This is stuff that goes to the heart of your business and your credibility.”
Many small businesses, she said, fail to back up the information on their servers. So when a cyber attack destroys that data, they might have to re-create all of their records.
“When you think about that effect on a small business … it’s monstrous,” she said.
The men and women involved with RISE try to keep an electronic collapse from happening. And if it does happen they have the tools to minimize the damage. Plotting how to defend computer systems from different types of threats is the topic of most meetings.
“From my viewpoint, you can never know enough about security, and these meetings give me the opportunity to hear and see what other companies are experiencing and the methods or tools they may use to address security issues within their organizations,” said Allen Surface with SyCom Technologies.
Stealing precious data
A big part of RISE members’ jobs is educating employees about how to avoid attacks. Cyber security professionals at larger companies will phish their own employees, acting like hackers to test vulnerabilities and to see which tricks employees are mostly likely to fall for.
Ted Nickerson, a security manager at a large local company, told of another cyber security professional who tested a company’s employees on Valentine’s Day, sending out a fake e-card for people to click on.
“There was nearly an 80 percent click rate on those e-cards,” Nickerson said, emphasizing how hard it is to teach people not to open emails with bad links.
“Short of going up and slapping the mouse out of somebody’s hand, it’s going to happen,” said Garbee.
Malicious email is one of the most common ways cyber attacks occur, according to several RISE members.
“If I had to tag a most common attack that is successful, it would be email phishing attacks where a person receives an email that looks legitimate with either an attachment or URL link inside the email,” Surface said. “It is important to note that your security policy is only as strong as your weakest link.”
Sometimes hackers are looking for information to steal. Sometimes they want to cause problems for the company by shutting down its Internet capabilities. Sometimes it’s about money. Ransomware is a particularly bad problem right now for businesses of all sizes. Hackers capture a company’s private electronic information and hold it hostage until a payment is made. Once they’re paid, the hackers will typically release it. But it could cost a company thousands of dollars.
Ransomware is a particular problem for businesses that need constant access to their electronic data, such as health care companies. Sometimes, cyber security experts will advise business owners to simply pay the ransom.
“They will give you the key to get your stuff back,” Garbee said. “Because if there is ever the word that they did not give you the key, people stop paying.”
Several of the group’s members said they have consulted with Roanoke-area businesses about ransomware many times. The public usually never even hears about these attacks.
“A lot of businesses don’t want to admit they’ve been hacked so they don’t tell anybody,” said Nickerson.
Benefits of collaboration
But at RISE meetings, the experts can share their tricks of the trade to prevent attacks. For example, Sykes said one problem he sees is preventing electronic accounts from being compromised. Most companies require employees to log in before they can use their work computers. Hackers can compromise those accounts to collect information.
Garbee, aware of this issue, uses a specific system to make the information harder to reach.
Sykes said he borrowed the idea from Garbee and implemented it into his own work.
Garbee, meanwhile, said he learned that others in the group had developed a solution for security monitoring.
“So I went and looked at what they had and said, ‘Huh, that would work well in our environment,’ ” he said.
Cyber security has received a lot more attention in recent years, especially after high-profile hacks such as the Target security breach last year. Doug Turpin, the technology director at Ethos Technologies, hosted a cyber security forum for members of the Salem-Roanoke County Chamber of Commerce last spring to explain how businesses can protect themselves online. He is on the chamber board and felt it was an important subject for its members.
“A lot of small businesses don’t have the resources to protect themselves,” he said. “Now retail, medical, legal, everybody has a financial risk involved in being hacked.”
And the hackers are becoming more clever. Turpin said one local company faced a cyber attack when a fake email was sent using the name of the CEO, asking for W2 tax forms for employees.
Ethos hosts lunch-and-learn events on the security topic. Turpin was aware of RISE but has not been to a meeting. He said getting cyber security professionals together and hearing different perspectives is good for the region.
Randy Marchany, the chief information security officer at Virginia Tech, spoke at RISE meeting. He said there is “a huge shortage of skilled cyber security people” in the area, calling it “a buyer’s market.” Area community colleges and Virginia Tech have launched programs to encourage students to enter this field.