Cybersecurity critical for banks and other industries
According to the FBI’s most recent Internet Crime Report, the bureau received 800,944 complaints of digital-related attacks on infrastructure that houses critical assets and information during 2022.
The FBI estimated the attacks reported in 2022 caused about $10.3 billion in damages, up from $6.9 billion in 2021.
To fight back and prevent attacks from malicious hackers, a new industry has been born in cybersecurity, with jobs that are designed for “white hat hackers,” according to Nitin Sukhija, associate professor and director of the Center for Cybersecurity and Advanced Computing at Slippery Rock University.
“Cybercrime basically involves malicious attacks online,” Sukhija said. “It could be attacks on software or anything connected to your cyber infrastructure which is the foundation. Cybersecurity involves securing the aspects of that infrastructure, such as data.”
The most common type of malicious activity by hackers is phishing, according to the FBI’s report. The bureau received 300,497 complaints related to phishing in 2022.
“It starts by getting their passwords from an employee,” Sukhija said. “I get a password by sending an email to all the employees of that organization with a link. Then when they click that link it will ask to put the information from the employee in on that fake webpage. Then you would have entry.”
Les Graves, an associate professor in Butler County Community College’s Business & Information Technology division and coordinator of BC3’s networking and cybersecurity program, said that in phishing attacks hackers will most likely pose as a manager, which is why he is urging better training within organizations to help detect what is legitimate and what is not.
Graves said the most common way to tell if an email sent to a user has malicious intent is if the email asks the recipient to supply sensitive information, such as usernames and passwords, while also putting unneeded time pressure on the recipient.
“It’s one of the top three ways hackers try to get into the system,” Graves said. “About 50% of exploits are because of users.”
Graves said the secondary attack once a user has been phished is ransomware, which is a type of malware that permanently blocks access to the user’s personal data unless a ransom is paid.
Graves said hackers also can get into a user’s account by trying to answer the security questions associated with the account.
A common security question is “What is your mother’s maiden name?” which sometimes could be easily figured out through social media searches on the user.
To combat this, Graves recommends using a technique called “security by obscurity” when setting up answers to security questions.
This involves the user making the answers to the questions wrong on purpose.
“There is nothing in that security system that says you have to give the correct answer,” Graves said. “You could set it up with any answer as long as that’s the keystrokes you give to that question, you answered it correctly.”
Multifactor authentication is another way organizations can help ensure their employees’ accounts are secure.
When a user logs in to their account with their username and password, a text message will be sent to the cellphone associated with the account. The message will have a number and/or letter code which will then be inputted manually by the user to obtain access to their account.
“The multifactor means not only do you have to provide what you know, which is your username and password, but then you have to give it a code,” Graves said. “You are presenting two things, which means it’s harder for a hacker to get both of those things and get in to then pose as you.”
The final step to preventing digital attacks is for an organization to have all of its systems up to date to give a server the best chance to defend against a hacker.
“If hackers see that, they are probably salivating because those softwares don’t have the latest security patches,” Graves said.
Graves said about 99% of phishing attempts can be thwarted if an organization has multifactor authentication in place and its systems up to date.
In November 2021, BC3 itself fell victim to a slew of cyberattacks that affected the college’s databases, hard drives, servers and other devices.
In response, BC3 hired a third-party company to help bolster its security systems, first by assessments and audits and then through comprehensive strategies.
Sukhija said dependency on cybersecurity is increasing and pointed to one industry that needs it more than most.
“The financial industry is very dependent on cybersecurity,” Sukhija said. “Everything is all online, especially cryptocurrency.”
Lou Palumbo, chief information officer at NexTier Bank, said NexTier has invested more than $1 million over the past five years in its cybersecurity systems.
“It’s money well spent,” Palumbo said. “Cybersecurity is so important for a bank. We are in charge of keeping and protecting people’s finances but also their private information like addresses and Social Security numbers.”
Palumbo said NexTier takes a “multilayer approach” to cybersecurity through firewalls and anti-malware.
The bank also has federal examiners come in regularly to check its systems. But it doesn’t stop there.
“We hire third-party companies, and they basically try to hack us to find any flaws in our system,” Palumbo said. “If they find something, we tighten those flaws.”
Graves and Sukhija said they have seen an uptick in students enrolling in their cybersecurity programs over the past few years as they help train students to serve as information technology specialists for different types of companies.
“They could probably look for a job at some of the biggest firms out there which are third-party cybersecurity firms,” Graves said. “That means they rent themselves out to organizations. Some organizations don’t have the budget to have full time IT professionals.”
Locally, Graves said a lot of his former students have gone on to work for Armstrong as technical service representatives.
Sukhija said his program has two concentrations. One follows policies and procedures where students learn how to govern and apply policies within an organization.
“The other concentration is basically computer sciences, which involves learning about software and their behaviors,” Sukhija said. “They will learn how to defend these hacks.”
According to the FBI’s most recent Internet Crime Report, the age group most likely to be targeted for a digital attack is those 60 and older.
However, Sukhija thinks there is a simpler answer to who is more likely to be the target of these malicious attacks.
“Anyone online could be a target, but most likely it would be someone or a business with assets to take,” Sukhija said. “Data is a major asset.”
— Article by Steve Cukovich, photos submitted