
It can take 229 days or more for a company to discover that it has been hacked, and usually the company finds out by a knock at the door from the FBI. Ron Plesco, an internationally known information security and privacy attorney for KPMG, gave that startling statistic when he spoke to PFMA’s Loss Prevention committee on “How to Handle a Digital Disaster” during the group’s March 11, 2015 meeting in Camp Hill.
Plesco noted that it’s also usually a bank that notifies a company about a breach. “Knowing who to contact before you find a hack is vital,” he said.
When Target’s data was breached last year, it was the banks that gave them the first notice. Their data was hacked through a vendor.
Who’s doing the hacking? Plesco said Russian and Mexican gangs have gone high-tech and are heavily involved in hacking.
According to Plesco, one in 400 emails carries something malicious that is trying to infiltrate your system. Currently, a Romanian-Nigerian organized crime group is scamming companies by learning the names of their CEOs and CFOs. They track those executives’ travel to conferences, then send an email that appears to come from the executive to company employees, attaching an invoice that says the company owes money to a vendor the executive saw at the conference and instructing them to pay it. The criminals alter the payment account details so that the real vendor never sees the payment. Before companies realize it, they are out $600,000 or more. Plesco said one red flag is that the email address ends in .cm instead of .com. Millions of dollars in fraud take place every day.
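The “.cm instead of .com” red flag above is one instance of a general check a mail gateway or help desk can automate: compare the sender’s domain with the company’s real domain and flag near misses. The following is an added illustration, not code from the article or from KPMG or PFMA. It assumes a single legitimate company domain (the sample value acme-corp.com and the sample headers are constructed for this example), generalizes the article’s one-character example to any sender domain within edit distance 1 of the real domain or reusing its first label under another top-level domain, and does not replace SPF, DKIM or DMARC checks, which a real deployment would run as well.

```python
"""Flag lookalike sender domains in inbound mail headers (added example).

Assumes one legitimate company domain. Any From: address whose domain is a
near miss of it (e.g. ".cm" for ".com", or a swapped character) is reported
as a "lookalike" so that an invoice request from it can be held for review.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample domain and messages; not taken from the article.
COMPANY_DOMAIN = "acme-corp.com"

SAMPLE_MESSAGES = [
    'From: "Jane Doe, CFO" <cfo@acme-corp.cm>\nSubject: Invoice for conference vendor\n\nPlease pay the attached invoice today.\n',
    'From: "Jane Doe, CFO" <cfo@acme-corp.com>\nSubject: Q1 numbers\n\nSee attached.\n',
    'From: "Accounts" <billing@vendor-example.net>\nSubject: Statement\n\nMonthly statement attached.\n',
    'From: "IT" <helpdesk@acme-c0rp.com>\nSubject: Password reset\n\nClick to reset.\n',
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain part of a From: header, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    domain = sender_domain(from_header)
    company_domain = company_domain.lower()
    if not domain:
        return "external"
    # The company domain itself, or a subdomain of it, is legitimate.
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    # Near miss: one character dropped, added or changed (covers ".cm" vs ".com").
    if edit_distance(domain, company_domain) <= max_distance:
        return "lookalike"
    # Same first label under a different top-level domain (acme-corp.co, acme-corp.net).
    if domain.split(".")[0] == company_domain.split(".")[0]:
        return "lookalike"
    return "external"


def scan_message(raw: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Parse one raw RFC 822 message and report sender domain, display name and verdict.

    A display name claiming an executive while the domain is a lookalike is the
    pattern the article describes, so both fields are returned for the reviewer.
    """
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    name, _ = parseaddr(from_header)
    return {
        "display_name": name,
        "domain": sender_domain(from_header),
        "verdict": classify_sender(from_header, company_domain),
    }


def scan_samples() -> list:
    """Run the check over the constructed sample messages and return the verdicts."""
    return [scan_message(raw)["verdict"] for raw in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(scan_message(raw))
```

Held messages should be routed to a person who can confirm the request out of band, using a phone number already on file rather than one in the email, since the display name and body are entirely under the sender’s control.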
This fraud is getting a lot of attention from the media. “The news cycle loves a good hack,” he said. Boards and company CEOs are freaking out about possible hacking. “They’re getting more money to spend on security because of the problems,” Plesco said. “It’s not making a dent. The criminals are too sophisticated.”
The early hackers were isolated criminals committing credit card fraud. Today, they are organized, foreign states gathering financial information and intellectual property and gaining strategic access into companies. Due to oversaturation, Visa Gold cards are worth $1 on the black market today. Company payrolls and pharmacies are being hacked. Medicaid and Medicare health information is also a hot item on the black market today.
Health insurance group policy numbers are worth $24 on the black market. Criminals are making cards to obtain free health care.
Hackers are getting into companies’ systems, waiting for them to remove fraud protection to make payroll and then they move that money to an offshore account.
There is a certain activist population that doesn’t like corporations. They are hacking into websites and stealing information such as healthcare, bill pay and direct deposit data, bonus cards, pharmacy records and quarterly financial reports. Some are even paying employees to steal information.
Pharmacies are being attacked through their internet connections. Sixty percent of websites are infected. Social media accounts such as LinkedIn are also a danger. Plesco says 10 percent of connection requests are fake.
Security agencies monitor chat rooms set up by the Romanian mafia. These groups have 39,000 members selling items such as skimmers, fake ATM fronts, malware and passwords.
While chip-and-PIN has been touted as a secure solution compared with a magnetic strip on cards, Plesco says it can be hacked and it’s not going to protect that data.
His advice to combat hacks:
1) Use the best tools. Our weapons must be better.
2) Educate your employees. Make sure that you are in compliance.
3) Have a response plan in place. Tailor it to your business needs. Keep it up-to-date.
4) Designate the proper team to implement your plan. Get to know your “geeks” and make sure they are educated. Keep them informed about potential schemes.
5) Your CEO is not always the best fit for being the face of cyber security.
Remember, attorneys general love to prosecute cyber attacks. And lawyers don’t want to hear that you could have prevented it.
Plesco suggests keeping informed about the latest threats. The National Retail Federation has a sharing initiative between companies such as Nike, JC Penney, Target and Wal-Mart. Sign up for alerts, such as those from the National Cyber Incident Center and state police.