All it takes is a basement-dwelling hacker with a can of Mountain Dew and an Internet connection.
That was one insight investigator Scott Haugaard of the Nebraska State Patrol shared Wednesday with about 100 people at the Cyber Security Summit hosted by the Better Business Bureau at Bellevue University. Haugaard was part of a panel that discussed how businesses and individuals can report online security breaches — and avoid them in the first place.
The summit included a keynote address from Attorney General Jon Bruning and a live hacking demonstration as well as two panels with, in addition to Haugaard, officials from PayPal, payroll service provider ADP, law firm Baird Holm, the University of Nebraska at Omaha, the Business Ethics Alliance and the Council of Better Business Bureaus.
The summit focused on protection from hacking, viruses, phishing scams and online identify theft.
Bruning said he was recently the victim of identify theft, driving home the point that it can happen to anyone.
“Education is the best defense” when it comes to scammers, Bruning said. Once someone has stolen information or money from you, it's almost impossible to recover.
Ben Steinberg, chief information officer for the Council of Better Business Bureaus, agreed that awareness is one of the best ways to avoid falling victim to hacking and data breaches.
“You've got to get ahead,” he said. The easier it is for a scammer to target you, steal your information or scam you, the bigger target you are.
Having proper anti-virus software, making sure your business's third-party vendors are secure, regularly updating your computer's applications and software, and having a separate computer or server for data storage are key ways to protect businesses from security breaches, he said.
Of anti-virus software, “free isn't always good,” said William O'Connell, ADP vice president of business operations and portfolio management. He also said cheap Web hosting might not be the best idea for businesses that are storing sensitive client data.
At Schrock Innovations, a computer repair shop with locations in Omaha, Lincoln and Papillion, about half of workers' time is spent fixing computers that have been infected with viruses and malware. CEO Thor Schrock, whose company was not part of Wednesday's summit, agreed with O'Connell that free security software is not the best option.
Schrock said hacking, a targeted activity, is not as common as untargeted attacks such as viruses and malware. Still, many people do not purchase anti-virus software.
“People don't seem to make that connection that we're transitioning from a world of physical theft to a world of digital theft,” Schrock said. He referenced a hacking attack that victimized Visa and was tied to average computers infected with malware.
“This is a real crime that costs real money, but a lot of people don't see the individual responsibility to protect their individual machine,” Schrock said. “Protection costs money.”
Just like Bruning's point that anyone can be a victim of identity theft, anyone — including a business that fixes infected computers — can be a victim of a malware or ransomware attack. Schrock Innovations' front-desk computer in Lincoln was recently attacked by a ransomware virus that demanded money in exchange for allowing the business access to the computer's files. Fortunately, the business had backed up its data in two separate hard drives.
“Most people, we can't even get them to make one backup, let alone two. If we hadn't had that second backup we would have had to make the decision to pay the $500 or lose every file. A lot of businesses would pay the $500,” Schrock said.
Haugaard of the Nebraska State Patrol said one of the biggest problems with security breaches is that businesses often don't report them. That's because the information technology employee who would report the breach often is the same person who was supposed to prevent it. He advised companies to treat their IT staff like professionals and to have a plan in the event that their business's computers are attacked.
“You need to listen when they start talking security,” Haugaard said.