The business of cyber security

NEW YORK - You see hacks and data breaches on the news all the time. Target, Yahoo, eBay, and Sony are just some of the major companies where millions of records have been stolen. But those are just the ones that make the news because they affect so many people. Experts say the majority of hacks (75 percent of them) happen at small or medium sized companies. You just don't hear about them.

Jim Ambrosini says the average American would be surprised to see the state of cyber security as it exists in most companies. And he would know. As the head of the cyber security practice at CohnReznick Advisory Group, he works with everyone from small doctors' offices to Fortune 500 companies.

CohnReznick has its own innovation lab to help clients solve their cyber issues, such as identifying priorities and risks and helping companies fix their most pressing problems.

Jim recently worked with a client who got hit with ransomware, so CohnReznick identified that as a high-risk item. Jim has been working in cyber security for decades but says businesses only started taking it seriously in the last few years.

It all changed in 2013 with the breach at Target. He says Target was hacked through a vendor, which then got into the HVAC system. Until then, Jim says, no one would've thought about putting an HVAC system on a high-security report. Because it made the news and there were some other high-profile breaches shortly afterward, like Sony and Anthem, it created awareness in the industry.

And the industry should be paying attention. Hacking costs consumers and companies as much as $575 billion each year, according to a McAfee study.

This year, New York State is taking cyber security pretty seriously too, with new rules effective March 1, 2017, that force financial institutions to have cyber programs, policies, and risk assessment plans in place and to report breaches within 72 hours.

But most businesses don't even know when hacks are happening. Jim says that during a recent assessment, CohnReznick found devices, called beacons, sending out information. In this case, a server was sending packets of data over to Korea. The company had no idea.

And that is pretty common.

Kim Peretti, a partner at law firm Alston & Bird in Washington, D.C., says that on average a company takes 5 months to discover an incident. That has decreased over time, but it's still a long time to go without knowing you have a breach.

Kim has also been working in cyber for almost 20 years as an information security professional and a lawyer. She helps companies respond to hacking attacks and cyber security incidents. Kim says investigating cybercrime is a lot like investigating physical crime, with a crime scene that needs to be re-created and understood.

In digital investigations, timing is everything. Kim says the digital evidence is fleeting. It can disappear quickly and be overwritten quickly, which makes it much more challenging, in some aspects than physical evidence. And that makes these cases tough to solve, especially because these crimes rarely originate in the United States.

Kim says U.S.-based law enforcement investigations can include not just one country, but multiple countries, pursuing a criminal attack. That means trying to work with law enforcement in several countries, gather foreign evidence, identify foreign witnesses, and identify foreign targets.

While you don't always hear about the investigations as much as the breaches, they do catch cyber criminals and even recover some of the money. When Kim was at the Department of Justice, investigators were able to recover a million dollars or more in some cases.

But for some businesses, especially the smaller to mid-sized ones, it is often too late. Jim says he sees a huge dip in market share and valuation every time a company is hacked. For the small- and medium-sized companies, he says, that can put them out of business. He worked with a private equity company that had a very hard time raising money after it was hacked because of damage to its reputation.

Just look at what happened with Yahoo. Last September the company reported that it was hacked in 2014 and said that 500 million users were affected. A few months later, Yahoo reported additional hacks that possibly affected a billion customers.

At the time, Verizon was working out a deal to buy Yahoo and ended up offering $350 million less because of the damage the breach had caused. Yahoo survived and is still being acquired, but for smaller companies, a breach can be a death sentence.