One Saturday in March, Jordan Reid realized her website, Ramshackle Glam, had been stolen by a hacker and put up for auction on the Internet. Her discovery was the beginning of a scenario that sounds Kafka-esque.
The hacker tried to sell Reid’s lifestyle blog, which she has owned and operated since 2010, for a $30,000 “Buy It Now” price or to the highest bidder. He promised the buyer Reid’s site traffic, files and data. He also hinted that Reid was available for hire to continue writing content for the blog.
“It was a nightmare,” said Reid, who detailed the entire scenario on her site. “I would be on the phone with [website hosting] companies sometimes for up to 16 to 20 hours throughout the day. Sometimes I’d be on the phone with them at 4 in the morning. I tried to get my website back at times when the hacker thought I was sleeping.”
Not only was Reid’s personal property stolen from her, but the hijacking of her site also affected her livelihood: the blog is her family’s primary source of income while her husband pursues an MBA. Reid’s predicament highlights the cybersecurity risks businesses in all industries are facing at an alarming rate.
According to a 2014 PricewaterhouseCoopers survey, 77 percent of respondents detected a security event in the past 12 months, and 34 percent said the number of security incidents detected increased over the previous year. What’s more, 59 percent of respondents said they were more concerned about cybersecurity threats this year than in the past. But perhaps most striking, the survey finds that the average number of security incidents detected in 2013 was 135 per organization.
Hijackings and site ransoms are increasing, along with higher-profile cyberattacks on financial institutions and retailers. According to a study by Russia-based Group-IB, cybercriminals are stealing 400 million records each year. During fiscal 2013-14, the cybercrime market in Russia alone was valued at $2.5 billion, the study said, adding that more than 35 banks had their data compromised during the same period. More unnerving, the report stated the frequency of such attacks is increasing.
Data security has become a significant concern for organizations of all sizes, yet the laws that protect against cyberattacks are haphazard and vary from nation to nation, let alone from state to state.
Symantec Corp., a computer security and cloud storage company, estimates large companies with more than 2,500 employees have a 1 in 2.3 chance of being targeted for a cybersecurity attack. Similarly, cyberattacks on small to medium-size businesses made up 61 percent of all attacks in 2013, an increase of 11 percent from 2012.
“The rate of inquiry on this issue by businesses is exploding,” said Dani Vanderzanden, shareholder and co-head of the data privacy practice group at Ogletree, Deakins, Nash, Smoak & Stewart in Boston. “But the rate of implementation by businesses is much slower.”
The laws that govern cyber- and data-security for organizations vary by industry. However, there are universal, immediate practices all companies, regardless of size, can use to fend off cyberattacks.
Vanderzanden said a few of the most basic policies organizations can implement are encrypting data, requiring employees to change passwords for laptop and desktop computers frequently, and running virus scans. But having well-protected data goes beyond password changes and encrypted data.
A more advanced technique would be conducting an internal “phishing” scheme, whereby emails that mimic messages containing malware (like the typical email that informs recipients that they are the heir to a fortune left behind by a long-lost relative) are sent to employees, and tracking how many are opened. Collecting that information can help an employer create a comprehensive cybersecurity training plan for employees.
Mike Heembrock, vice president and executive specialist at the Chubb Group of Insurance Cos., said the development of wearable technology presents another challenge to data security. Wearable technology hasn’t gained widespread use at most corporations. Companies should carefully consider the potential for cyberattacks and malware infiltration posed by wearable devices worn by employees for personal or business-related purposes, especially when the devices may interconnect with company networks. Companies that promote employee health and wellness may promote or provide fitness monitors that could become a risk to information security. Conducting a risk assessment of wearable devices used for this or similar purposes would be a good risk management practice.
“This technology represents an emerging threat and a challenge employers need to be considering,” Heembrock said.
A HAPPY ENDING
Having her website stolen taught Reid the importance of changing her password often, as the hacker who hijacked Ramshackle Glam initially gained access through one of her email accounts.
Fortunately for Reid, she was able to get her website back and all of its corresponding data, which she was told is a rare outcome.
After four days of fruitless phone calls and a little help from the FBI, it was ultimately some clever bait-and-switch tactics carried out by Reid and a family friend that saw her website safely returned to her possession. Reid said she wired the hacker about $10,000 and waited a tense 20 minutes for her site to be transferred to a dummy account. She then immediately sent the website to another account she created and placed a stop on the payment with the wire transfer company.
“It’s very lucky that I was able to get my website back. People in these situations usually don’t,” Reid said. “This is my family’s primary source of income. My husband probably would have had to drop out of business school if I wasn’t able to get my site back. It would’ve changed everything.”