Stuart Madnick, MIT Sloan Prof. of Information Technology
From The Wall Street Journal
As technical defenses against cyberattacks have improved, attackers have adapted by zeroing in on the weakest link: people. And too many companies are making it easy for the attackers to succeed.
An analogy that I often use is this: You can get a stronger lock for your door, but if you are still leaving the key under your mat, are you really any more secure?
It isn’t as if people aren’t aware of the weapons hackers are using. For instance, most people have heard of, and probably experienced, phishing—emails or messages asking you to take some action. (“We are your IT dept. and want to help you protect your computer. Click on this link for more information.”) Although crude, these tactics still achieve a 1% to 3% success rate.
Then there are the more deadly, personalized “spearphish” attacks. One example is an email, apparently sent from a CEO to the CFO, that starts by mentioning things they discussed at dinner last week and requests that money be transferred immediately for a new high-priority project. These attacks are increasingly popular because they have a high success rate.
The common element of all these kinds of attacks: They rely on people falling for them.
Mohammad Jalali, MIT Sloan Research Scientist
From The Conversation
Like any large company, a modern hospital has hundreds – even thousands – of workers using countless computers, smartphones and other electronic devices that are vulnerable to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people. And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.
A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.
Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.
I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.
Doug Criscitello, Executive Director of MIT’s Center for Finance and Policy
From The Hill
As we move beyond the widespread acceptance and use of online banking and trading platforms and push further into an increasingly digital financial marketplace, consumers face new forms of risk—namely, cyber risk—that would have been unfathomable previously. When confronted with risks that could be financially devastating, consumers are driven to mitigate and insure against such perils. Has the time come to purchase insurance for financial cyber risks?
Rational consumers seek to prevent, minimize or avoid adverse financial outcomes by purchasing insurance to protect against actual and perceived risks they can’t easily afford. Insurance essentially serves as a risk management and wealth preservation tool. However, consumers realize that it doesn’t make sense to purchase insurance when the cost of coverage is so high that they will pay substantially more in premiums than expected losses. In other words, they decide that self-insuring is the more cost-effective alternative.
Individuals today are increasingly concerned about their online security but don’t have a clear understanding of the amorphous yet perilous risks they face. In response, new consumer-directed insurance products are being offered to guard against cyber attacks.
MIT Sloan Lecturer Lou Shipley
From The Wall Street Journal
If you wanted to hack a business, which one would you pick: A Fortune 500 company with a large digital-security budget and a team dedicated to protecting its cyberassets? Or a small enterprise that doesn’t employ a single IT security specialist? Of course hackers are equal-opportunity criminals, but you get my point.
Security breaches at big companies such as J.P. Morgan, Sony and Home Depot dominate the headlines, but safety measures are crucial for organizations of all shapes and sizes. According to the 2012 Verizon Data Breach Report, 71% of cyberattacks occur at businesses with fewer than 100 employees. The average cost of a data breach for those small businesses is $36,000.
We can no longer assume that hackers are solitary figures sitting in basements fiddling with their laptops. They may be members of organized-crime groups or employed by nation states, and they have resources that can destabilize entire companies and countries. These hackers constantly look for Internet vulnerabilities. They break through firewalls, infect machines, and use phishing schemes to gain access through emails to people’s passwords and Social Security numbers. They can then leverage weaknesses in applications to cause a database to output its contents.
So what can the owner of a small business do to defend himself? Here are some tips.
MIT Sloan Lecturer Lou Shipley
The topic of digital security often brings to mind the image of a bleak and dark future, where computers, mobile devices and other systems are riddled with malware and cyber criminals lurk, ready to steal our data and crash our systems. We have good reason to be nervous. We’ve seen plenty of cyber-security breaches in the past few years, like credit card thefts at Target and password issues at sites like LinkedIn.
Digital security is a major concern. Few other issues affect everyone, from individuals to companies to entire nations. So what is the future of digital security?
One discussion thread centers on email encryption, prompted by Yahoo joining forces with Google and Microsoft to develop an encrypted email system. While encryption is a step in the right direction, it’s probably not sufficient by itself. In addition to usability issues — like compatibility of platforms and the human tendency to reuse the same basic passwords — email only covers a portion of the digital world. It’s a partial “attack surface.”