Stopping Cyber Attacks Likened to a War, and Experts Say the Crooks Are Winning So Far

(San Jose Mercury News/MCT)

Following this week’s stunning revelation that Russian crooks have stolen 1.2 billion usernames and passwords, the biggest breach on record, experts say making the internet more secure will take a massive global effort – everything from bolstering website security to a stronger push to prosecute the criminals to better vigilance by consumers.

How much all this might cost is unclear, with some experts estimating it could take billions of dollars while others insist it’s more a matter of redirecting what already is being spent toward more fruitful areas. But even then, critical information on the internet may never be entirely safe, given the growing sophistication and ability of hackers to find new ways to steal it.

The attack by a Russian gang, uncovered by a Milwaukee security firm, has inflamed concerns about data protection on the internet and whether the security practices of thousands of companies around the world are sufficient to protect the financial and personal information of consumers. Security experts say businesses need to take the lead in tackling the threat, particularly since the software and computerized gadgets they make to access the internet are frequently riddled with weaknesses hackers can exploit.

“There is zero or very little corporate responsibility being taken to ensure products in the market are safe,” said Melissa Hathaway, a former top federal cybersecurity official with the National Security Council and the Office of the Director of National Intelligence, who now has a consulting firm. “If we continue to see the market the way it is, we’ll see more victims.”

Critics have faulted many companies for being slow to address their cyber vulnerabilities because of factors ranging from ignorance about the extent of their flaws to the cost associated with patching them.

Alan Paller, director of research at SANS Institute, an organization that trains computer-security experts, said that because software can be easily manipulated by crooks, it’s essential to either make programmers responsible for the financial damage that results when their code is hacked, or at least make them demonstrate they know how to write safe software through a skills test.

Paller said companies also need to improve the ability of their security staffs to deal with cybercrooks who sneak into the corporate networks, adding, “I don’t think they know how to do it in many cases.”

Moreover, he said companies should stop wasting money writing security-related reports – some of which are required by the federal government – and focus more on actually battling hackers. That’s why he believes tackling cybercrime wouldn’t require a huge additional expenditure, because “fundamentally, it’s a shift from talking about the problem to fixing the problem.”

But others argue that companies will need to spend substantially more, because many of them so far haven’t taken the threat seriously.

Avivah Litan, an analyst with the research firm Gartner, estimated that many companies could protect themselves reasonably well by spending $50,000 to $100,000 a year on security, while larger firms might have to spend $5 million to $10 million. While that’s a lot of money, she added, the cost of a breach that results in the company losing its commercial secrets or alienating its customers could be much higher.

One key measure companies could take is to shift from having their websites accessed with usernames and passwords to employing biometric identification systems, according to Larry Ponemon, whose Ponemon Institute studies data-protection and privacy issues. He noted that some companies already offer voice-identification technology for accessing computer gadgets, and he predicts retinal- and facial-identification devices could become widely available within five years.

These five tips are among the most important things consumers can do to avoid being victimized by hackers:

– Never click on links in emails from people you don’t know or only vaguely know. Many so-called phishing emails have links that lead to websites that can lure you into giving personal information or downloading malware to your computer.

– Beware of phony websites. These sites may have an address that’s very similar to a legitimate site, but the page can have misspellings, bad grammar or low-resolution images. If a site asks for personal information, double check the URL and make sure it’s not asking for information it shouldn’t.

– Don’t shop on a site unless it has the green “https” and a padlock icon to the left or right of the URL. Also, protect yourself and use a credit card instead of a debit card while shopping online, because a credit-card company is more likely to reimburse you for fraudulent charges.

– Use a strong, hard-to-crack password, like 9&4yiw2pyqx#. Phrases are good, too. Regularly change passwords, and don’t use the same passwords for critical accounts.

– Back up all of your data on your computer, smartphone and tablet in the event of loss, theft or crash. Also, routinely check your various financial statements for questionable activity.

Source: Intel’s security unit McAfee