Mainebiz

August 7, 2017

Issue link: https://nebusinessmedia.uberflip.com/i/856735


Vol. XXIII No. XVIII, August 7, 2017

Corporate Security Focus

Cyber headaches

How to stay ahead of the hackers

By Maureen Milliken

Businesses have always had things of value: Money and information. Bad guys, since businesses began, have tried to figure out ways to steal those things.

Those basics haven't changed. The difference is, the bad guys aren't in the basement next door drilling through the walls into the vault. They're running algorithms that dig right into the heart of a business's most important currency: its information.

The people in Maine whose job it is to help banks, hospitals and other businesses protect that currency agree that staying ahead of the bad guys takes constant attention, and more businesses are getting on board with that.

As the bad guys' methods have gotten more sophisticated, businesses are getting more sophisticated at how they protect themselves. The biggest trend is simply more awareness, more realization that no one is safe and more preventive measures to keep the bad guys at bay.

Small businesses are growing more aware that they're among the most vulnerable — larger corporations have the resources to take action before a cyberattack. Small businesses that put off paying for prevention now are realizing it's worth the money.

'Not if, but when'

"We're past the 'if' question, it's a matter of when," says Peter Guffin, a partner at Pierce Atwood and chairman of its privacy and data security practice.

Cyberattacks aren't just for Yahoo and Verizon, but they're for the little guy, too.

"More and more businesses recognize the truth" in the fact that they're going to have an incident, he says. And that doesn't just include data theft, but more serious threats, like ransomware that can take over a business and shut it down.

"There's an increasing investment by companies in tools to detect bad stuff," Guffin says, and that includes increasing the budgets for those tools.

Guffin says businesses are also making the effort to build robust response plans.

"It's a playbook you pull out," he says, to determine the nature of an attack and whether law enforcement or attorneys should be called in.

"It's a recognition that 'this can shut us down,'" Guffin says.

It also means staying on top of what's going on in the company's data system, say both Guffin and Peter Fortunato, a manager in the risk and business advisory practice at accounting firm Baker Newman Noyes.

Fortunato says that it may not seem like much to a business if there are log-ins from a place there shouldn't be, if it's only a small amount. But those "breadcrumbs" can end up bringing down a business.

Say goodbye to 'Password1!'

Usernames and passwords are major breadcrumbs, Fortunato says.

The good old days of simple passwords that you change every 90 days by changing a number are long gone. So are the more recent almost-as-simple days of eight-digit passwords, or cleverly using @ instead of "a."

The bad guys are way ahead of us. All they need is a username and password, and they have access to your world. And if you use similar passwords at work, they have access to your work world, too. And your employer's world. You get the picture.

A password that's easy to figure out "is like locking your car, but leaving the window down," says Fortunato.

He says employer user names that are easy to figure out, like a first initial and last name, compound the issue.

Once someone reaches in that window — and we make it so easy — everything is up for grabs.

Fortunato says most people are not aware of the sophisticated methods the bad guys use to easily solve our password tricks. And once they have, how much of our information we hand over.

The National Institute of Standards and Technology, which sets security guidelines, is advising passwords be 16 to 20 characters.

The good news is, you don't have to change them every 90 days. Fortunato says that when passwords have to be changed, people tend to do obvious things. Like change a "1" to a "2."

The longer passwords are effective because most words in the dictionary are shorter.

That's another thing. That password should also have random letters that make sense to you, but wouldn't to anyone else — no dictionary words.

Businesses are also tackling the issue of convincing employees that password security is important.

"Ignoring it is not an option."
— Christine Worthen, Pierce Atwood

[Chart: Number of breach incidents by industry, 2013–2016. Industries shown: Hospitality, Education, Technology, Financial Services, Retail, Other Industries, Government, Health Care. Source: breachlevelindex.com]

Number of records breached by industry, 2016 (1,378,509,261 records breached)

Other: 500,075,182 records
Government: 391,687,371 records
Technology: 391,653,136 records
Health care: 35,279,635 records
Retail: 32,551,173 records
Financial: 13,323,589 records
Hospitality: 9,569,173 records
Education: 4,370,002 records

Source: breachlevelindex.com
