Title and Settlement Companies Must Remain Vigilant Protecting Data and Money.
The coming year will see a massive escalation of cybersecurity risk, warns Christopher Skinner, chief executive officer of technology security firm SpiderOak. The threats will be driven by both state sponsored groups and individual bad actors.
The following are 9 threats and trends to look out for across business, governmental and personal arenas, according to Skinner.
When you receive an update from a software vendor to install an update, how do you know that update is real? Criminals are using the normal software update process to get companies to infect all of their clients, which then affects everyone down their software supply chain. In fall of 2017, the popular CCleaner application—designed to optimize software performance on computers—was breached by hackers who installed a back door in the software, affecting more than two million users. “This is the kind of breach that destroys trust between users and software providers,” says Skinner, “and makes consumers want to avoid doing business with the provider in the future.”
When Russia wanted intelligence on NATO alliance plans in the Baltic region, it turned to a new kind of secret agent: the soldiers’ own smartphones. Troops from the U.S. and other NATO countries found evidence of their personal phones’ being accessed from a Russian IP address. “Gaining access to your phone essentially puts its functionality in the hands of a remote user—who can geolocate you, take pictures of where you are, eavesdrop on your conversations and gain access to personal information that can be used to intimidate you,” says Skinner.
SpiderOak predicts that the 2018 tax season will see more fraudulent returns than ever—driven largely by the Equifax breach affecting 145.5 million people. “Fake tax returns will likely explode this year given all the Social Security numbers now exposed,” says Skinner. While Chinese hackers remain the prime suspects in the Equifax case, taxes are a favorite target of another state: Russia. On the eve of this year’s Constitution Day in the Ukraine—during which the country celebrates its independence from the Soviet Union—accountants in the former USSR were hit with a massive cyberattack, the largest in Ukraine’s history. The virus infected the software that businesses are required to use to file tax returns, causing havoc for both the companies and the governmental computers to which they are connected.
“If you can plug it in, you can hack it, and this puts the 2018 elections at risk,” says Skinner. “The move to prevent election meddling is far behind where it needs to be, and there are vulnerabilities everywhere from the storage of voter rolls to easily hackable electronic voting machines.” Skinner notes that 21 states’ voting systems were targeted by Russian hackers in the 2016 election cycle, but “this process starts far ahead of the election itself—it’s happening now.”
Congressional testimony from Facebook, Google and Twitter in November revealed the extent of Russia’s influence campaign on social media during the last presidential election cycle. More than 126 million of Facebook users were served Russian propaganda, the company finally admitted, after months of downplaying the extent of the threat. “The volume of fake news stories was clearly too large for the companies to handle, even with the extensive use of third-party contractors hired specifically to address this threat,” says Skinner. “If even tech companies with huge resources are having trouble controlling the spread of fake news and accounts, most other technology and media companies will be even more at risk.”
“One of the most frightening things about the breaches at Equifax, Target and elsewhere is what we haven’t seen—yet,” warns Skinner. Once criminals have stolen the data they need— including Social Security numbers, birthdates and other personal details—they can sit on the data for months or years until people let down their guard and turn off their credit freezes. “Your data can just be sitting out there on the dark web, waiting to be sold or used, well after you think you’re safe.”
“The most common password last year was ‘123456’—that’s a problem,” Skinner says. “Human nature wants to simplify, so we use weak passwords and the same password for multiple sites.” But, he says, much as 9/11 forever changed the way we travel, major cybersecurity breaches are pushing companies to adopt much more complex protocols around digital security. “Three billion Yahoo accounts and passwords being hacked reflect the catastrophic implications of a breach, and companies are realizing that passwords alone aren’t going to cut it. There has to be a one-two punch of both authentication and encryption to secure your data.”
Up-to-Date—10 Years Too Late “The problem with regulations is that they address what’s gone before—not thinking about what’s to come,” says Skinner. “Hackers are forward thinking and creative, staying far ahead of current security protocols. All it takes is one employee who isn’t trained in how to safeguard his or her computer and log-ins. The smart hacker takes advantage of this weak link, enters through that employee’s credentials and then has access to your whole system. Checking the boxes on compliance doesn’t begin to secure systems and data the way they need to be.”
“Imagine if a landlord gave a master key to all apartments to every single resident in the building—that’s how most companies’ systems are structured,” says Skinner. “When one computer or set of credentials is breached, you have now opened the door to the whole system. In the vast majority of companies, employees have far too much access to information that they don’t even need. And given the interconnected systems companies have with their vendors, and then their vendors’ vendors, they don’t even know how far out their connected system stretches. This opens companies up to so many risks that they don’t even know about.”
Copyright © 2004-2018 American Land Title Association. All rights reserved.
This article has been used and reprinted with the permission of The American Land Title Association. The material is for general information purposes only and is not to be relied upon or used for any particular purpose. Title Industry Assurance Company, RRG and The American Land Title Association shall not be held responsible in any way for, and specifically disclaims any liability arising out of or in any way connected to, reliance on or use of any of the information contained or referenced in this article. The information contained or referenced in this article is not intended to constitute and should not be considered legal or professional advice, nor shall it serve as a substitute for the recipient obtaining such advice.