Eric Fulton described how he camouflaged himself in a suit to slip unnoticed into businesses, coffee and papers in hand, where he fleeced their electronic networks — swiping login information, identifying weaknesses in security systems, even lifting an entire computer.
Fulton, the CEO of Treasure State Internet, did it all with those businesses' permission; he's a computer security expert who gets hired to try to beat security systems so businesses can correct flaws. He revealed his methods to a group of Billings-area businesspeople at a conference Wednesday to "scare the pants off them."
Fulton and other experts spoke about the risks hackers pose to data collected and stored on businesses' networks at the Montana Cybersecurity Summit in Billings. The summit was hosted by Commissioner of Securities and Insurance Matt Rosendale.
Speakers referenced a variety of hacks, from the Equifax hack that potentially exposes data from almost 150 million Americans to the Columbia Falls school attack, where hackers manipulated personal information to threaten students in an attempt to extort a ransom from the school district.
The average cost of a data breach for a business is $3.8 million, said Lamont Boyd, who works for FICO, a company that produces a type of credit score.
"That doesn't include the reputational harm," he said.
Worldwide, data breaches cost about $5 billion last year, he said. That figure is expected to hit $2 trillion by 2020.
"All of that rolls down to all of us," he said, referencing consumers and businesses.
Being a small business in a small-population state like Montana doesn't offer any extra protections.
Last year, more than 200 businesses in Montana reported being hacked, said Marcus Meyers of the Montana Office of Consumer Protection, affecting more than 400,000 Montanans — many of whom were put at risk by the Equifax breach.
"(Hacks) can happen at any size business," Fulton said. "Rather than just ignoring it, there's things they can do to mitigate the risk."
Mark Bassingthwaighte, a risk manager with ALPS, an insurance company, offered a host of simple preventative measures, like:
- Don't write down passwords.
- Never use computers' "remember password" option.
- Use basic encryption for emails.
- Send sensitive information as attachments.
- Use two-factor authentication, which sends a text with a code to confirm a login to an account.
"One of the biggest problems is a false sense of security," he said. "It's all about doing something stupid, just out of naivete."
If a business loses information, it can sometimes be recovered in a matter of days or weeks, he said.
"(But) in some instances, there are things that simply cannot be corrected," Bassingthwaighte said.
General insurance plans typically don't cover costs for data breaches, and cyber-attack-specific insurance often requires that businesses adhere to protocols to minimize risk.
"You have to be in the game," he said.
In a seemingly bleak landscape, Fulton offered a ray of light. There was one business' security system he couldn't beat — a small Midwestern grocery store.