Recently cyberattacks have been on the rise - often targeting municipal governments, universities and hospitals. In July, a cyber security breach at Northwest Arkansas Community College shut down services and delayed the fall semester, and last week, the city of Bella Vista closed its offices after a reported cyberattack. Ozarks at Large's Daniel Caruth spoke with Scott Anderson from the Forge Institute - an Arkansas-based cybersecurity firm - about the uptick in cybercrime and how the biggest targets are often not who you would expect.
The following is an edited version of that conversation.
Scott Anderson: I'd say a lot of bigger organizations have a better budget for cyber security. So yeah, they may be targets, but they have people that can focus on this day in and day out. Small- and medium-sized organizations are more vulnerable.
Daniel Caruth: And I mean, you know, it seems like a lot of these, these cases, they've been cropping up a bit more. And that might be, you know, anecdotal, just we're hearing about it more. Does it feel like more cyber attacks are happening?
SA: Yeah, I mean, I watched the news. Again, I would say that the adversaries are well-trained and getting more and more sophisticated, right? It used to be with advancements in technologies, like artificial intelligence. For example, everybody's hearing about that on the news. A lot of people's information is out there for others to find, which lets the adversary kind of play the long game and figure out the best way to social engineer somebody to gather information about them so they can well craft a phishing email or text or call. And that's how the bad people are getting in. The adversaries are getting better.
DC: Do we know? Can we identify who it is? Is there a main culprit? Is it someone who's just trying to get money, a hacker? I mean, what is kind of the profile for these people who are trying to get in or entities that are trying to get in?
SA: It used to be very specific. You would have nation-states, for example, in terms of military and, again, military background.
So nation-states would have specific tactics, techniques, and procedures that they would be hacking and trying to get into government systems or critical infrastructure or whatnot. Then you have hacktivists, and their motivations are different. You have your criminals, obviously they're motivated by money.
But in this day and age, those lines are blurry because you have some nation-states that are hiring criminals because they're after money to do their dirty work.
DC: I think a lot of, especially for people who maybe been established in business a long time, they maybe don't think about the internet or cybersecurity as some real, but what are the dangers of a cybersecurity attack? How devastating can this be? Because now, we live so much of our lives online and in these networks, and so much secure and vital information is kept there.
How devastating can it be when one of these attacks is carried out?
SA: Oh, I mean, very devastating, not to mention the long-term effects. So if information is stolen or exfiltrated, there's no telling what that information will be used for later or sold for on the dark web and utilized years from now. I would also say that I think that like 60% of small businesses that had a cyber event shut down within a year.
And that's a big number. And so we do a lot of awareness stuff through the Arkansas Cyber Defense Center. And the goal is to implement some best practices, right? So if an adversary really wants to get in, they're going to find a way.
But if you make it more challenging for them, and that's the same thing everybody's probably heard of, right, is regularly patching your systems, training your employees how to identify phishing, and using strong passwords or procedures. They can verify that this really is a customer. Access control only gives people access to what they need.
Don't give them keys to the kingdom or administrative rights on all the systems. When an event happens, make sure you have good backups and recovery plans in place, and they can't just sit on the shelf. Those are things that you need to practice.
I've even heard of schools and emergency action plans kind of thing is, have a script on how you communicate to the public about it, right? I mean, I've heard stuff in the medical industry. I've heard stuff in schools, K-12, but also universities and the energy sector, right? That's really important. And we're working on some research and some ways to kind of help the state with that.
DC: Yeah, well, so for those of us out there, I mean, maybe, you know, even just like a homeowner who's now, I've moved all of my information to like smart thermostats and got a new security system, or if I'm a small business owner who's switching to more digital stuff, how do I become a better steward of my own security? And you know, maybe if that's not my forte, how do I tackle this?
SA: The Arkansas Cyber Defense Center has some analysts who are there to provide some help. We can also do some assessments to find where and prioritize what efforts need to be worked on. But there are a lot of great resources out there, not just from the Arkansas Cyber Defense Center.
Homeland Security puts out some good stuff through CISA. FBI has got some good best practices. If you're doing work from home, or you've got a small business, and you use your computer at the house but also at the office, the same thing goes with what I mentioned earlier, right? Keep your systems patched, make sure you have antivirus, and use multi-factor authentication.
DC: Do you see this problem getting worse? Or, you know, when do you see it maybe getting better? It was just like us getting smarter, maybe? Yeah, I like to use the word informed. People need to be informed of the risks and opportunities, right? There are opportunities with technology, too. I don't see it getting any better.
SA: I see it getting worse because AI is going to make it easier for the adversary. And at the same time, you know, with the broadband initiative, everybody's getting online. There are new technologies coming out that definitely help businesses and organizations, but it's moving so fast.
We just have to be smart about how we implement it. And then, are there any kind of big mistakes, like just boneheaded mistakes that you see people make all the time, that could really help us? Multi-factor authentication, right? So that can be set up on a lot of different system accesses that you use, including Facebook or social media sites you're on. I think you obviously have good passwords, so don't use the same password on all your systems.
And do some research, because everybody can take steps to be safer and more secure personally. And I think that will filter into professional.
Ozarks at Large transcripts are created on a deadline. This text may not be in its final form and may be updated or revised in the future. The authoritative record of KUAF programming is the audio record.
Support KUAF and Keep Public Radio Thriving
For more than 50 years, KUAF has been your source for reliable news, enriching music and community connection. Your support allows us to bring you trustworthy journalism through programs like Morning Edition, All Things Considered and Ozarks at Large. As we build for the next 50 years, we need your support for KUAF to ensure we continue to provide the news, music, and connections you value. Your support is not just appreciated; it's essential. Make your gift today here.
Thank you for supporting KUAF!
