Jeff Lanza left one front in the battle to fight fraud, retiring from the Federal Bureau of Investigation in 2008. Now, he’s on another: He’s an in-demand speaker for businesses large and small, detailing how malicious hackers are targeting poorly prepared companies and alerting them about how to avoid becoming a victim. Business writer Erin McDermott recently spoke with the former agent about the big picture on small business hacking, misconceptions about the aftermath, and ways to try to stay one step ahead of the bad guys.
EM: How did you come to work on computer crimes during your days at the FBI?
ML: I was working on various crimes with the FBI. I started out as a white-collar crime agent and investigator and I was also covering public corruption and fraud. I was on the White Collar Crime Squad, so from time to time we handled fraud cases, and that morphed into computer crime. Eventually, it got pushed into its own squad because it was so big. I didn’t work on the Computer Crime Squad, but I did a lot of public speaking about computer crimes as time went on, because of how I personally felt about how important prevention was. I went out to businesses and the community to talk to people about what the threats were, with the hope that they wouldn’t get victimized.
EM: Hacking attacks on businesses and identity thefts seem to be in the news almost daily. Why do you think we’ve turned a corner into such proliferation?
ML: The short answer is it’s easy to do and small to mid-size businesses make very good targets. They have enough money to go after, but often have fewer controls than large, Fortune 500 companies—and they may become much more vulnerable because of that. Companies are sometimes in denial that this could happen to them and they don’t take appropriate steps to protect themselves. All it takes is one weak link in the chain: an employee who clicks on an email that he or she thinks is coming from UPS ends up downloading a virus, and the next thing you know banking credentials are stolen and money is transferred out of the account. It is as simple and quick as that. The bad guys know there’s little risk because they’re often in foreign countries and out of the jurisdiction generally of the FBI. And they can do it to massive amounts of people and have just a few respond to get a big windfall.
EM: Aside from the basic protections that everyone should be doing—firewalls, VPNs, strong passwords, antivirus software, locking up your hardware—how should SMBs start thinking about staying safe going forward? How can they keep abreast of scams and online tricks?
ML: Staying abreast is easy—become members of groups in the community that work to fight these things. The No. 1 group to join, if you have a business, is InfraGard, which is an FBI-sponsored group. They have regular meetings and talk about these types of threats. Even if they’re in a city that doesn’t have a chapter, they can get the newsletter. Another: Read papers like The Wall Street Journal and the New York Times, where they have stories about these threats all of the time.
One of the most important things a company can do to stay safe is education—making sure your employees aren’t just taught about basic computer security on their first day on the job and then forget about it. There has to be refresher training all of the time and top-of-mind awareness. Always be talking about computer security and about not clicking on links from unknown senders or with unknown attachments, or on unknown emails seeking banking information.
EM: Symantec’s 2013 Threat Report showed 83 percent of SMBs surveyed told the security software maker and the National Cyber Security Alliance they weren’t concerned about the rise in hacking. Do you see any signs of progress—that the threat is starting to be taken seriously?
ML: No. To be honest, when I talk at these SMB sessions, to the audience this is new information. The reaction is “I had no idea.” You give them examples of the more recent events we’ve had, and they’re like “Oh my gosh, I can’t believe this is happening.”
This interview has been edited for length and clarity.
Disclaimer: The opinions expressed are solely those of the author and interviewees. You should consult a qualified computer and data security expert to assist you in developing and implementing sound technology-related policies and practices.