Denys Rudyi - Fotolia
In April 2019, during a session at the Cyber Madness – Case Studies in Cybersecurity conference in Boston, American Superconductor Corp. president and CEO at Daniel McGahn said he had a simple reason for sharing the company's experiences attendees.
"I don't want anybody to go through what we went through," McGahn said.
Ayer, Mass.-based American Superconductor cut hundreds of jobs and lost more than $1 billion in shareholder equity after a 2011 theft of software. American Superconductor used that software to regulate the power flowing from wind turbines.
Sinovel Wind Group Co. -- a Chinese wind turbine manufacturer -- was found guilty of orchestrating the theft, according to a court filing. The breach ultimately led to a complete revamp of American Superconductor's IT controls and protection processes, McGahn said, but more importantly made company leaders aware of the endless cybersecurity vulnerabilities that come with operating a modern business.
Nation-state attacks like the one on American Superconductor are on the rise as countries seek U.S. companies' intellectual property. McGahn noted that companies should prepare for these threats, but risk management is a constant struggle when the majority of business processes take place in the Wild West of e-commerce.
"You don't go in a bad neighborhood with a lot of money," McGahn said. "[But] when I talk to FBI agents I say, 'you have to realize that all of our e-commerce takes place in the worst neighborhood in the world: It's called the internet.'"
Legal firms -- and their clients -- vulnerable
Law firms are a particularly enticing target for attackers, said presenters at the Cyber Madness conference. Firms with a large client base have to be on the alert for not just commodity attacks but also nation-state threats and hacktivism, said Amanda Fennell, CSO at e-discovery software developer Relativity.
Legal firms are also the perfect supply chain target: One law firm could have 1000 clients to go after, creating a target-rich environment for hackers, she added.
"Think about mergers and acquisitions, intellectual property -- if you want to go after something where there's a lot of money involved, you want to influence decisions, coerce people, then law firms and legal tech is probably a good place for you to be taking a look at," Fennell said.
Daniel McGahnpresident and CEO, American Superconductor Corp.
But while it may seem that hacker tactics would get more complicated, methods like poisoned documents and phishing are still common. For example, an employee could update their social media when checking into a hotel, then receive an email asking to click on a message about their hotel invoice. If that employee does click, hackers could gain access to their device.
"That really targeted attacking, that's happening based on the information that we are just so loquacious about getting out there, is definitely coming back to bite a lot of people," Fennell said.
This makes companies very vulnerable, she added, because all it takes is one person to make a mistake.
"There's somebody at your company, there's somebody at your law firm that is going to post something in Google Docs, or leave something on their phone," Fennell said.
'Home edge' cybersecurity vulnerabilities
Another huge vulnerability for companies comes from an unexpected source: The security of Wi-Fi and the devices in people's home. The flood of IoT and other internet-connected devices are convenient for modern consumers, but also come with huge risks, said Jeremy Hitchcock, founder of IoT security platform Minim.
"Corporations are really secure in comparison to the home edge," Hitchcock said at the Cyber Madness conference. "How many of you know if all the devices in your home are updated to the most recent version?"
Devices are often built with function and being fast to market as top priorities, said Emily Frye, director of cyber integration at MITRE Corporation. Meanwhile, security is often a minor concern for these devices, which sometimes even come with built-in cybersecurity vulnerabilities like backdoors that provide easy access for hackers.
"There's not an incentive built in there for function, fast to market, securely," Frye said. "You have very little control over the quality of the software on the expanded attack space that has come into your living space."
Numerous presenters at the Cyber Madness conference echoed McGahn's remarks about the importance of sharing cybersecurity experiences -- good and bad -- in order to improve risk management processes in the future.
Visibility into and information sharing about attacks and their fallout is key to prevention, speakers said, along with the development of quality metrics and investment in cybersecurity talent.
"It's about getting in front of things, tracking things and learning from adversaries," Fennell said.