A year and a half ago, I reported that hackers and viruses outranked terrorism as the nation's No. 1 security threat. FBI Director Robert Mueller echoed that sentiment at a conference in August when he said, "I do believe that in the future, the cyber threat will equal or even eclipse the terrorist threat."
Read on, and I'll explain the growing problem, how you can protect yourself, and the new ways you can invest in the ecosystem of companies battling ever-expanding cybersecurity risks.
The huge rise of cyber attacks
It is no surprise Americans are scared. A year ago, a report was released that details the workings of a Chinese cyber espionage unit that operated against U.S. companies. Since then, Edward Snowden has exposed how far the U.S. has gone in its own cyber espionage. Throughout all of this, in the past year, we've seen numerous U.S. companies and individuals subjected to cyber attacks:
- On Jan. 11, Neiman Marcus announced that hackers had stolen some credit card information but has since said the attack was limited to fewer than 350,000 accounts.
- The attack was not limited at Target (NYSE:TGT). The retailer announced in December that user data, including credit card information, on 110 million individuals was stolen from the company. The cost of the breach is currently estimated to be a few billion dollars, not including the loss of customer trust.
- In October, it was revealed that a security vulnerability in popular online-forum software vBulletin, first discovered in August, enabled thousands of sites that didn't update their software to be hacked.
- On Oct. 3, Adobe (NASDAQ:ADBE) announced that its corporate network was hacked. Further investigation revealed Adobe had improperly stored its customers' passwords, exposing the passwords for 130 million current and past Adobe accounts.
- On Sept. 27, The Wall Street Journal reported that Iran had hacked unclassified Navy computers. Later reports revealed the intrusion to be more extensive than initially reported. In all, it took the Navy four months to rid the intruders from its systems.
- In September we saw the rise of CryptoLocker, a "ransomware" trojan that encrypts all the files on a PC with a unique key. The virus displays a message that offers to decrypt the data in exchange for a fee paid in Bitcoin by a certain deadline -- or a significantly higher price after the deadline.
- On Sept. 5, The Guardian, The New York Times, and ProPublica revealed that the NSA took steps to deliberately weaken National Institute of Standards and Technology encryption standards, providing the NSA and potentially anyone else a back door into all standard encryption systems, including SSL and VPN.
- In July, researchers demonstrated at the Defcon Hacker Conference how cars can be hacked. The researchers hacked a 2010 Toyota Prius and a 2010 Ford Escape and were able to control the car's brakes, acceleration, and steering wheel, among other things.
- In April, the Associated Press' Twitter account was hacked. The hacker sent out a tweet that said "Two Explosions in the White House and Barack Obama is injured," causing a mini-flash crash in the market.
- On March 20, a cyberattack in South Korea simultaneously wiped data from tens of thousands of South Korean computers of the military, banks, government agencies, and media networks. Later research revealed the the attack was part of a cyber espionage campaign that had been active since 2009 and was spread through a South Korean military social-networking site.
In just the past month, we've seen several incidents:
- Apple (NASDAQ:AAPL) announced a major security flaw in iOS and OS X called "Gotofail" that allows attackers to read and change encrypted communications. The company released an update for iOS on Feb. 24 but is still working on a fix for OS X. In the meantime, update your iPhone and avoid using public Wifi.
- Security researchers found private nursing-home data, passwords, and medical information on popular online storage sites. According to The Wall Street Journal, cybersecurity firm Norse said, "The networks of about 375 U.S.-based health-related institutions, including hospitals, physicians' offices, pharmaceutical companies and health-plan managers were compromised by hackers for various purposes from September through October of last year."
- The world's most popular sports team, Barcelona FC, had its Twitter account hacked.
- The crowd-funding site Kickstarter was hacked. The site's 5.6 million accounts had their usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords taken.
- "Careto," also known as "The Mask," was revealed. Researchers from Kaspersky Labs are calling it the most sophisticated cyber espionage campaign ever. The campaign targeted government institutions, diplomatic offices, oil and gas companies, research institutions, private-equity firms, and activists.
- A large-scale attack against Yahoo! Mail prompted Yahoo! to ask its users to reset their passwords.
The scary part is that these are just the attacks that have been noticed and reported on. The true number and scope of the attacks on companies will likely never be known. You can find a visualization of the biggest data breaches of the past 10 years here.
Nine simple tips to boost your cybersecurity
It's better to be safe than sorry. Here are some tips to boost your personal cyber security:
1. Use long, complex, passwords. By that, I mean at least 16 characters with numbers, symbols, uppercase letters, and lowercase letters. I also always advise people to read this brief article on passwords. It's frightening how many people use simple passwords such as "123456" or "password." A 10-character password with all the above would take one of the most powerful known brute-force password breakers 5.5 years to break, compared to 5.3 hours for an eight-character password.
2. Use two-step authentication wherever possible.
3. Don't reuse the same password across multiple websites.
5. Use antivirus software and set it to update automatically.
6. Set all software you use to update automatically.
7. Use BillGuard to monitor your credit card. BillGuard is a free monitor for your credit and debit cards (they use the crowdsourced data to create the most advanced fraud monitoring system, which they sell to credit card companies).
8. If you receive a suspicious email, do not open it. Further, especially do not open it if it has attachments.
9. If you receive a suspicious email from someone you know, especially if it has attachments or links that seem suspicious, call (do not email) the person to confirm he or she sent it.
Ways to profit from the war on hackers
A year ago, I highlighted Mandiant and the work it had done on the Chinese Military hacking companies around the world. Since then, cyber security firm FireEye (NASDAQ:FEYE), which debuted on the Nasdaq last September, acquired Mandiant for $1 billion, and the stock immediately jumped 24% on the news -- a rare jump after the announcement of an acquisition. FireEye and Mandiant are among the new breed of cyber security firms that, instead of focusing on keeping attackers out, monitor in real time when hackers get into a network and use the information to make defenses stronger.
FireEye has been on a tear since its IPO, up 112%. It enjoyed a 5% boost Monday when its competitor Palo Alto Networks (NYSE:PANW) reported record-breaking earnings, sending its own shares up 4%. Palo Alto Networks reported that its revenue for the quarter jumped 46% year over year to $141 million, beating analyst expectations of $136 million. While FireEye and Palo Alto Networks are growing fast, the cyber security market as a whole is expected to grow 30% by 2016 to more than $86 billion, according to technology research firm Gartner. Investors are paying a pretty penny for that growth. Palo Alto Networks trades at the high level of 10 times expected 2014 revenue, while FireEye trades at an even higher 23 times expected 2014 revenue.