New technologies have upended the way law enforcement, businesses and individuals have to think about protecting themselves.
Crime is "going exponential," said cybersecurity expert Marc Goodman, who has advised Interpol, the United Nations, NATO and the Los Angeles Police Department, among others. He spoke at the Exponential Finance conference in New York City on Wednesday. "You can scale, you can rob a lot more people."
As one example of the myriad ways criminals can hack devices for their own ends, Goodman cited the massive 2013 data breach at mass-merchant Target, which he said affected about 100 million people.
"We have never been able to steal 100 million of anything in the past," he said.
Sixty percent of attacks on businesses hit small companies, Goodman said. And 70 percent of small businesses attacked fail within a few months. Business owners need to treat cybercrime not merely as a possible nuisance, but as an existential threat.
Attaining perfect security is nigh impossible, but there are a number of steps citizens and small-business owners can take to protect themselves. Goodman gave his top six suggestions for how businesses of every size should protect themselves.
1. Classify, encrypt and protect 'high-value targets'
This is what the government already does. Businesses need to encrypt safe data, decide who needs access to what information and build their strongest walls around individuals or information that might be most appealing to cybercriminals.
2. Have a plan
Don't wait until there is a breach to do something about it. Chances are, by the time you recognize something is wrong, criminals have already done a lot of damage.
"The average time to discover a breach is 211 days," Goodman said. "For seven months, the bad guys are in your system and taking what they want."
3. Create a united front
"Most companies say, 'Oh, I have a CIO, they will take care of it,'" Goodman said. "That's bull."
Top executives in every department of a business need to be involved and working together to ensure security remains a priority, he said.
4. Not everything needs to go on a computer
Create "air gaps" by leaving some information on computers that are not (preferably cannot be) connected to the Internet, or leave some of the most precious information offline entirely.
5. Test assumptions
Don't let criminals be your security testing team. Work with security experts who can break into your systems as criminals would and identify holes or ineffective measures.
6. To defend, attack
Trying to keep cybercriminals out with measures like firewalls is no longer enough, Goodman said. Many can get past them. Instead, hunt down criminals who may be in your networks.
"The barbarians have overrun the gates," he said.