The patchwork of jurisdictions and oversight that makes up the United States criminal justice system gets far more complicated than usual with cybercrimes. Attackers are hard to find, if they can be tracked at all, and are rarely within the same geographical region. When businesses find themselves the victim of a cyberattack, there is essentially one legal option: Report the incident to the police.
For these logistical reasons, much of the legal response to cyber threats has focused on prevention rather than prosecution.
This is clearest when looking at systems that could cause major economic fallout if they fail: ports, electricity grids and global financial institutions all report major threats to their networks. The response is to shore up defenses before an attack, but even then the government itself admits its limitations.
In late August 2021, President Biden urged technology companies to do more to take the onus of prevention off the individual, encouraging major private companies like Google to better protect data. Then, in July 2023, the Biden-Harris Administration released a cybersecurity certification program with support from manufacturers like Amazon, Google, Best Buy and Logitech. The program allows companies to label “smart” products that meet basic cybersecurity standards.
“What we’ve been doing for about 40 years is bolting cybersecurity onto all the stuff we’ve built … and bolting cyber on the back-end is, as we found out, not really the most efficient way to do cybersecurity,” Acting Principal Deputy National Cyber Director Jake Braun said at an event in San Antonio.
Utah needs to pay particular attention to this problem. A 2023 report based on FBI data from consumer site VPNPro ranked the state the ninth most at-risk in the union. The report found that Utah residents lost $98,840,388 to scams in 2022.
State-wide efforts to track threats
In 2013, Utah launched its own task force to address cybercrime, with prevention as the main approach. Now the Utah Cyber Center, the program is a combined effort between the Department of Public Safety and the Department of Technology Services. A summary of Utah’s program published by the National Association of State Chief Information Officers (NASCIO) explains that the original task force’s goal was to create a system that could monitor threats, share information and connect government agencies in the event of an attack.
In particular, the task force was interested in addressing challenges related to ransomware, where attackers seize digital assets or lock out administrators until a ransom is paid. These attacks are now more easily thwarted by several backup copies of data stored in physically distinct locations.
By June 2018, the task force soft launched the Utah Cyber Center in the basement of Utah’s State Office Building. “The Cyber Center allows all known or suspected cyber security incidents to be reported to one single point of contact, disclosing all known information and interactions, immediately upon discovery,” the 2020 NASCIO summary read. “The Cyber Center is now the center point for election security coordination and monitoring.”
These days, the Center focuses on protecting governmental data and elections from attacks. But it doesn’t just cover state governments; according to its website, it also provides “coordination of local, state, federal, and private sector breaches.”
The significance of this approach can be felt particularly among Utah’s small business community, where resources for responding to a cyberattack may not exist.
Why prevention is key
Jarom Roney, CEO of Onward Technology in Draper, says prevention is the most important thing for his small business clients. But as most small businesses don’t have the resources to staff an entire department dedicated to cyber security, third-party vendors like Onward Technology are the first line of defense.
“For most, we are their IT departments. So we’re going in there, we’re setting up their networks, their computers, we’re doing help desk and troubleshooting when they have issues,” Roney says, pointing out an increase in phishing emails, emails that try to get employees to click on a scam link, as a particular problem.
“That’s often one of the most common ways [cybercriminals] get into a business: social engineering,” he says. “You contact an employee, you’re impersonating someone else, you get some information from them. It doesn’t really matter at that point what security’s in place. Oftentimes, you can knowingly let them in. We hear about that a lot.”
Ransomware has been less of an issue for Roney’s clients because Onward Technology has strict backup policies where they store digital information so it can be accessed safely in the event of an attack. He also ensures that every client has “enterprise-grade antimalware” on devices.
However, in the event of a ransomware attack, Roney says he would urge businesses not to pay the ransom to regain stolen or blocked data as attackers cannot easily be found.
From an IT perspective, he says, resolving an attack after it has happened is far more complicated than just changing a password, as there may be lingering code and malware that can continue to impact a network. Especially with more sensitive data, like in medical or legal fields, the impact of exposed data can vary widely, so it really depends on the business’s focus and needs.
“Every business is going to see it and you have to be prepared for it,” Roney says. “Even us as an IT company, where all of our employees are in the field and are prepared for it, when we do our tests, we’ll always get a few clicks on [scam emails].”
Roney’s tips for avoiding cyberattacks as a small business:
- Create filters that will reduce spam.
- Train employees to recognize unusual requests and scam emails.
- Implement security exercises such as sending out phishing emails to employees to check if they can recognize a scam and helping employees improve their ability to differentiate between real and fake contacts.
- Have a firewall against subscriptions.
- Create backups of data with three copies of all data at any given time: two backups with one offsite.