December 17, 2020
Staying one step ahead of cyberattacks
Ahmed Sadiq thought he understood the extent of data breaches at big companies like Facebook. Then he started researching.
"If you're on Facebook there's a 50% chance you've been affected," said Sadiq. "Your name, address, birthday, education and job history—most people leave that kind of information open to anybody."
Sadiq was one of eight students to enroll in FIN 282f From Cyber to COVID: Shocks, Risks and Opportunities in Finance, a new course at Brandeis International Business School taught by Prof. Anna Scherbina, a cybersecurity expert and former senior economist on the White House's Council of Economic Advisers.
As part of the class, Sadiq researched Facebook data breaches over the last decade and presented his findings. He focused on a particular breach in 2018 that impacted the data of between 50 million and 90 million users.
"I chose Facebook because it is the biggest social media platform in the world," said Sadiq. "It's also one of the oldest. The audience includes all ages. Both my dad and my little sister are on Facebook. Many businesses and politicians have pages."
Scherbina designed the class to get students thinking about a broad range of companies and their cybersecurity vulnerabilities. She said it's important for up-and-coming business executives to understand that cybersecurity is a business and management problem, not just an information technology problem.
"I designed this course to bring cybersecurity from the realm of computer science into business," said Scherbina. "Our students are the next generation of business leaders and they need to understand this threat. It's not going away."
The consequences extend beyond just identity theft or financial fraud. Foreign governments also hack into businesses to track private citizens and American officials.
That's what Jalal Rahmati discovered when he researched a data breach at the Marriott International hotel chain.
"You may not expect that a hotel is a target for cybercriminals," said Rahmati. "I wanted to know what the motives were and what the criminals could gain from it."
It turns out the perpetrator was a foreign government, not individual hackers looking for credit card or Social Security numbers. And the threat was far greater than a drained bank account.
"Marriott said the attacker wanted to track the movement of U.S. officials," said Rahmati. "The CIA was involved in the investigation."
Scherbina said the damage from a cyberattack typically spreads beyond the targeted company or the individuals whose personal information is compromised.
"People now talk more about spillover effects," said Scherbina. "If one company suffers an attack, the damage is not localized to that company. Other companies are affected as well because the U.S. economy is so integrated."
Often a hacked company will lose customers (and therefore revenue) and investors will consider selling its stock. Now in a weaker financial position, that company may cut back purchases from its suppliers, hurting those smaller companies as well.
The total cost of data breaches to the American economy in 2016 ranged from $57 billion to $109 billion, according to Scherbina's most recent evaluation. That figure is almost certainly higher because not all data breaches are reported publicly, she said.
"Good security makes companies more competitive," said Scherbina. "Getting where we need to be starts now with our students."