
Every Company is a Potential Cyberrisk Victim

by FEI Daily Staff

Security breaches are so inevitable that a major part of any company’s strategy planning is not only securing current operations, but building a coordinated defense against future attacks.

No matter how worried the top management team is about information security, it isn’t worried enough. The team should, in fact, be terrified, for two main reasons. One is that any system connected to the Internet can be breached by attackers who devote enough time and resources to the project.

It happened to Sony Corp., resulting in an estimated loss of $1.25 billion. Amazon Inc., eBay Inc. and Zappos Inc. each had the data of tens of millions of customers stolen. A major health-services company found all its information encrypted, and the attacker offered to hand over the decryption key, for a price. Stratfor Forecasting Inc., a global intelligence and forecasting company, had its website plundered of credit card numbers, its servers destroyed and its website down for two weeks. Another company saw research worth $1 billion destroyed. Somebody even swiped $1.2 million from Microsoft Corp.

The second reason is that the threat is existential. It could very well destroy the company, be it a Fortune 50 with mainframes and multiple backups or a mom-and-pop operation with a Mac laptop on a kitchen table.

In fact, the larger the company, the more it’s worth the time and resources needed to crack it. Its information may include a goldmine of in-house data, from research results to product designs to banking information to personnel files. Its external data may include client credit cards, passwords, sales records, vendor lists, emails. Virtually all information is valuable to somebody besides its owner.

It’s a crime unique to the times. The thieves may never leave their far-flung corners of the world, and the victims may never know they’ve been plundered. Vandals may have the best of intentions. It’s so new and amorphous that the law isn’t always sure what to do about it. Jurisdictions are still tied to antiquated notions of nationality. Liability is anybody’s guess. If the attack doesn’t kill a victim, litigation can.

Repercussions of Attacks on the Rise

Cyberattacks come in many styles and flavors. It could be a random virus wandering around the Internet, infecting any system that lets it in.

It could be malware inserted into a specific system just to wreck it, destroying data or maybe just corrupting enough of it that the owner doesn’t know which data to trust. It could be an “advanced persistent threat,” a well-resourced team that gains a foothold in a specific target and quietly keeps it, for purposes of profit — the theft of information, the transfer of funds, the extortion of C-suite officers or the staffers with access to them. It could be a not-for-profit “hacktivist” seeking revenge or publicity.

It used to be just a kid hacking around, impressed with his or her own power. These days, it’s more likely to be a criminal ring of highly skilled professionals working in transnational teams, applying months of creative problem-solving to get into a victim’s computer.

Ensconced in Chechnya, China, Chile or anywhere else in the world, these teams operate effectively beyond the arm of the law — and help themselves to whatever they find. One Eastern European group was harvesting an easy $750,000 a week.

It could be a company that wants to know what its competitors are doing. Or maybe a company that wants to cause a competitor some embarrassment, something to smack down its share price. Perhaps it’s a disgruntled employee. Or a diligent employee trying to get some work done at a wireless hotspot at an airport, unaware that the hotspot is a rogue access point run out of a suitcase, set up to capture the credentials he or she uses to log in to the cloud.

It could be a hacktivist vandalizing a company in the name of world peace, fair wages, the environment or some other issue. Wikileaks did it to the U.S. Department of State. Then the hacker group LulzSec hit the Public Broadcasting Service (PBS) for its coverage of Wikileaks, and “Anonymous” did it to the U.S. Department of Justice for shutting down Megaupload Ltd., a Hong Kong-based online provider of data storage and other services.

Anonymous activists in Brazil, miffed over “corruption and inequality,” denied service to the sites of Banco do Brasil and the country’s two largest private banks. Somebody revealed Symantec code pilfered from India’s intelligence service. Having been hacked a few times, Facebook had to list “malicious cyberactivity” under “Risks Related to our Business and Industry” in the documentation for its initial public offering.

The cyberassailant could be a foreign government conducting espionage in search of military secrets, industrial vulnerabilities, economic advantages, back doors into strategic infrastructure or a route into vendor computer systems. It might be looking for names, dates, plans, addresses, passwords — data that may seem far removed from national security but which an intelligence agency can fit together in unforeseeable ways. In this time of cyberactivity, loose lips aren’t all that can sink ships.

The number of attackers is increasing quickly, and the losses due to attack are soaring. The 2011 Norton Cybercrime Report estimated global losses of $400 billion a year and one million victims a day. When the Ponemon Institute surveyed 50 companies in 2011, it found at least one successful attack on each per week, 74 successful attacks a week across the sample, an increase of 44 percent over the previous year.

Generally, the larger the company, the larger the loss, with a median annualized cost of $5.9 million and a high of $36.5 million. Losses increased with the time between the attack and its discovery.

Wade Baker, director of risk intelligence on Verizon Communications Inc.’s investigative response team, says that victims usually have no idea that they’ve suffered a security breach.

“When we discover they were a victim, it’s five or six months after they were first hacked,” Baker says. “It’s almost never the victim that discovers it. We find that 80 percent of cyberattacks were discovered by someone other than the victim.”

Verizon offers corporate information security services for a good reason: 70 percent of all Internet traffic crosses a Verizon network at some point.

Baker says that something like 90 percent of security failures are due to a lack of simple controls that could have been easily installed. And therein lies a measure of safety for the companies that do have those controls. Imagine a school of a thousand fish, where any one fish’s survival depends on there being weaker fish around it.

Much in the way of sharks, cyberattackers look for the easy hits. The companies with robust defenses often aren’t worth the trouble. The cybercrooks poke around but soon move on in search of easier prey.

Defensive Actions

Putting up that basic defense shield isn’t all that hard. “Don’t buy a new product that promises to rid your network of anything bad,” Baker advises. “Take your policy document that says ‘We will do X-Y-Z,’ then start a program to check that you are doing that across your whole business. You will find business units that are not adhering to those guidelines. It just doesn’t get done 100 percent everywhere. We trace most security incidents to some failure to do what the company said it should be doing.”

After you’ve done that, Baker says, do it again.

But if the assailants really want to get in, they can eventually find a way. They may have teams of specialists. They can buy access information on the black market. They can use “social engineering” to somehow get an employee to reveal a key bit of data that’s needed to crack the combination of the corporate safe. It might be through Facebook research, an email pretending to be from a colleague, an intercepted smartphone login or a hacked laptop with malware just waiting for an employee to sign in from home.

Security breaches are so common and so inevitable that a major part of any company’s defense has to be a plan for reacting after the breach — a plan for detecting the breach as soon as possible, for containing the damage and stemming the loss of data, recovering full information capability and for protecting backup data.

The company must also prepare for meeting legal requirements to announce breaches (required in 46 states and many countries); for a coordinated response from across the company (management, legal, financial, personnel, marketing, communication and of course information technology); for training programs; for preserving evidence; and for testing the entire process to ensure everyone knows what to do.

One reason for the continuing increase in breaches is the exponentially expanding number of points of entry. Laptops, tablets and smartphones rarely have full anti-virus capabilities. They go into and out of offices constantly. They use hotspots in hotels, coffee shops, bars. They roam the world. They get lost in luggage or are stolen. How many lost laptops does it take to bring a multinational corporation to its knees? To clean out a bank account? To shut down a power grid? Just one.

How safe is the cloud? No safer than the vendor offering cloud services. In some cases, the vendor’s defenses might exceed those of an individual or company. In some cases they might not. Some basic protective measures will help: Encrypt all data. Control levels of authorization. Monitor usage constantly to confirm that policies are being followed. Keep track of information in the cloud so that when it’s deleted, all of it is deleted everywhere. Have a plan for getting everything out of the cloud immediately. Make sure the company and the vendor understand who’s responsible for what.
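What the first three of those measures look like once they are written down as something a machine enforces rather than a sentence in a policy document, as an added illustration that is not part of the original article and not code from any vendor it names: an object-storage bucket policy with the guards in place (encrypted data only, access for one named role only), the weak policy such a bucket often ships with beside it, and a small audit routine that reports which guards are missing, which is the “confirm that policies are being followed” step run as code. The policy grammar is AWS’s; the bucket name, account number and role name are placeholders chosen for the example.

```python
"""Added example, not from the article: a bucket policy that turns
"encrypt all data" and "control levels of authorization" into enforced
rules, the weak policy beside it, and an audit check that reports
which guards are missing.

Assumptions (constructed for illustration): the bucket
example-finance-archive, the account 111122223333 and the role
finance-archive-writer are placeholders. The policy uses the AWS IAM
policy grammar; the deny-if-header-absent statement follows the
pattern AWS publishes for this purpose."""

BUCKET_ARN = "arn:aws:s3:::example-finance-archive"  # assumed bucket
WRITER_ROLE = "arn:aws:iam::111122223333:role/finance-archive-writer"  # assumed role
SSE_HEADER = "s3:x-amz-server-side-encryption"

# Audit finding texts, kept as constants so callers can match on them.
PUBLIC_ALLOW = "Allow to any principal (public access)"
MISSING_TLS = "missing: Deny when aws:SecureTransport is false"
MISSING_SSE = "missing: Deny PutObject unless server-side encryption is requested"


def hardened_policy() -> dict:
    """Bucket policy with three guards: TLS only, encrypted uploads only,
    and access for a single named role rather than a wildcard principal."""
    everything = [BUCKET_ARN, f"{BUCKET_ARN}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Guard 1: refuse any request that does not arrive over TLS.
                "Sid": "DenyPlaintextTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": everything,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Guard 2a: refuse uploads that request the wrong encryption.
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{BUCKET_ARN}/*",
                "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}},
            },
            {   # Guard 2b: refuse uploads that send no encryption header at all.
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{BUCKET_ARN}/*",
                "Condition": {"Null": {SSE_HEADER: "true"}},
            },
            {   # Guard 3: the only Allow names one role; nothing is public.
                "Sid": "AllowArchiveWriterOnly",
                "Effect": "Allow",
                "Principal": {"AWS": WRITER_ROLE},
                "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
                "Resource": everything,
            },
        ],
    }


def weak_policy() -> dict:
    """The same bucket as it is too often deployed: world-readable, no guards."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
        }],
    }


def _as_list(value):
    """IAM allows a single string where a list is also accepted; normalise."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return the findings for a policy; an empty list means every guard is present."""
    findings = []
    tls_guard = wrong_sse_guard = missing_sse_guard = False
    for st in _as_list(policy.get("Statement", [])):
        effect, cond = st.get("Effect"), st.get("Condition", {})
        actions = _as_list(st.get("Action", []))
        if effect == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{st.get('Sid', '<no Sid>')}: {PUBLIC_ALLOW}")
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_guard = True
        if effect == "Deny" and "s3:PutObject" in actions:
            if cond.get("StringNotEquals", {}).get(SSE_HEADER) in ("aws:kms", "AES256"):
                wrong_sse_guard = True
            if cond.get("Null", {}).get(SSE_HEADER) == "true":
                missing_sse_guard = True
    if not tls_guard:
        findings.append(MISSING_TLS)
    if not (wrong_sse_guard and missing_sse_guard):
        findings.append(MISSING_SSE)
    return findings


def without_statement(policy: dict, sid: str) -> dict:
    """Copy of a policy with one statement removed; models configuration drift."""
    kept = [st for st in _as_list(policy["Statement"]) if st.get("Sid") != sid]
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    for name, pol in (("hardened", hardened_policy()), ("weak", weak_policy())):
        print(name, audit_policy(pol) or "compliant")
```

Run on its own, the script reports the hardened policy as compliant and lists three findings for the weak one. The point of `without_statement` is Baker’s “do it again”: rerunning `audit_policy` over a policy from which someone has quietly removed one guard reports exactly that guard, which is the kind of drift a yearly review misses and a continuous check catches.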

The shift to cloud computing was about the only good news in Booz & Co.’s Top 10 Financial Services Cyber Security Trends for 2012. The report notes that with proper architecture and planning, use of the cloud may reduce risk. But it sees increased vulnerabilities through mobile devices, more targeting of top managers, their staffs and families, more scrutiny of social media for information about individuals with access to information systems and more hardcopy documents going digital and escaping into cyberspace.

Additionally, as systems become more global, the risks rise: more malware, more insider threats and more regulatory scrutiny, which can itself expose the details of a company’s defenses to the wrong eyes.

David Roath, risk assessment partner in PwC’s IT risk & security assurance practice, agrees that hackers can break into any company if they try hard enough.

“If you have a company with 10,000 people, in one way or another you have 10,000 people with access to your system internally,” Roath says. “Externally, you have many threats, such as social engineering and different attack and penetration techniques. So the question companies should be asking isn’t ‘Are we secure,’ but ‘How are we secure and what are the controls and processes we have in place to be sure we are doing everything we can to be as secure as possible?’ ”

Roath says information security is a board-level issue, that boards must have assurance not only from chief information and information security officers but from chief financial officers, internal auditors and, crucially, third-party consultants. Too often, he says, the biggest risks are the ones that no one is assessing.

“Boards need to be asking the right questions of internal auditors, external auditors, security officers, the CIO — all the stakeholders are responsible for this, not just any particular one,” he says. “The whole C-suite is responsible.”

Scott McCallum, manager of communications at The Institute of Internal Auditors, says that cybersecurity is often overlooked in the internal audit function though it should rank in the top 20 priorities. He, too, suggests the use of outside expertise.

“Depending on the likelihood and potential impact,” McCallum says, “companies with the resources to do so find it a valuable investment to co-source an audit engagement to a firm specializing in techniques such as conducting a penetration study. In these studies, an organization’s IT systems are bombarded with hacker-like activities to identify where any weaknesses might exist. It can be expensive, but certainly worthwhile. It provides a roadmap of where to strengthen controls within the IT environment.”

In the final analysis, the threat of cyberattack puts every company in a position that is unprecedented in corporate history. Never before have organizations been so vulnerable, and never has the vulnerability depended on something so essential and intangible — the information that connects the gears of industry.

The global economy itself is at risk, and technology has yet to solve the problem that it has created.

Glenn Alan Cheney is a freelance writer in Hanover, Conn., who contributes to Financial Executive on subjects relating to business, financial reporting and accounting.

This article first appeared in Financial Executive magazine.