Data hacking: It’s not just angry teens
February 2, 2010 by Sam Narisi. Posted in: Security, Special Report

Attacks on corporate data are getting more professional. The image of the lone hacker in his bathrobe playing gotcha is being superseded by one of dedicated, professional industrial espionage.
That’s according to a recent survey by the Center for Strategic and International Studies (CSIS).
The study, commissioned by computer security firm McAfee, interviewed over 600 IT managers in 14 countries and revealed a rapid growth in serious corporate and government espionage.
Almost 60% of the respondents said their networks were “under repeated cyber-attack, often by high-level adversaries such as nation-states, organized crime gangs or terror groups.” The attacks include such things as shutting down sites (denial of service attacks), malware and finding unprotected data on the site.
Only 57% of these companies installed security patches and updated security software on a regular basis. Scariest of all, some of the most vulnerable companies are utilities (electricity, water, sewage) that depend on Internet-connected systems management software to keep in operation.
Your company is probably not the target of interest for international cyber warriors or crime syndicates. Nevertheless, the techniques and tricks keep developing as fast as, or faster than, the technology to defend against them. If the largest global companies with serious IT budgets are having problems keeping the data safe, then smaller operations where the IT departments are being pulled in every direction to support daily operations are even more open to attack.
It’s a good idea for top management, IT staff and other concerned folks (HR, finance and others) to review the current state of the company’s defense strategy and the plans to upgrade it.
The biggest challenge: making the case for an increased security budget. Experts recommend IT explain security as a kind of insurance, with a detailed analysis of how attacks can lead to lost revenue.
Tags: Center for Strategic and International Studies, McAfee, security attacks


February 3rd, 2010 at 12:30 pm
The biggest mistake most companies make is that they don’t do a good job of risk analysis. Consequently, risk mitigation is often way out of proportion — either way too little, or way too much — of the risk of information being disclosed.
Any time a company handles consumer data, and especially types of data that could be exploited for ID theft, that company has the responsibility to implement the strongest security controls and practices, or look at opportunities to outsource that part of the business that’s “high risk / high cost”.
An example is payment processing. “Mom and Pop” websites that use off-the-shelf or open source e-Commerce packages and process their own credit card transactions potentially carry a huge liability. The Payment Card Industry (PCI) Data Security Standard is in place to try to ensure that sufficient controls exist around payment card data, and these controls might be quite expensive. A better alternative might be to outsource payment processing to Paypal, Google or Amazon. Although there are structured fees around outsourcing of payment processing, this might be much less expensive than a full-on implementation of a PCI compliance program, which could run into the hundreds of thousands of dollars even for a relatively small deployment.
The best approach is to look at the risk, look at the cost, and make a determination to move the risk, accept the cost and mitigate the risk, or accept the risk as part of doing business.
Too often, businesses accept risks that they don’t understand, and there are no clear guidelines on how much risk should be able to be accepted vs. mitigated — a clear example of this was the housing bubble and credit meltdown caused by companies that aggregated too many high-risk investments.
Pulling in a consultant is often a good way to make sure residual risk is properly sized for the business. If your company is accepting too much risk, a good consultant can identify that, qualify the risk, and help formulate a cost-effective remediation strategy.