The facts are starting to surface regarding the recent attacks against Google, Yahoo! and Microsoft – all of which have been linked to Chinese interests. According to one recent report, the attackers selected employees with access to proprietary data, determined their social networking friends and then hacked into those accounts. Once in control of the friends’ accounts, the attackers (posing as friends) sent their actual targets instant messages with links to sites that installed spying software on their computers.
This sort of criminal strategy could be applied to any company – large or small. In fact, it is much easier to assume that the president of a large middle market firm has more valuable intelligence on his computer than a strategic employee at a larger company. Having knowledge of this sort of attack is important given the overall number of attacks against business has been increasing. According to a recent CSO Survey, 37% of businesses polled have seen an increase in attacks during the past 12 months.
One sure way to reduce the risk of a corporate attack is to limit social networking access to those individuals in marketing or sales who have a corporate reason to go to those sites. Even those individuals should have proper training so that they would know, for example, not to click on links that have strange URLs or link to content that does not serve a distinct corporate purpose. Also, try hard to avoid clicking on an image. It may be hard to do. Our propensity to click on whatever online content we see is a habit not easily kicked.
According to the latest Ponemon COB report, data breach attacks have doubled this past year while the average cost of a data breach has increased to $204 per compromised record. The Ponemon Institute looked at several variables when determining this $204 number, including: lost business; legal fees; disclosure expenses; consulting help, including forensics; and remediation expenses such as improved technology and training. Page 16 of the report indicates that lost business is the most significant component of this number – representing $135 of the $204 amount. In other words, those firms disclosing to the Ponemon Institute information regarding their breach have had a signficant documented loss of business. In addition to providing this valuable insight regarding brand damage caused by a breach, the report is also instructive given it offers information regarding the causes of 2009 breaches.
According to this Ponemon Insitute report, data breaches generally have three primary causes: third party negligence; malicious attacks such as coordinated botnet attacks; and negligent insider behavior. In fact, the Ponemon Institute points out that 42 percent of all cases in the study involved third-party negligence. Although this overall number (as well information in the report) is based on information provided by only 45 businesses willing to speak in detail with the Ponemon Institute, the number should not be taken lightly – especially since it is not that far off from numerous other studies and surveys done over the years.
The two lessons here – breaches lead to lost business and third-party negligence is a signficant cause of breaches – actually have more to do with marketing then with risk management. In a prolonged down economy, small and middle market companies need to differentiate by showcasing their network security and privacy strengths. Instead of shying away from the efforts needed to improve your network risk profile, embrace the endeavor by realizing it will only be a matter of time before you are required to do what you are voluntarily doing now. As with most corporate best practices, being one step ahead of your competition when it comes to network security and privacy can turn into a significant marketing advantage. Depending on your business goals and what you do to generate revenue, this advantage can easily turn into a sustained competitive edge.
As pointed out by this article, when it comes to network security, small business owners are often “hampered by a lack of resources, fewer qualified security personnel, less money to buy necessary products, and more difficulties complying with regulations that often were written without companies of their size in mind.” And, as pointed out in this article, a small business can be more of an attractive target for “spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.” In fact, as reported by Business Week, some small businesses can even become victims of identity theft.
Unfortunately, given the increase in sophisticated attacks made against small business owners, it is becoming more and more difficult for these owners to deploy suitable resources. One available option today to smaller companies is the “outsourcing” of security to a managed service provider. MSPs who are focused on security and IT management for small business owners have network security resources and expertise built as their core competency. Although it may seem to be the last thing a company would want to do, i.e., have another company take ownership over its network security, so long as the MSP is properly vetted and has clear staying power, there is little difference between using a MSP for data security or using a bank for financial security.
Although law firms have been hit with network security attacks over the years and sustained significant losses in the process, it has never been the case that they were targeted simply because they chose the wrong side in a litigation. That is until now. According to this report, an exploit took place weeks after “filtering software firm CYBERsitter announced that it had retained Gipson Hoffman & Pancione to sue the Chinese government, two Chinese software developers and seven PC makers for allegedly distributing its software code as part of the Chinese state-sponsored filtering and monitoring program known as Green Dam Youth Escort.”
There are reports of other attacks that were recently launched against Google and Yahoo! in order to retrieve account information regarding Chinese dissidents. According to a report in The Economic Times, McAfee has stated that the Google attack exploited an Explorer flaw. It will be interesting to see how these “China” exploits pan out in the coming weeks.
With unemployment now stretching past 10%, the Ponemon Institute “Data Loss Risks During Downsizing” survey conducted last year is more relevant than ever. This survey found that 59% of employees who leave or are asked to leave a company are stealing proprietary or sensitive corporate data. Moreover, 79% of these respondents admit that their former employer did not permit them to leave with company data. Not surprisingly, 67% of respondents used their former company’s proprietary information to leverage a new job.
If you are a larger middle-market company, another “below the radar” IT risk factor that may be impacting you may be driven by the cost savings inherent in using virtualized servers and desktops. A security breach in a virtualized environment can have greater consequences than the same breach in a traditional IT environment because it is much more difficult to localize or isolate a virtualized IT environment. This report gives further detail regarding the security threat and astutely points out that no one really understands where the real security problems can be found; and therefore, is the real problem.