April 24, 2012 11:56 pm

Security tops boardroom agendas


Ask company IT chiefs what keeps them awake at night and most will mention security. Securing corporate intellectual property assets, customer data and other information in the face of an onslaught of attacks from cyber thieves, spies and “hacktivists” is now a top priority for most chief information officers and – increasingly – for the corporate boardroom.

“It is definitely something I think about all the time,” says the chief information officer of a US-based consumer goods multinational that, like many other companies, particularly those in the financial services sector, now has an IT security team led by a chief information security officer (CISO).

But IT experts emphasise that security issues – once the esoteric domain of technology geeks – have moved into the business mainstream. “I am spending much more time talking to company boards these days,” says Mark Lobel, principal with PwC and an internationally recognised security professional with more than 14 years’ experience in information security and controls.

“The attack methods continue to get better, unfortunately,” says Mr Lobel, who adds, “I wouldn’t say I have seen a shift in the number of attacks, but I would say the pie has got larger.” And, he adds, the targets have become more diverse. No one, it seems, is immune.

Companies ranging from defence contractors such as Lockheed Martin to financial services firms including Citigroup – which admitted hackers had accessed the data of roughly 360,000 bank card holders – have been the subjects of large security breaches in the past year.

The annual Data Breach Investigations Report, published last month by Verizon, tracked 855 security breaches last year and estimated that 174m records were compromised as a result – “the second-highest data loss total since we started keeping track in 2004”.

Among the latest breaches in the financial services sector, Global Payments, the seventh-largest payment card processor in the US, reported last month that as many as 1.5m Visa and MasterCard credit card numbers may have been exposed after it detected “unauthorised access” in its computer systems.

“Our companies are targeted for insider information and our universities and national laboratories are targeted for their research and development,” Robert Mueller, Federal Bureau of Investigation director, told a US congressional panel last year.

A study released last autumn by the Intelligence and National Security Alliance (INSA), a US-based non-profit group, noted: “The threats to our national security and economic interests in the cyber arena vary in identity, objectives, assets, and capabilities. Their range can stretch from disruption, to simple theft, to taking down critical infrastructure, to disrupting government functions. The advantage almost always lies with the threat.” INSA noted that “the impact on business, government, and individuals from cyber attacks has progressed significantly from distraction and moderate disruption to an inability to operate or communicate for days ... ” and warned: “it is not yet clear that the business community understands or accepts this increase in risk”.

Often the full cost of such attacks – especially the reputational damage they can cause – remains unknown. But Sony, which suffered a security breach last year when hackers attacked the company’s PlayStation Network and obtained the credit card information of more than 12m account holders, estimated that the breach cost the Japanese consumer electronics group $170m.

While Sony’s loss was significant, it represents only a small fraction of the total losses caused by security breaches. A 2010 study conducted by the FBI and McAfee, the software company, estimated that cyber crime costs the US alone $400bn annually – much more than the combined global market for illegal drugs.

The 2011 Cost of Data Breach Study for the US, published last month by Symantec and the Ponemon Institute, contains equally daunting figures. The study, based on data breach experiences of 49 US companies from 14 different industry sectors, estimated the organisational cost of a data breach was $5.5m last year.

The study said negligent insiders are the top cause of data breaches and noted that malicious attacks are 25 per cent more costly than other types. The study also found organisations that employ a CISO with enterprise-wide responsibility for data protection can reduce the cost of a data breach by 35 per cent per compromised record.

Even government agencies and law enforcement organisations have become targets. Last July, as it announced a comprehensive cyber security strategy, the US Pentagon acknowledged it had been hacked earlier in the year by a “foreign intelligence service” that came away with 24,000 sensitive files related to missile tracking systems and unmanned aerial vehicles.

Seth Berman, executive managing director and head of UK-based Stroz Friedberg, a global digital risk management and investigations firm, says: “Organisations today face the threat of data theft from three specific groups: criminals out to secure financial information from which they can profit; hackers looking to obtain company secrets, either for competitors or to embarrass or harass the company; and insiders who steal information to bring to future employers or sell to others.”

Government officials and private sector experts characterise the landscape of security threats as a series of waves, beginning in the mid-to-late 1990s with what Mr Lobel describes as “basic nuisance website defacement”, typically involving teenage hackers undertaking their exploits for fun.

Since then, however, they say the motives behind hacking attacks, including so called “advanced persistent threats”, have changed dramatically. PwC and other consultants identify a second wave of cyber attacks launched by criminal groups that realised they could steal information – be it intellectual property, identity data or credit card information – and make money out of it. Some of these groups have become so brazen they openly trade hacking tools and post videos on YouTube, notes PwC’s Mr Lobel.

Most security experts identify “state-sponsored” or “nation state espionage” as the third wave of hacking attacks. “This has been happening as long as [there has been a] criminal ecosystem, but it was much better done, so we were necessarily aware of it at the time,” says Mr Lobel. “The defence industry became aware of it first, but now the public is becoming aware that anyone with intellectual property is a target.”

While some of these attacks, like the attack on Lockheed Martin, a leading US defence contractor, become public, security experts say many more are never disclosed and some, typically carried out by three teams of hackers each responsible for a different phase of the attack, may last for years. “The average ‘nation state’ espionage attack that we see has been ongoing for 12 to 24 months or longer,” says Mr Lobel.

It is these attacks – and the potential for nation states to use hacking as a cyber warfare or cyber terrorism tool – that have intelligence agencies, the military and politicians most exercised, and have led to proposed legislation in the US and elsewhere designed to buttress the defence of vital infrastructure such as power grids and transportation systems.

Alongside these fears, the wave of politically motivated “hacktivism” attacks and the activities of loosely knit groups such as Anonymous and LulzSec have captured the headlines over the past 18 months, prompting a well-publicised response from law enforcement agencies across the globe.

Meanwhile companies and other organisations have begun to spend more on identifying and protecting their key data using multiple layers of defence and, perhaps most importantly, monitoring and detection systems that can identify security breaches quickly and efficiently.

Steve Durbin, global vice-president of the Information Security Forum, an independent not-for-profit with a membership comprising many of the world’s leading companies, says: “To prepare for a security breach, we recommend that IT security specialists conduct a fairly formalised scenario planning exercise, a strategy plan with the business users.”

Seth Berman of Stroz Friedberg agrees. “Even the best IT security policy cannot offer a guarantee against data breaches,” he says. “It is not a matter of if, it is a question of when. Therefore a crucial part of any data security policy is a plan to deal with data breaches after they occur. Thinking through the types of breaches a company may be facing, and how those might impact finances, reputation and relationship with regulators, is critical. Company boards and C-suite executives ignore this at their peril.”

Copyright The Financial Times Limited 2015.