Listen to this article
Companies may not know it, but it is highly likely they have already been hacked. Hardly a day goes by without a security breach being reported by a retailer. As of early November, the Identity Theft Resource Center in the US had confirmed of 644 breaches for the year to date, a 25.3 per cent increase over the same time period last year (514 breaches).
Yet most organisations still fail to recognise the reality of their situation, best described in a speech by Robert Mueller, who retired as director of the US’s Federal Bureau of Investigation in September. As Mr Mueller said: “There are only two types of companies: those that have been hacked, and those that will be.”
The stark reality is organisations need to wake up and recognise that, no matter how much time, effort and resources they put into defending their infrastructure, the bad guys will always find a way in. Attacks may occur through holes in core software that have not been patched by vendors because they are not yet aware of the defects, or by malicious insiders who make use of and abuse their privileged status. Failure by employees to follow corporate best security practices may also have led to a breach.
Businesses need to recognise there is no such thing as perfect security and stop looking for an ideal solution. They should, instead, focus on adopting a risk management approach to protect their business assets. For example, retailers have video surveillance cameras, loss prevention officers, and theft insurance to deter crooks and mitigate against criminal losses. In other words, they already accept the fact that criminals will steal from them, and so they put systems in place to help limit the damage. An organisation’s attitude to cyber security should be no different.
With cyber crime, however, the scale of the losses can be staggeringly different. A case in point is Sony, which in May 2011 publicly reported that cyber attacks cost it $171m. The company also recently offered to pay an additional $15m to settle a class-action lawsuit.
Other high-profile examples of data breaches from the retail world, include Target Stores, a US retailer that reported up to 70m customers had been affected following a cyber hack last December, and Home Depot, which is reported to have had the accounts of 56m credit card holders compromised in an attack discovered in September.
However, what is perhaps most frightening, from an international perspective, is that state actors are increasingly recognising the value that can be taken from cyber space. For instance, for countries that have significant manufacturing and industrial economies, but have made little headway in terms of innovation, stealing the design documents for a patented process can save hundreds of million of research and development dollars.
This helps keep thousands of citizens employed and means products for export can be produced at a fraction of the usual price. These costs are borne by victim companies and countries. A prime example of this is the theft of a paint manufacturing process from DuPont, the US chemical company, by an insider working in collusion with companies controlled by the Government of the People’s Republic of China.
It is not only nation states or big brands that are targeted. Small companies can also become victims. Although many SMEs may feel they are unlikely targets because of their small customer base, relatively low revenue or the niche services they provide, they are just as likely to be the stalked by cyber criminals. It is very hard to predict an attack and there is no telling where the next one will come from, what will trigger it or who the victim will be.
To mitigate the risks of such an event, companies must acknowledge it is more than likely their security will be breached, then allocate funding based on the potential damage that is likely to caused by an attack.
They also need to make their organisations as unappealing a target as possible, reducing the criminals’ return on their investment by raising the costs of an attack with strong encryption, distributed data sources, and by compartmentalising customer data. This approach is the same as in the physical world, where alarms, locks, cameras and guards persuade criminals to look for easier targets.
Crucially, they should ensure there are measures and systems in place to detect a breach swiftly.
Responses to a breach should be rehearsed in advance. Have your public statements for customers, employees, regulators and the press prepared, appropriate website messages ready, and alternative payment methods in place to reduce losses.
Finally, make sure you test your emergency procedures. A speedy recognition of – and a quick response to – a breach will help to lessen the damage.
The writer is senior vice-president and fellow at IT security company Neustar, and in 2013 he received the FBI Director’s Award for outstanding cyber investigation for his part in uncovering and dismantling the “butterfly” botnet