Why can’t my information technology staff or security consultants just handle the problem?
- You monitor and manage the continuing volatility in the global capital and credit markets.
- You closely watch the development of a competitor’s product that could result in a blow to your sales.
- Yet a cyber breach could result in the loss of information that would cause you to lose a bid on a contract, lose key intellectual property, or lose millions of dollars because of an operational shutdown…and you are not paying attention?
Cyber risk is like any other major corporate risk; it must be managed from the top. With the frequency and severity of cybersecurity incidents involving business on the rise, it is an especially critical time for CEOs and boards to focus on understanding and proactively managing cyber risk.
Consider some examples of cyber incidents:
- Operation Shady Rat - For at least five years starting in 2006, hackers infiltrated the computer systems of more than 70 national governments, global corporations and nonprofits in 14 countries. The hackers stole sensitive property including government secrets, email archives, contracts and intellectual property. This hacking campaign, dubbed Operation Shady Rat by McAfee, is widely assumed to have been perpetrated by, or to have been funded by, the People’s Republic of China. Click here for more information. (Alperovitch, Dimitri, McAfee. Revealed: Operation Shady RAT. August 2011.)
- Citibank - In 2011, Citibank revealed that it detected a data breach that exposed 1% of its North American credit card customers’ account details. About 360,000 North American credit card holders have had their account numbers, names and email addresses stolen. According to Bloomberg Businessweek, $2.7 million was lost, affecting about 3,400 people, and the bank reimbursed customers for their loss.
- Sony - In the spring of 2011, hackers compromised the accounts of over 77 million members of the PlayStation Network and credit and debit card information was stolen. Sony was offline for 24 days, costing the company an estimated $171 million. British regulators fined Sony 250,000 pounds ($396,100) for failing to prevent the 2011 cyberattack, and the intrusion spawned numerous class action lawsuits and other regulatory inquiries.
As highlighted by the examples above, consequences of a cyber incident can include:
- Financial loss due to operational shutdowns, loss of customers and sales, loss of financing or lawsuits.
- Long-term loss of competitive position because of the loss of intellectual property, business plans or brand damage and loss of trust.
Internal Cybersecurity Threat
Quite often, we think of a cybersecurity threat as a hacker or adversary attempting to penetrate our computer systems from outside our network; these threats do exist, but what about the internal cybersecurity threat?
In many data breach instances, the breach of data happens inside the network and inside the company’s four walls. For example, say an employee unknowingly brings in a USB memory stick that has malware on it. When the employee plugs the USB stick into their corporate computer, the malware is transferred, resulting in data being gathered and then being sent outside the corporate network. Many employees’ home networks are not secure. This increases the possibility of malware being transferred from home network to corporate network via laptops, tablets and other electronic devices.
Another example could be an employee losing his or her laptop during the security screening process at the airport. Most laptops do not have full-disk encryption enabled or remote wipe configured, so an enormous amount sensitive data is lost every day as hundreds of computers are stolen.
Many companies are now using cloud-based services such as Dropbox to store sensitive data. Unfortunately, these consumer-based services typically do not have the kind of security controls and protocols that a corporate environment would have.
Whether users have weak passwords or the settings aren’t configured properly, corporate data can be at risk with these types of services.
Another potential internal cyber risk is a disgruntled employee. It is not uncommon for someone who is disgruntled with an organization to transfer sensitive information to a USB memory stick and walk out the front door.
Another potential risk is if an employee sets up his or her own WiFi router on the corporate network for convenience. With a weak password or no password enabled, this type of device can have serious security consequences.
Finally, security experts are seeing a rapid increase of extremely sophisticated socially-engineered attacks in which hackers gain access by using other methods of intelligence. For example, there have been many cases in which hackers have called IT help desks and impersonated employees. With social media and the resources available on the Internet, it is not difficult to gain enough knowledge on an individual to be able to convince an IT department to reset a password over the phone.
There is no question that the external cybersecurity threat is of great magnitude. But we also must pay attention to the internal threat. Good, solid technology, training, policies and procedures can greatly reduce businesses' internal threats (see the section on Creating a Culture of Cybersecurity Awareness).
For more information on threat trends and data on cybercrime and espionage, please see:
- Verizon RISK Team. 2013 Data Breach Investigations Report (DBIR). 2013. http://www.verizonenterprise.com/DBIR/2013/
- Mandiant Intelligence Center. APT1: Exposing One of China's Cyber Espionage Units. February 2013. http://intelreport.mandiant.com/
- Symantec Security Response. 2013 Internet Security Threat Report, Volume 18. April 2013. http://www.symantec.com/security_response/publications/threatreport.jsp
- FireEye. FireEye Advanced Threat Report – 2H 2012. 2012. http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2h2012.pdf.
- Ponemon Institute (sponsored by HP Enterprise Security). 2012 Cost of Cyber Crime Study: United States. October 2012. http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
- Office of the National Counterintelligence Executive. Foreign Spies Stealing US Economic Secrets in Cyberspace. October 2011. http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
- Dimitri Aplerovitch. Revealed: Operation Shady RAT. August 2011. http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf