Posts Tagged ‘cyber-security’

October in the technology world is “cyber-security awareness month” (can’t believe I just wrote that).  Yet, with all the awareness that popular media outlets like The Wall Street Journal, The New York Times, 60 Minutes, et al., bring, little in the way of solutions is being offered – which shows how serious this issue is for many businesses.  Recently, when a huge cyber-attack was launched against JPMorgan Chase and nine other financial institutions, the White House received periodic briefings on the attack in real time.  The problem was, no senior White House official could tell the President of the United States “why” the attacks were occurring.  According to a report from The New York Times, the answer simply came back as – “We don’t know for sure [why the cyber-attacks are occurring].”

The answer is quite simple: “because they can.”  Such news is not advisable to mention when you are the one who has to deliver it to the President of the United States.  In an interview with 60 Minutes a few Sundays ago, FBI Director James Comey said there are two kinds of “big” companies in America, “those who have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”  Large corporations hold a vast repository of company data, customer data, and their customers’ customer data.  However, to date, the risk implications of a cyber-attack, both monetary and non-monetary, create little incentive for large companies to respond proactively.  Consider the fines, penalties, and associated expenses Target Corp. had to pay when it was victimized by a cyber-attack – $148 million.  That’s a ton of money, but the data breach did not prevent customers from shopping at Target.  Post-breach, Target customers paid for their purchases using either cash or pre-paid cards.  Recouping the costs of the cyber-attack took little time and the impact on the company’s bottom line was likely minimal.

As an advisor to startups and small businesses, I find that most entrepreneurs do not consider cyber-security when developing their business plans.  This is mainly due to the naïve notion that the Chinese (or Russians, for that matter) are only out to get the “big” corporations.  That could not be further from the truth.  Many times, the advice I give to entrepreneurs is that if the business idea is too good, assume that a competitor is paying a third party to find out the recipe for your secret sauce.  From there, anything and everything is possible, starting with reverse engineering the ingredients to make a better sauce.

The U.S. government’s public response on cyber-security is a mass-hysterical game of shadows, in which companies need to look over their shoulders to see who may be watching them.  A different response would be to fight back.  Build up defenses within your business, regardless of its size, that allow you to take the fight to the criminals, or to deter them.  Know where the weaknesses in the organization lie, and address them accordingly.  Make the time it takes for a criminal to hack into your business unappealing, so that they move on to easier targets.  Large organizations are easy targets because they are bureaucratically driven by leaders at the top who are chiefly concerned with exceeding shareholder expectations – which has more to do with profit and loss than with cyber-security.

Read Full Post »

Verizon recently released its 2013 Data Breach Investigations Report, and the outlook for organizations trying to protect their intellectual property is dire.  Cyber-based corporate and industrial espionage has risen so dramatically in the last year that intelligence officials are asking boardrooms across the U.S. to be more vigilant against cyber-criminals who are motivated by financial gain to steal intellectual property and trade secrets.  Former U.S. intelligence chief John “Mike” McConnell stated that “unless urgent action is taken, the U.S. faces a ‘cyber’ equivalent of the World Trade Center attack.”

The Chinese and U.S. economies are so inextricably linked that China is naturally the main culprit in the targeted theft of confidential business information and proprietary technologies.  However, many other state-sponsored and political “hacktivist” groups are actively stealing corporate digital assets.  The proliferation of employee-owned mobile devices in the workplace, along with antiquated network systems, has allowed cyber-criminals to access corporate databases at unprecedented levels.  Saudi Arabian oil producer Aramco was recently the victim of a massive cyber-attack in which 30,000 desktop PCs were wiped, in what one can only presume was designed to disrupt oil production.  Additionally, JP Morgan Chase, Wells Fargo, and Bank of America were victims of a sustained distributed denial of service (DDoS) attack that appears to have originated overseas.

What frustrates investigators most when a breach of corporate data occurs is the lack of internal and external controls within the organization.  While readily available technology allows organizations to address security issues, it is often the failure to properly train and educate employees that makes the theft of intellectual property so easy for cyber-criminals.  Technology alone will not prevent the theft of intellectual property.  Organizations must have a tone-at-the-top mentality when it comes to awareness training and policy creation around cyber-security.

Read Full Post »

The U.S. government’s top information technology provider, Lockheed Martin Corp., cited on Monday the dramatic increase in cyber-attacks against its IT infrastructure.  A majority of the “advanced persistent threats” (APTs) were generated either by organized groups or by state-sponsored actors, but Lockheed did not name any specific countries or groups.  According to Lockheed, the cyber-attacks are targeting the defense contractor’s business partners within its supply chain in order to gain unauthorized access to U.S. top-secret information.  The reason for targeting the supply chain is quite simple – the large number of products and components involved makes its IT infrastructure vulnerable to APTs and other threats.

A majority of corporate and government data centers resemble a Dr. Seuss-like contraption of hardware and software, which leaves access points to be discovered by cyber-thieves tenacious enough to seek them out.  The takeaway from the Lockheed warnings should be that simple reliance on technology to secure mission-critical information is much like a dog chasing its tail – while it may be fun, you don’t go anywhere.  Businesses must have a comprehensive internal and external data governance program in order to lessen the risk of mission-critical data being compromised.

Read Full Post »

In The New York Times today, Ms. Nicole Perlroth started her column with “LinkedIn is a data company that did not protect its data.”  This is a very powerful statement coming on the heels of a cyber-attack that posted the usernames and passwords of over 6 million LinkedIn users on a Russian Internet forum.  Has the collective conscience of Internet users become so numb to the daily occurrence of data breaches that they simply dismiss the necessity of protecting their privacy?  Does privacy have a value any more?

Ms. Perlroth’s opening statement is not as profound as what followed later in her article: “[a] company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it. The breach highlights a disturbing truth about LinkedIn’s computer security: there isn’t much. Companies with customer data continue to gamble on their own computer security, even as the break-ins increase.”  As a publicly traded company subject to the recently released “guidelines” on computer security from the Securities and Exchange Commission, are the corporate officers and board members liable to the shareholders for a lack of due diligence in safeguarding their most critical asset?  Do the shareholders even care about the data leakage?

The article rightfully points out that because the legal consequences are minimal at best, and the harm caused by the breach is negligible (they didn’t lose any customers), the standard shareholders must meet to make a claim against the board of directors or corporate officers is a tough one to overcome (the stock price went up after the data breach announcement).  So where does the necessity to secure mission-critical data begin and end?  Have we become immune to our private information being stolen?  Is having my information stolen really my problem?

“Computer security is not regulated and even as loads of sensitive personal, corporate and financial data gets uploaded daily, companies continue to skimp on basic protections. If 5 percent of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits, a cutback in air travel and airlines’ stock prices would most likely suffer.” – The New York Times, June 11, 2012

Read Full Post »