Large organizations should prepare themselves for cleverer and more targeted attacks against their security infrastructures this year. That's the one thing law-enforcement officials, security experts, and industry executives agree on. Everything else — from the proper way to assess damages after a security breach to whether or not companies should report these breaches to the Federal Bureau of Investigation — seems to be up for debate.
"We are currently seeing attacks like we have never seen before," says Bruce Helman, unit chief overseeing technology issues for the FBI's Counterintelligence division. "Many are coming from Eastern Europe and are more sophisticated and more difficult to detect." Increasingly, Helman says, these attacks are perpetrated for money rather than hacker thrills and boasting rights as was the case in years past. Hacker groups have added financial savvy to their technical skills and have become masters of blackmail, and of negotiating with companies to extort the maximum amount of cash from them.
Until recently, Helman says, many of these groups didn't know how to calculate their demands and asked for absurdly small amounts of money for either returning sensitive data or stopping automated attacks. Now, he says, they routinely demand $10,000 to $50,000, and many companies are more than willing to pay up in order to hush up the security breach. As in all forms of blackmail, a one-time payment is no guarantee against future demands, nor does it ensure that hackers won't sell the data anyway. In addition, reluctance to bring authorities into the picture leaves those same hackers free to try their schemes over and over again. The FBI has run an information-sharing program called Infragard since 1996, and while 68 of the country's 100 largest companies have participated, insiders acknowledge that there is plenty of hesitation about admitting to weakness or breaches.
Analysts say companies have understandable motives for keeping things quiet. First, given new regulatory requirements to protect data, admitting to a breach could lead to fines, lawsuits, and government investigation. Second, companies that deal in sensitive customer data know public knowledge of such security leaks could damage their business. The San Diego–based consumer-rights group Privacy Rights Clearinghouse says that more than 51 million Americans have had their personal data, including financial account numbers, Social Security numbers, and driver's license information, breached in more than 95 separate incidents since February 2005. These incidents have involved large organizations such as ChoicePoint, Wachovia, Bank of America, CardSystems, Northwestern University, and even the Department of Justice and the Federal Deposit Insurance Corp.
But the "keep it under your hat" approach to security breaches may soon be impossible. Many companies, particularly in the health-care and financial-services arenas, now operate under strict regulations that require them to report such attacks without delay. California's data security notification law, one of the toughest in the nation, has inspired more than a dozen bills in Congress in an effort to take such regulations nationwide. If companies find the current climate onerous, they aren't saying so. "We are obligated to report any [security breaches] under Sarbanes-Oxley," says David Valcik, vice president of technology services at Fort Smith, Arkansas-based Beverly Enterprises Inc., a nationwide provider of long-term care and assisted living to the elderly and disabled. "But we also want to assist in tracking down these types of threats" to keep them from happening again, he says.
With good reason. While computer viruses, which are broad-based and largely senseless attacks, are still common, many hacker groups now zero in on particular companies or types of data. "They are going after companies or even specific individuals within those companies," says Toby Weiss, general manager and senior vice president of security management at Islandia, New York–based CA. "It's kind of like going from phishing to what you might call 'spear-phishing.'"
"They are going after a particular company for a specific purpose, and they are being paid to do it," agrees Gartner Inc. analyst Peter Firstbrook. "The motivation is now profit, and we are seeing a merging of commercial interests and the underworld of hacking." Sometimes hackers are hired by shady firms that resell the data, essentially laundering it until a company may buy it without understanding that it has been stolen. As one example of the increasing sophistication of attacks, in November the Securities and Exchange Commission brought charges against a company in Estonia for joining Business Wire, a service that disseminates press releases and regulatory filings, and then hacking the company's computers to gain early access to data that influenced its buying and selling of stocks. The SEC said it believed the firm had made at least $7.8 million in profits as a result.
Putting a Price Tag on Security
For companies that have been the victims of attacks, assessing the damage is not easy. "I don't think anyone has a good way of finding the cost of an event," says Firstbrook. "Most companies don't really do the proper postmortem, or, if they do, they have no idea what to include in the analysis." One company, he says, may include everything from the soft cost of diverting its IT department from a strategic project to an estimate of the effect on lost sales and the company's reputation. Another may lowball it, looking only at, say, the costs directly tied to the response.
For businesses that have taken a stab at estimating the damage wrought by security breaches, losses per company averaged $203,606 in 2005, according to the most recent Computer Security Institute/FBI computer crime and security survey (of 639 respondents). The top three causes of losses in the study were viruses, unauthorized access, and theft of proprietary data. In a bit of good news, the study found that the fastest-growing category of breach — Website defacement — was responsible for the smallest losses.
If assessing the cost of an incident is tough, so is calculating the cost/benefit of security expenditure. While more than 87 percent of respondents said they conducted some sort of companywide security audit in the past year, there is substantial disagreement about which metrics are best applied to the ever-growing universe of security software and services. Return on investment is the most popular, at 38 percent, while 18 percent said they use net present value and 19 percent use internal rate of return. All of these percentages are actually down from the year before, suggesting either a general dissatisfaction with these metrics or, says the Computer Security Institute (CSI), a feeling that IT security has become a "must-do" and metrics are pretty much beside the point.
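As an added illustration (not part of the article or the CSI/FBI survey), here is how the three metrics the survey asks about would be applied to a single security control. The control, its costs, the four-year horizon, and the expected avoided loss are all constructed figures; the "avoided loss" input is exactly the subjective estimate the sources above say is so hard to pin down.

```python
"""ROI, NPV and IRR for one security control (added example; not from the
article or the CSI/FBI survey). All figures are constructed for illustration."""
from typing import List, Sequence


def net_cash_flows(upfront_cost: float, annual_run_cost: float,
                   annual_avoided_loss: float, years: int) -> List[float]:
    """Year 0 is the purchase; years 1..n are avoided loss minus running cost.
    'Avoided loss' is the expected breach cost the control is believed to
    prevent: the soft, subjective input that makes these numbers a black art."""
    return [-upfront_cost] + [annual_avoided_loss - annual_run_cost] * years


def roi(flows: Sequence[float]) -> float:
    """Simple (undiscounted) return on investment: net gain over the outlay."""
    outlay = -flows[0]
    return (sum(flows[1:]) - outlay) / outlay


def npv(rate: float, flows: Sequence[float]) -> float:
    """Net present value at a given annual discount rate."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(flows))


def irr(flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        iterations: int = 200) -> float:
    """Internal rate of return: the discount rate at which NPV is zero, found by
    bisection. Requires NPV to change sign between lo and hi, which holds for the
    usual 'outlay now, benefits later' shape; anything else raises."""
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign in the bracket; IRR undefined")
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:      # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                      # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed scenario: a 60,000 control costing 10,000/year to run that is
# expected to avoid 35,000/year of breach losses over four years.
CONTROL_FLOWS = net_cash_flows(60_000, 10_000, 35_000, 4)

if __name__ == "__main__":
    print("cash flows:", CONTROL_FLOWS)
    print("ROI: %.1f%%" % (100 * roi(CONTROL_FLOWS)))
    print("NPV at 8%%: %.0f" % npv(0.08, CONTROL_FLOWS))
    print("IRR: %.1f%%" % (100 * irr(CONTROL_FLOWS)))
```

The three numbers answer different questions: ROI ignores the time value of money, NPV depends on the discount rate the finance department hands you, and IRR is the hurdle rate at which the control stops paying for itself. Changing the avoided-loss estimate moves all three, which is why the disagreement in the survey is really a disagreement about that input, not about the arithmetic.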
"There are some specific calculations that can be made, but it's still a very subjective area," says Dennis Peasley, Beverly Enterprises's senior director of information security. "The whole thing is more of a black art than we might want it to be." For Peasley, everything boils down to three questions that all organizations need to ask: What data are you trying to protect, who might want to get to that data, and what paths would they use to get there? Many firms, he says, concentrate on the wrong questions and end up throwing a great deal of money and time at minimal security risks while ignoring major vulnerabilities.
This year expect a continuation of last year's merger mania, as security companies try to offer corporate customers a broader set of products. Also expect vendors to build in more automation and usability. In November, NetIQ introduced its Risk and Compliance Center, a Web-based dashboardlike solution that can monitor security issues across the enterprise and create risk assessments that calculate vulnerabilities in various departments. CA also offers tools that can monitor the millions of security events that occur in big companies every day and help them focus on the serious ones while ignoring the minor ones, such as someone typing in the wrong password.
Beverly Enterprises has been testing NetIQ's suite of tools to help its more than 35,000 users at 345 nursing homes and 84 other facilities nationwide. One concern is the company's reliance on offshoring its help-desk function. "Without NetIQ, there's no way we could check to make sure we are being compliant halfway around the world," says Peasley. The software provides an audit trail for all user accounts and helps control who has access to which systems.
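The two capabilities described above, surfacing the serious events while dropping noise such as a single mistyped password, and producing an audit trail of which accounts have access to which systems, reduce to a small amount of logic once the events are parsed. The following is an added example written for this page; it is not NetIQ or CA code, the key=value log format and the thresholds are hypothetical, and the log lines are constructed.

```python
"""Event triage over authentication logs (added example; not NetIQ or CA code).
Log lines are constructed in a hypothetical key=value format; the rules are
illustrative, not a vendor's rule set."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+)(?: role=(?P<role>\S+))?(?: by=(?P<by>\S+))?$"
)


def parse(line: str) -> Optional[dict]:
    """One log line into a dict, or None for lines the parser does not recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def triage(lines: List[str], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. A lone wrong password is noise and
    produces nothing; a burst of failures from one source against one host is
    worth a look, and a success right after such a burst is the serious case.
    Admin-role grants are always surfaced so they can be checked against the
    approved access requests."""
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings: List[Tuple[str, str]] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    for e in events:
        key = (e["src"], e["host"])
        # keep only failures inside the sliding window
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        if e["event"] == "login_failed":
            failures[key].append(e["ts"])
            if len(failures[key]) == fail_threshold:
                findings.append(("medium", "%d failed logins from %s on %s within %s"
                                 % (fail_threshold, e["src"], e["host"], window)))
        elif e["event"] == "login_ok":
            if len(failures[key]) >= fail_threshold:
                findings.append(("high", "%s logged in to %s from %s after %d failures: "
                                 "probable password guessing"
                                 % (e["user"], e["host"], e["src"], len(failures[key]))))
            failures[key] = []
        elif e["event"] == "role_granted" and e.get("role") == "admin":
            findings.append(("high", "%s granted admin on %s by %s; verify against approved requests"
                             % (e["user"], e["host"], e.get("by") or "unknown")))
    return findings


def access_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Which accounts have actually used which systems: the raw material for a
    who-has-access-to-what review."""
    inv: Dict[str, set] = defaultdict(set)
    for e in (parse(l) for l in lines):
        if e and e["event"] == "login_ok":
            inv[e["host"]].add(e["user"])
    return {host: sorted(users) for host, users in inv.items()}


# Constructed sample: one typo by jsmith, a password-guessing burst against the
# billing host that eventually succeeds, and an overnight admin grant by the
# offshore help desk.
SAMPLE_LOG = """\
2006-01-10T09:12:01 host=hr-app user=jsmith src=10.1.2.3 event=login_failed
2006-01-10T09:12:40 host=hr-app user=jsmith src=10.1.2.3 event=login_ok
2006-01-10T22:01:00 host=billing user=admin src=203.0.113.7 event=login_failed
2006-01-10T22:01:05 host=billing user=admin src=203.0.113.7 event=login_failed
2006-01-10T22:01:09 host=billing user=admin src=203.0.113.7 event=login_failed
2006-01-10T22:01:14 host=billing user=admin src=203.0.113.7 event=login_failed
2006-01-10T22:01:20 host=billing user=admin src=203.0.113.7 event=login_failed
2006-01-10T22:01:31 host=billing user=admin src=203.0.113.7 event=login_ok
2006-01-11T03:15:00 host=billing user=tmp-contractor src=198.51.100.9 event=role_granted role=admin by=helpdesk-offshore
""".splitlines()

if __name__ == "__main__":
    for severity, msg in triage(SAMPLE_LOG):
        print(severity.upper(), msg)
    print(access_inventory(SAMPLE_LOG))
```

On the sample, jsmith's single failure produces nothing, the five failures against the billing host produce one medium finding, the success that follows them is escalated to high, and the admin grant is surfaced regardless of context. Keying the failure counter on (source, host) rather than on the account is deliberate: a guessing attack that rotates through usernames from one address would otherwise never cross the threshold.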
The CSI/FBI survey found virtually no change in security spending between 2004 and 2005 (as measured by IT budget percentage), no change in outsourcing (63 percent don't outsource any aspect of security, 26 percent outsource a small fraction, and the remainder outsource between 21 percent and 80 percent of the function) and no change in the use of cyber-risk insurance (three-quarters of respondents have none). These results suggest either that companies have solidified their strategies or, more likely, that they are waiting for new best practices to emerge.
John McPartlin is a freelance writer and editor based in New York.
In [Your Name Here] We Trust
Consumers respond well to good security policies.
In a survey drawing on more than 31,000 consumer responses, the Ponemon Institute found that companies that take data security and customer privacy seriously are more likely to earn the trust — and business — of consumers. "There is a value proposition to protecting information and doing it right," said Larry Ponemon, who heads up the Elk Rapids, Michigan-based research firm. Strong consumer-privacy and data-protection policies contribute to consumer trust, which, says Ponemon, makes customers more receptive to a company's marketing messages and products.
Ponemon studied 129 companies that ranked highest and lowest in consumer trust, and found several major differences in their privacy policies. Most important, he says, is to provide the consumer with a way to lodge a complaint regarding privacy issues, ideally via a phone representative. Privacy policies that are easy to understand, limit the sharing of data, and enable customers to opt out of such sharing are also key.
Good data-security and privacy policies can provide a marketing edge, according to consultant Martha Rogers. Unfortunately, she says, many companies see privacy as a "compliance issue," a fact reflected in the turgid, largely incomprehensible legalese of most privacy statements. Lawyers generally write up the privacy statements, but Rogers says "relationship" people should take charge. "Make it something you can read," she advises. "The proper mind-set is not just compliance, but relationship opportunities." — Norm Alster