Yesterday’s hackers, whose exploits were often designed to earn bragging rights within the hacker community, have given way to far more sophisticated cyber criminals in pursuit of cold, hard cash. Some penetrate databases to steal the personally identifiable information (PID) of employees and customers. Others steal intellectual property and business data. Some use it, while others sell it to other criminals.
Which companies are hackers targeting? “The main focus of hackers seeking PID is midsize companies,” says Paul Viollis, CEO of Risk Control Strategies (RCS), a security and investigative firm. Why? “They’re perceived as the path of least resistance.”
Midsize organizations with up to 100 employees and $100 million a year in revenue “lack the security budgets of their big-business peers,” explains Tim Matthews, director of product marketing at Symantec, a leading security systems provider.
A recent Symantec survey of more than 2,000 small and midsize enterprises found that 73% had been victimized by cyber attacks, and the cost cannot be measured by dollars alone. “There’s always the risk of customers no longer conducting business with you,” Matthews says. “Once your reputation is tarnished, shutting down becomes a very real possibility.”
Breaking and Entering
Midsize enterprises are vulnerable to a variety of exploits, including “phishing,” in which employees are lured to phony Websites through e-mail or IM; SQL injection attacks that invade operating systems to gut the contents of poorly designed websites; bots that take over machines, turning them into “zombies” that criminals can control — the list is long. Legacy systems that haven’t been diligently patched or upgraded to guard against new threats are particularly vulnerable.
Social engineering — the art of tricking people — has caused more security breaches than all external attacks combined, according to 403 Web Security, a web-application development company.
Social engineering was behind a March 2011 data breach at security firm RSA. Employees received an e-mail and an attached spreadsheet with the subject line, “2011 Recruitment Plan.xls.” Once opened, the spreadsheet installed a backdoor in RSA’s system that compromised the code of RSA’s SecurID token. Estimates of what RSA’s parent, EMC, spent to clean up the fallout have run north of $66 million.
“We’ve estimated that a data breach costs companies an average of $214 per compromised record, and this excludes litigation and reputation-related issues that are difficult to measure,” says Larry Ponemon, founder of the Ponemon Institute, which focuses on data-protection practices.
Ponemon agrees that today midsize enterprises are in the crosshairs. “Why hack into a major retail bank that has topnotch security when you can hack into a much smaller enterprise that has access to the bank’s data?” Ponemon asks. “It’s easier to break into the side door than the front door.”
And those side doors aren’t locked at many midsize organizations. Of the 761 data breaches investigated in 2010 by the U.S. Secret Service and Verizon Communications’s forensics analysis unit, 63% occurred at companies with 100 or fewer employees.
Most of those breaches were not as sophisticated as the RSA hack. A recent Ponemon survey cites lost or stolen mobile devices as the greatest trending security risk. The risk doesn’t necessarily decline when the focus shifts. “Companies think because they outsource services or security they also outsource liability,” says Toby Merrill, vice president at insurer ACE Professional Risk. “They’re wrong.”
“You Will Be Sued”
Forty-six states have data-breach laws that require organizations to notify anyone whose personal data may have been compromised. Massachusetts’s is the toughest, stipulating penalties of up to $5,000 per violation. Multiply that by thousands of affected customers, and the potential cost to the enterprise is staggering. These laws make it clear that responsibility lies with the company that collected and stored the data. “That's who will be sued,” Merrill says.
But many midsize businesses believe the cloud offers greater security Boloco, a $20 million chain of 18 burrito restaurants stores customer information in the cloud via NetPOS, a point-of-sale systems provider. “No credit-card swipe lives in our system,” says Boloco CFO Patrick Renna. “Our philosophy is to leverage the security expertise of much larger companies that have resources we don’t.”
Boloco requires its various software-as-a-service providers to comply with the payment-card industry’s data-security standard and with the SAS 70 auditing standard, which permits an independent auditor to evaluate and issue an opinion on the provider’s security controls. Boloco also assesses its providers’ finances. That’s smart, says Tracey Vispoli, global cyber solutions manager for the Chubb Group of Insurance Cos. If you’re suing, you want your provider to be solvent.
What else can midsize companies do? If they had the cash, they could hire a security guru, and implement encryption, firewalls, intrusion detection, and other security tools. But today, as RCS’s Viollis notes, “how many midsize enterprises have cash to spare?”
There are, however, measures that won’t break the bank, notes Alan Wlasuk, CEO of 403 Web Security. He suggests starting with a relatively inexpensive scan of your IT system to determine its vulnerabilities, educating your staff about the threat of social engineering, and keeping up with security fixes.
And, since hackers aren’t the only ones breaking into databases (disgruntled employees and those experiencing tough financial times are other threats), it’s smart for CFOs to insist upon background checks for new employees and the implementation of strict data-access rules, such as making sure HR can’t access customer data and sales can’t access employee data.
Other relatively low-cost measures include mandating strong passwords (at least eight characters, a mix of numerals and upper- and lower-case letters). Customer data should be kept off of laptops, smart phones, and USB drives unless encrypted or, at least, password protected. Also, it’s not smart to store unneeded data; erase it.
Finally, consider buying cyber insurance. The cost has come down by more than 20% from five years ago, according to Robert Parisi, senior vice president of insurance broker Marsh. Plus, he says, insurers are tossing in freebies such as security assessments, victim breach notification, and credit monitoring.
“In an era where a lot of companies have cut into IT resources, insurance can be as important as the firewall,” Ponemon says. “With cyber insurance,” ACE’s Merrill adds, sounding like a salesman, “you’re buying more than coverage; you’re buying peace of mind.”
Russ Banham is a contributing editor of CFO.