Mounting levels of cyber crime and industrial espionage are sounding a long-awaited and much- needed wake-up call in the ears of corporate executives.
Despite estimated global losses to cyber crime now being measured in trillions of dollars, chief executives and their boards have traditionally been reluctant to accept responsibility for data breaches, preferring to regard them as an Act of God or to lay the blame at the door of their IT departments.
But this head-in-the-sand approach has now become untenable in the wake of recent events at discount retailer Target. The company fired its CIO and forced the resignation of its chief executive and chairman Greg Steinhafel in May of this year in the wake of a data breach that compromised the accounts of 40 million customers.
Prior to the board- level departures at Target, most busy chief executives regarded cyber security as a back-room problem to be handled by an in-house IT department. But the CIO's limited budget and frequently extremely limited knowledge of security protocols in general has resulted in a massive intelligence gap, which organised cyber crime has been happy to take advantage of.
Part of the problem is that cyber security is no longer a question of building a firewall and installing anti-virus software. To begin with, KCS finds that roughly four-fifths of malicious cyber intrusions can be traced from within the organisation being hacked. The individual concerned could be a disgruntled employee or someone who is being blackmailed, bribed or otherwise coerced into helping cyber criminals or competitors find a hole in the company's defences.
In many cases, a member of staff can be an unknowing accessory to a cyber intrusion. Someone may have discovered their password or cloned their mobile phone. Alternatively, they might be tricked into inserting a device such as a USB stick carrying malware into a company terminal and opening 'a back door' into the corporate IT system.
USB scams currently in use include leaving a bunch of car keys in the target company car park. Also on the key together with what appear to be car and house keys is an inexpensive and apparently innocent memory stick. When someone finds the bunch of keys they generally assume it to have been dropped by a colleague or a visitor. Hoping to be helpful, they insert the USB into the nearest computer terminal in an attempt to discover the owner of the keys. When they open the files stored on the memory stick, they are greeted by with some apparently innocuous family pictures. What they do not seen is that the instant the USB stick is inserted, malware begins to infect the corporate IT system opening up a back door through which the cyber criminals can siphon and copy as much sensitive data as is needed to hold the company concerned to ransom.
At the recent Black Hat USA 2014 cyber hacking conference, it was reported that USB devices are also now being used to imitate other types of device to steal data. There is a device on the market, for example, called a USB Rubber Ducky. This uses simple, affordable and easily obtainable hardware to emulate a keyboard, generally the single device all computers will trust on their system.
Recent revelations regarding concerted cyber attacks on several US financial institutions including JPMorgan and subsequent investigations by the Federal Bureau of Investigation and the US secret service have highlighted the growing risk coming from organised international cyber crime. The number of cyber attacks aimed as the US-based cyber attacks has roughly tripled in the last year.
But there is also evidence that, as banks are forced to improve their security procedures, some cyber criminals have already started to widen their focus to included organisations such as insurance companies. The reasons for this also have as much to with the changing nature of cyber crime. While it is possible to steal money from insurance companies, it is their data which appeals to many cyber criminals. Personal information, names, addresses, account details, passwords, health and lifestyle information, payment-card information all have a very real and easily marketable value. They can be traded on the so-called 'dark web', where criminals trade everything from marijuana to murder, often using the virtual currency Bitcoin to effect payment. In the US, individual medical records are reported to be fetching as much as US$500 apiece.
Until now, most chief executives have assumed that, because they are not a bank or a big cash-rich multinational organisation, they would of limited or little interest to cyber criminals. This is not true. Even if a company has little data of its own to interest cyber criminals, it partners or its clients may have. For example, a European energy supply company was hacked without its knowledge by cyber hackers bent on stealing nuclear defence secrets from one of its companies, a major defence contractor. So, even in the unlikely situation that an organisation has no data or customer information worth stealing, it may find itself used as a backdoor to attack one of its more important clients.
Instead of trusting to outdated anti-virus software which only protects against known viruses, organisations now need to adopt truly 21st Century security procedures. In practice, this means keeping a close track of all documents and attachments passing through the company. The most effective approach is to tag incoming material such as documents and spreadsheets in order to identify not only their source but also their history once they pass through the company's external security to determine whether sensitive data has been copied or stolen.
But the most difficult challenge for corporates will be closing the current intelligence gap that exists between chief executives and their IT departments. Staff must be made to understand that leaked password or ' lost ' smartphones or laptops can result in a security breach costing the company millions In ransom cash or lost business.
Stuart Poole- Robb is chief executive of business intelligence and cyber security adviser KCS Group Europe.