Businesses Can't Ignore Cyberthreats, Experts Warn

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.govtech.com/security/Businesses-Cant-Ignore-Cyberthreats.html

Target’s infamous data breach is a textbook case of cybercrime: About 70
million records compromised after hackers reportedly entered the retailer’s
computer network using an outside service company’s limited access.

The retailer’s security team ignored warnings, not yet trusting a new
detection system, until federal officials finally alerted them. Once the
breach was revealed, Target’s quarterly profits dropped 46 percent, its CEO
resigned and the company promised to spend tens of millions of dollars
beefing up security.

At an Austin cybersecurity conference Thursday, experts cited the Target
example as they encouraged Austin businesses — large and small — to use
newly issued guidelines to protect themselves and their customers.

Target is a textbook case for another reason: Except for the size of the
breach, it’s not unique.

“It’s not if you become a victim of cybercrime,” said Mark Sletto, a
special agent in the Austin office of the U.S. Secret Service. “It’s when.”

The U.S. Chamber of Commerce, along with its local counterpart, invited
officials with the White House, Homeland Security, the FBI and Secret
Service to join business experts to discuss a voluntary “framework” for
cybersecurity. The industry-vetted guidelines are the result of a 2013
presidential directive that the chamber is supporting as an alternative to
government regulations.

It might be voluntary, but Matthew Scholl, a computer security expert with
the National Institute of Standards and Technology, warned, “If you don’t
do it, you are putting yourself at business risk.”

Alan Daines, chief information security officer for Round Rock-based Dell
Inc., said the best practices in the “framework” helps companies of all
sizes to assess where they are and where they need to be on the security
front.

“Since the Target breach, I can’t tell you the number of times I’ve been
asked, ‘Are we vulnerable?’” Daines said.

While large companies have more money and people to address the problem,
Daines said cybercrime is a challenge even for large firms.

“Large businesses become so large, it’s hard to get control of your
environment,” he said. “We struggled with, ‘How do we know we’re doing
everything right?’”

Jenny Menna with the U.S. Department of Homeland Security said the
guidelines should help company officials to discuss security issues with
everyone from the board room to a company’s supply-chain vendors.

“Adversaries are looking for the easiest way in,” she said.

Brian Engle, chief security information officer for the state of Texas,
said too many companies or agencies focus more on protection than detection
or response.

Citing the inevitability of attacks, Engle said it’s wrong to consider a
breach as the moment of failure. “The failure should be if we can’t
respond.”

Matthew Eggers, a security expert with the U.S. Chamber of Commerce, said
small firms shouldn’t assume they are too small to be targeted.

He said criminals might only be skimming a few hundred dollars each month
from a company’s payroll, but it’s a lucrative crime when spread across
thousands of small companies.

Eggers urged companies to keep it simple by focusing on data and devices.

“Think about the information you value and that your customers value,” he
said. “There is no silver bullet.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!