BreachExchange mailing list archives

How cyber attacks became more profitable than the drug trade


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 1 May 2015 14:19:17 -0600

http://fortune.com/2015/05/01/how-cyber-attacks-became-more-profitable-than-the-drug-trade/

Chief Information Security Officers would do well to consider Benjamin
Franklin’s advice to his fellow signers of the Declaration of Independence,
“We must, indeed, all hang together, or most assuredly we shall all hang
separately.”

Those of us responsible for information security don’t face armed combat or
the literal prospect of being hanged, but today’s environment of security
risks makes it necessary for different and competing players to stand united
against an organized, motivated enemy out to disrupt, steal or both. The
need to work together to protect company data, customer information and
corporate brand has never been greater. Business survival depends upon it.

Information security professionals, no matter how big the enterprise they
work for, are currently overwhelmingly outgunned by cybercrime. The threat
of these criminal enterprises is large and growing and if left unchecked
will have a disastrous impact on our economy in the near term. McKinsey &
Company estimates that cyber attacks will slow the pace of technology and
business innovation over the next few years and cost the economy as much as
$3 trillion annually. Data breaches have already taken a heavy toll and
costs are on the rise. An IBM-sponsored survey conducted by the Ponemon
Institute found that the average cost to the company of a corporate data
breach is now $5.9 million. Of this, the cost of lost business from a
breach averages $3.2 million. However, this average can be misleading
because some of the more widely publicized breaches in recent years have
cost the affected companies billions of dollars in revenue and shareholder
value.

Cyber criminals run highly organized and collaborative enterprises that
operate with troubling and destructive efficiency. Juniper Networks
conducted a study that found that global cybercrime takes in larger profits
than the illegal drug trade. “The cyber black market has evolved from a
varied landscape of discrete, ad hoc individuals into a network of highly
organized groups, often connected with traditional crime groups (e.g., drug
cartels, mafias, terrorist cells) and nation-states,” the report said. And
even when the goals of the attackers are not monetary gain, the costs can
be enormous. Though not a penny of its cash was stolen, the attack on Sony
last December cost the entertainment company billions of dollars through
the release of data. Types of data stolen can include financial data,
personal health information (PHI) and associated insurance information.

What’s more, cyber attackers have adopted the practice of gaining strength
in numbers. There is a network of collaboration these criminals easily tap
into to help them with their schemes. With these hackers constantly working
together to do damage to businesses, it only makes sense for businesses to
start working together on a large scale.

For a while, those attacked were somewhat limited in what they could do in
response. Anti-trust law prevented the kind of collaboration needed to
anticipate and fight these growing threats. Vibrant competition and the
need to protect corporate intellectual property worked against information
sharing about cyber attacks and data breaches. Corporate culture and
internal policies played a role too. Many enterprises would refrain from
disclosing the full extent of attacks to avoid inspiring others or exposing
too much about their security practices. Companies find themselves isolated
as they face the onslaught of attackers accustomed to working together.
This has to change.

Despite the increased visibility of the threat with high-profile data
breaches and attacks on well-known financial, retail and media companies,
many organizations don’t have the needed security staff in place. One large
healthcare company in a major metropolitan area managed a network of more
than 30,000 healthcare professionals and had only two employees dedicated
to information security. Those in tune with the business of IT security
know this is outrageously understaffed, but unfortunately this situation is
also common.

At last October’s Global CISO Executive Summit in New York, Malcolm
Harkins, vice president and former chief security and privacy officer for
Intel, noted that, “No single person or company has all of the skills and
resources needed to address all of these security issues as fast as
required. The necessary level of security is only achievable in unison.” He
points out that a collaborative approach across sectors and verticals will
enable companies to benefit immediately, no matter what their current
security situation. And even highly profitable companies with
well-structured security systems can frequently find the challenges of
attacks overwhelming.

According to Harkins, the greatest systemic weakness facing organizations
today is the misperception of risk and defining each attack as isolated and
unique. The solution to this misperception is a diversity of perspective to
assess and diagnose the threats which, in turn, requires a diversity of
input. This can only be achieved by collaboration across industry sectors.

On the tactical side, collaboration is going to have to become a part of
daily life for companies. Day in and day out there’s blocking and tackling
in motion as new threats arise and are assessed and combated. Security
officers need to be able to tap into the experiences, knowledge and skill
sets of others who have “been there, stopped that” to help them deal with
threats in as close to real time as possible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/