Cybercrime is so commonplace and sophisticated that many organizations don't know their networks are being attacked until a vendor or government agency comes knocking.
Case in point? My colleague recently attended a CIO event, where the CIO of a major technology vendor had no idea how vulnerable his company's network was due to outdated systems and security processes -- that is, until the FBI came knocking and informed him that the company's intellectual property (IP), including code, was being stolen by foreign entities.
The company has since hired its first-ever director of security.
Was the appointment long overdue? Maybe so, but what's even more unnerving is that despite having a security executive on board, companies are more vulnerable to cybercrime than they've ever been.
IP was the primary target for this particular vendor, but the motivations behind attacks run the gamut from financial to political. Add to that the speed with which these attacks occur and the inability to pinpoint who's behind them -- and data protection becomes almost impossible.
"[Attackers] are compressing what they do, which makes response difficult, because when you're being attacked, it's really important to know if it's just a guy or the government. And it's really hard to know when you've got 10 milliseconds to figure it out," said Bruce Schneier, security expert and CTO of the security startup Co3 Systems, who delivered the keynote at MassTLC's Security Conference in Boston this week.
Then there are the well-established criminal supply chains to contend with.
"As a cybercriminal, you can specialize. You can steal credit card numbers, you can monetize them, you can be a mule -- whatever you want to do, there's a place for you," Schneier said. Because this division of labor is so efficient, the time span from theft to profit has been significantly reduced.
And it's not just the breach-a-minute headlines that demonstrate this reality; the staggering figures tell the same story.
"We're in a day when a person can commit about 15,000 bank robberies sitting in their basement," said Robert Anderson, executive assistant director of Criminal Cyber Response and Services at the FBI, to a roomful of business leaders at a cybersecurity-themed Financial Services Roundtable on Monday.
He and other officials from the FBI and the U.S. Secret Service also cautioned businesses that in the past year alone, 500 million financial records have been stolen. It also turns out that 80% of victims in the business sector had no knowledge of being hacked until they were informed by the government, vendors or customers, according to a Verizon study cited by Financial Services Roundtable president Tim Pawlenty.
When in doubt, call in the Feds
Staples is another company that might soon join the ranks of Home Depot, JPMorgan Chase, Target and countless other breached organizations. Earlier this week, the office supply chain confirmed that it's probing a possible credit card breach, with the help of law enforcement, at a number of its U.S. locations. While Staples hasn't confirmed any details of the possible breach or where these locations are, renowned security journalist Brian Krebs reported that, according to his sources, hackers stole customer information from cards used at Staples stores located in Pennsylvania, New York City and New Jersey.
While it's doubtful anyone will bat an eye at yet another retail giant being hacked, what's noteworthy about this week's data breach headline is Staples' response -- it proactively sought help from law enforcement officials.
This tack is one that U.S. financial sector companies would do well to follow, according to the federal officials who spoke at Monday's roundtable.
"No one is going to solve this problem on their own. This is something we all need to work together on," said FBI Supervisory Special Agent Thomas Grasso.
And this is not just a one-sided partnership, Pawlenty said. Cybersecurity "needs to be met with action by Congress."
Schneier agrees. "This is an important area for the government to regulate," he said, noting that as the cyberarms race heats up, the government's involvement is only going to increase.
Beyond relying on regulations and government involvement, Schneier urged companies to invest more in security, particularly incident response.
"Security is a combination of protection, detection and response. I know that we need response because our protection and detection aren't great. In IT today, I think we need incident response more than ever," he said, referring to this decade as "the era of response."
The people part of the cybercrime equation
While we tend to think of good security as something that removes people from the equation and automates processes, that approach doesn't work quite as well when it comes to incident response, because attacks are fundamentally carried out by people, Schneier pointed out. That makes response difficult to automate.
"All networks are different, all security environments are different, all organizations are different, all regulatory environments are different, all countries are different," he said. "Most of the time, those differences matter much more than the technological differences."
These variable factors make it difficult to eliminate people from the security loop completely, Schneier argues. As such, businesses should invest in technology that augments the people part of their security strategy, namely tools that better equip employees to do their jobs -- such as sharing, accessing and transferring data -- more securely. "If you can't remove people, make them effective," he urged.
Don't just take one security expert's word for it. Many of your fellow senior IT leaders, 333 of whom we surveyed, also understand how important it is to treat security as a serious business investment -- it was tied with cloud computing as the top IT priority for 2015.
One of these IT executives, CIO Judi Flournoy of law firm Kelley Drye & Warren LLP, is keenly aware of how important the people factor is in security.
"The first line of defense for us is the employees of the firm. That's oftentimes the infiltration point," she said. "We had to take a more active step in educating our user community around what the risks are and what the responsibilities are."
How about you? Have you prepared the people in your company to take responsibility for cybercrime?
CIO news roundup for week of Oct. 20
Here is more technology news from the past week:
- Robots now assist in rescue and disaster relief efforts -- can they help in the fight to contain Ebola? Scientists, with help from the White House Office of Science and Technology Policy, are preparing for brainstorming meetings to find that out.
- Apple reported quarterly earnings of $42.1 billion on Tuesday, about $2 billion more than analysts predicted. The iPhone 6 was the only product out of its new lineup that factored into this quarter, selling more than 10 million and accounting for 56% of that revenue.
- IBM is jumping the chip ship. In the wake of news of its falling stock prices, the tech giant is selling its unprofitable chip-manufacturing business to GlobalFoundries for $1.3 billion and is setting its sights solely on software and servers.
- Google revealed a new email app called, straightforwardly, Inbox, which "bundles" emails into categories such as travel itinerary, related receipts and notes. The free service is available by invite on Android, iOS and online.
- Be still my heart! Mark Zuckerberg speaks Chinese?! Facebook's founder blew everyone's mind Wednesday when he conducted a Q&A in a Beijing university -- entirely in Mandarin. Forget his grammar and pronunciation; could this be the first step to lift China's block on Western social media?
- In response to the world's increasing population of elderly drivers, Ford is taking the lead in equipping its seats with sensors that monitor the driver's heartbeat for irregularities; if a possible heart attack is imminent, the car's self-driving system will guide the vehicle to a safe stop.
Get more details on the potential Staples breach at sister-site SearchSecurity. Then, take a deeper look at our salary survey results and learn why security is among senior IT execs' top priorities for 2015. Plus, find out why, on top of newer technologies, old-school tech is still key in protecting your data.