Cyber Crime: You're the Mark
Pictures, PowerPoint slides, PDFs, even innocuous ads on legitimate sites can carry malware that will install itself on your PC by exploiting flaws in the browser you use. Undetected by anti-virus software, robot software can piggy-back on bank transactions, avoid anti-fraud detections systems, and send money to "mule" accounts operated by criminals in Eastern Europe. That's exactly what happened to 3000 bank customers in July, when online thieves stole $1 million dollars before they were caught by M86.
Unsuspecting customers visited legitimate-looking websites to download, say, a screen saver. Others received an email with pictures of cute animals or a PowerPoint presentation with a patriotic theme and, responding to heartfelt exhortations to forward it or risk a lifetime of bad luck, they obediently sent it to friends.
An isolated event?
No. A new industry is springing to life using clever business development practices for product diversification and market expansion. Financial specialists have been hired to deal with tricky financial issues, and technical expertise has been hired to help them effectively and efficiently operate in a trans-national marketplace.
The industry is cyber crime, and you're the mark.
According to a recent study by Ponemon Institute, the 45 financial and technology companies that were studied experienced 50 successful cyber attacks a week, and more than one per company per week.
"We found that the median annualized cost of cyber crime of the 45 organizations in our study is $3.8 million per year, but can range from $1 million to $52 million per year per company," the study reports.
Still not worried this could happen to you? Jeff Spivey told me in an interview recently, "I'm certain there will be a cyber catastrophe in the next 18 months that will cause government to become involved."
Who's Jeff Spivey? He's the former President and CEO of 35,000-member ASIS International, the preeminent organization for security professionals, and a trustee on the board of ISACA's IT Governance Institute — "a pace-setting global organization for information governance, control, security and audit professionals" with 95,000 members. He's CEO of RiskIQ now, and he knows what he's talking about.
His bigger concern is that companies don't understand how dependent they are on the Internet, and they don't understand that even if they 'get it', and have taken steps to secure their systems, their partners and vendors may not.
The problem is, the rules have changed. "A reset button has been pressed," Spivey says, "but large companies have an inability to adapt to change."
As a business owner, you have to decide how to manage change and determine what level of risk is acceptable. If you run a financial institution, or a health care facility, or if you just have a file of customer credit card number you've collected over the years, how do you know your systems are secure?
"You're going to have risk. Period, "says Spivey. "The issue is, is the level of risk acceptable to the enterprise?"
If you're a CIO, a CSIO, a CEO, or a board member, how do you know your enterprise is protected?
"Boards of Directors have no training in determining cost/benefit ratios for IT Security, and no stomach for asking tough IT Security questions of the CEO," said Brian Boake, a senior account executive with a Canadian firm Avient Solutions Group, Inc. "CEOs are willing to fund lines of business, profit centers, but they're reluctant to fund systems that will stop information leaks. But as BP found out, leaks can be very expensive."
Former FEMA Director John Copenhaver, now President and CEO of the Disaster Recovery Institute says, "Executives and middle managers need to understand that genuine risk assessment is a must. Companies will be taken to task. The nature of being a senior exec isn't just to chart direction, it being responsible for protecting assets too."
Part of corporate due diligence, as a matter of fiduciary responsibility, is to ensure cyber-security along with physical preparedness, business continuity, and emergency management procedures, he says.
"Some of us like to think we have [IT security] under control. But of all the hazards and risks we face — it's a long list and growing fast — security of information is one of the most critical because it's the most pervasive threat we face today."
How do you do that? My experience (from a previous incarnation as a Naval Officer teaching computer security and privacy at the Department of Defense Computer Institute and for the FBI) is third-party assessment of people, processes, and technologies, but you have to know what's important. A tiger team may find a weak spot in your access and authentication system, but do you care about that as much as the fact that you have data leaking to China?
Still, most cyber crime is committed not by organized crime but by what might be called 'disorganized crime.' Web attacks, denial of service threats, malicious code insertions, and disgruntled insiders and former employees account for more than 90 percent of the cyber crime costs.
You don't stop such attacks — you manage them.