IN COLLABORATION WITH DELOITTE
A detective hacks into the email accounts of coworkers; an Algerian national sells a computer virus known as SpyEye to multiple parties in the United States; a Texas man conspires to manipulate stock prices via a network of virus-controlled computers.
Those are just some of the cyber-crimes that made headlines during a mere three weeks in May, offering more proof that computer crime is as rampant as it is varied. That is particularly worrisome for midsized companies, because often they are large enough to be attractive targets yet lack the resources to mount state-of-the-art defenses against cyber-threats.
Companies can help themselves enormously, however, by rethinking their approach to computer security. “Because any breach could potentially have an impact on every part of the company’s cyber ecosystem,” says Lou DeSorbo, senior manager in the Cyber Threat Management Practice at Deloitte & Touche, “security needs to be addressed from an enterprise perspective, as part of an overall risk management program.”
In fact, DeSorbo suggests that responsibility for cyber-security not rest with the CIO — or, at least, not solely. “There is no such thing as ‘perfect’ security,” he says. “Every company will need to determine its appetite for accepting cyber risk just as it does in other areas of the business. Deciding which cyber risks you must mitigate and which you might accept requires a combination of people, processes and technology that goes beyond the domain of IT.”
Increasingly, the actors DeSorbo terms “advanced persistent threats” are focusing their infiltrations on “maintaining a foothold with increasingly long dwell times,” resulting in extended access to, and theft of, information. These crimes can be both costly and difficult to detect. Standard security approaches tend to be technology-focused, relying on a mix of access controls, security patches, hardened firewalls, and after-the-fact identification of attacks.
Today what’s needed is a mix of proactive defensive capabilities and forensic and analytic techniques that help companies protect specific assets, identify likely adversaries, detect and isolate events when they do occur, and respond effectively to mitigate risk and enable the business. This will affect a company across many dimensions, making it imperative that all senior executives participate in the cyber risk management process.
As for whether your company may be at risk, as DeSorbo notes, “If your systems contain information that is valuable to you, then it is also very likely to be valuable to someone else.”
Companies increasingly connect to partners, customers, mobile workers, and cloud-based service providers. As Internet-connected devices proliferate thanks to the boom in biometrics, nanotechnologies, and other sensor-based objects, potential vulnerabilities will multiply. Senior management should assess the level of cyber-security expertise within the company and identify gaps, develop a framework and repeatable processes to evaluate risks as they evolve, and make sure supply-chain partners or other parties with access to the company’s systems do the same.
One security firm estimates that IP theft alone costs U.S. companies $250 billion a year.