control, and governance
Back With a Vengeance
Highly organized and innovative attackers are targeting corporate networks and data — and rapidly outpacing once-successful information security methods.
Internet search titan Google made headlines earlier this year when it accused hackers working for the Chinese government of breaking into its computer systems. China swiftly denied the allegations, leading to tensions between the country and Google that threaten the company’s operations in the fast-growing Chinese market. But the incident also demonstrates that the stakes are getting higher for information security as attacks become more sophisticated and better organized.
Internal auditors, IT professionals, and their organizations need to raise their game as well. Just when organizations thought they were getting information security under control, the number of incidents has exploded. Information Security Breaches Survey 2010, released by PricewaterhouseCoopers LLP (PwC) in April at the Infosecurity Europe conference in London, found that 90 percent of large UK organizations (more than 250 employees) and 74 percent of small organizations (25 or fewer employees) suffered a malicious security breach within the past 12 months. That’s up from 35 percent of organizations overall in PwC’s previous survey in 2008 — reversing a four-year decline in incidents. The online survey was completed by 539 organizations.
Even worse, the financial cost of these incidents has tripled since 2008. The average cost of a large organization’s worst security incident ranged from £280,000 to £690,000 (US $422,000–$1.04 million). For small organizations, the cost was £27,500–£55,000 (US $40,200–$80,400). The number of security breaches “has reached record levels for all sizes of organization,” says Chris Potter, a partner with PwC’s OneSecurity unit, which produced the Information Security Breaches Survey. “All types of breach were on the increase, and a conservative estimate is that the total cost of breaches to UK business in billions of pounds is now well into double figures.”
HOLDING VICTIMS ACCOUNTABLE
It’s not just the incidents themselves that are costly to organizations. Increasingly, governments around the world are holding the organizations that suffer attacks responsible for not protecting their customers’ personally identifiable information. The United Kingdom recently revised the 1998 Data Protection Act to give the country’s Information Commissioner’s Office the power to impose fines up to £500,000 (US $754,000) on companies that experience serious data breaches. The revisions make companies directly responsible for complying with data security principles. Fines will be based on the seriousness of a contravention of data protection principles, the nature of personal data involved, the duration and extent of the breach, the number of individuals impacted by it, and its public importance.
It’s not just potential fines that make incidents more costly. More than 40 percent of the cost from compromised records stems from lost business as a result of an incident, according to the Poneman Institute’s 2009 Annual Study: Global Cost of Data Breach (PDF, registration required), which examined the financial costs from 130 data breaches in five countries. That’s particularly true in countries with laws requiring companies to publicly disclose security breaches involving customer data. For example, per-record costs were nearly twice as high in the United States (US $204), where many states have strong public notification laws, than in less-regulated nations like France (US $119).
Faced with such potential costs, organizations have invested heavily in information security in recent years. Even during the recession, the PwC UK study notes that 90 percent of surveyed organizations maintained or increased their security expenditure in the past year. Nearly half of large organizations increased security spending. Almost half of large organizations and 27 percent of small organizations plan to increase security spending next year.
Moreover, 82 percent of large organizations and 75 percent of small organizations assess information security risks, up from 48 percent overall in the 2008 survey. “Organizations are getting better at understanding security risks in a changing business environment,” Potter says.
RISK ENVIRONMENT IS CHANGING
So, if organizations are spending more on security and are assessing IT risks, why have breaches taken a turn for the worse? After all, such measures were supposed to protect networks. The short answer: change. Organizations use their computer networks much differently than in the past — providing remote access to employees and storing more data and applications in the “cloud.” This makes their systems and information more vulnerable.
The threats are changing too. Attackers are using more sophisticated malware, viruses, and other techniques, according to a recent Deloitte report, Cyber Crime: A Clear and Present Danger, Combating the Fastest Growing Cybersecurity Threat (PDF). The report analyzes the results of the 2010 Cyber Security Watch Survey conducted by CSO Magazine, the U.S. Secret Service, and the CERT-CC at Carnegie-Mellon University. Although Deloitte sponsored the survey, its analysis concludes that cyber crime is “a significantly more common and larger threat than respondents recognize” and the criminals’ techniques have outpaced current security models and methods.
Deloitte argues that survey respondents have a false sense of security that is leading them to allocate resources to “lesser threats” such as foiling hackers or blocking pornography, rather than on criminal activity that may be taking place on their systems. “Today’s cyber criminals are increasingly adept at gaining undetected access and maintaining a persistent, low-profile, long-term presence in IT environments,” the report states. Specific trends include:
In addition to circumventing security technologies, criminals typically go after end users via online social engineering techniques, Deloitte notes. For example, the attacks on Google were made possible by an e-mail “phishing” scam that targeted users with privileged access such as network administrators and executives. Such scams are intended to dupe recipients into giving up passwords or opening an attachment that installs spyware programs on their system. Criminals with knowledge of an organization can even target messages to a specific person. Moreover, the rise of social networking and online transactions provides more opportunities for organized criminals.
Organizations typically protect their systems through a combination of policies and perimeter defenses. Information security experts advise organizations to make a strong security policy the centerpiece of their security efforts. The good news is that most organizations have a policy in place; the bad news is these policies aren’t well-understood by employees in most organizations, according to PwC’s UK study. Worst still, employees under pressure to be more and more productive often don’t follow such policies or adhere to security controls, a recent Microsoft Research paper reports (PDF).
The Deloitte report advocates taking a risk-based approach that “assumes an unauthorized user can gain access to the system.” In this approach, organizations allocate security resources based on the value of specific data, the likelihood and impact of a breach, and potential interactions with other risks. Specifically, organizations should monitor their most valuable information so that the business “knows where it is, where it is going, where it has gone, and on whose authority.”
Addressing information security risks should be part of the organization’s overall risk management process, with commitment from the board and senior management, the Deloitte report states. An organization’s enterprise risk assessment may identify critical processes, activities, and data that practitioners can incorporate into their security risk assessment.
From there, organizations should gather and analyze intelligence on cyber threats and assess their risks, Deloitte advises. In addition to prioritizing data that needs to be protected, this approach can enable an organization to identify network devices used for criminal activities; identify customers, suppliers, and others with compromised devices; and monitor transactions and track compromised data. Intelligence gathering includes both external sources (e.g., publications, law enforcement, and security vendors) and internal sources (e.g., fraud investigations, security incident data, and vulnerability data). The analysis should incorporate defined risk identification, prevention, and mitigation activities and should be driven by considerations such as improving visibility into the IT environment, identifying new attack technologies, evaluating technologies and data that are vulnerable, and assessing how much protection existing controls provide.
Rethinking once-successful information security methods and assumptions won’t come easy for many auditors and IT practitioners, but it’s clear the attackers aren’t standing still. Failing to keep up with them could be costly.
To comment on this article, e-mail the author at firstname.lastname@example.org.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.