In 2012, General Keith Alexander, Director of the U.S. National Security Agency and Commander of the United States Cyber Command, said cyberattacks are causing “the greatest transfer of wealth in history”, and went on to cite an estimate from computer security firm McAfee that the global cost of cybercrime is $1 trillion.
Many analysts have derided that figure as wildly exaggerated, but certainly the cost to businesses is in the tens of billions of dollars. “Nobody can really assess the true impact of cybercrime,” said Franz-Stefan Gady, an analyst at a security-focused think tank called the EastWest Institute, in a report published by non-profit investigative news agency ProPublica. “It’s really the self-reporting — because we can’t verify it.”
Numbers are hard to come by because many organizations are reluctant to admit their networks and systems have been compromised, if they’re aware of the breaches at all. Banks especially dislike headlines that involve the words “customers’ money stolen” and “customers’ personal details compromised”.
And while the U.S. Congress is considering legislation that would require companies to disclose breaches of their information systems, attacks aimed at stealing intellectual property (such as equipment designs and scientific data) can – and often do – go undetected, because the data remains in place on company servers with little or no indication that it has been viewed or copied.
Although banks and other financial institutions spend billions on computer network and systems security in an effort to thwart hacking and fraud, many of the security measures these companies implement are relevant for small- and medium-sized organizations, even if they don’t have hundreds of millions of dollars in customer assets to protect.
You say you’re a non-profit, with nothing worth stealing? Human rights organizations must carefully protect the identities of sources and partners, and every organization has in its offices computers worth something to ordinary thieves.
Phil Kennington, Regional Risk Manager at Amazon Web Services, has spent his career preventing and responding to security threats, not only in the cyberworld but also in the physical world. I asked Phil, whom I’ve known for years, to speak not as a representative of his current employer, but as a longtime security consultant who has worked in the financial and telecoms sectors, as well as for a security and risk management consultancy.
“Not including instances of computer hacking, I see fewer cases of high-tech espionage now than I did in the 1990s,” Kennington says. “Most leaks of information come from your own staff, or from vendors or contractors that share your business’s physical premises. That’s not to say there isn’t a technological risk, because there is, but many of the cases I have investigated in the past involve the human element, people you’ve brought inside your organization.”
Kennington explains that maintaining “access control” is a critical failing of many organizations that have spent millions on network security measures. “It’s very easy to ‘tailgate’ legitimate employees into secure facilities,” he says. “I’ve seen security video of someone tailgating his way into an office, and walking out later with two bags containing half a dozen laptops.”
The real damage from the theft, of course, comes not from the replacement cost of the computers, but from the loss of confidential data contained on them. Theft by outsiders is a minor problem, however, compared to theft by disgruntled employees or contractors, Kennington says.
Kennington urges employers to conduct background checks, noting that in developed countries, an Internet search will turn up a great deal of information. “Very few employers do a thorough job of screening employees,” he says. “You’re inviting these people into your organization and giving them ‘trusted insider’ status. Once they’re inside, they’re much less likely to be questioned. But what do you really know about most of them?”
While Kennington emphasizes the importance of educating employees in security awareness and procedures, American cryptographer and security guru Bruce Schneier has wondered if educating employees isn’t simply a waste of time. Schneier notes that society spends enormous resources trying to train people to maintain healthier lifestyles, mostly in vain.
“Computer security is often only as strong as the weakest link,” Schneier wrote last year in an essay published on Dark Reading, an IT security-focused news portal. “If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in.”
Schneier argues it is the computer industry’s responsibility to design systems that don’t allow users to choose passwords such as “password” or “123456” (the two most popular passwords among American computer users in 2012). “We just aren’t very good at trading off immediate gratification for long-term benefit,” Schneier writes. “Computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a lot of bother right now and I have more fun things to think about.”
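The design principle Schneier describes, that the system rather than the user should refuse weak passwords, can be enforced at registration or password-change time. The following is an added example, not code from the article or from Schneier: a small server-side policy check that rejects the two passwords named above and their trivial variants (case changes, common character substitutions, a year or punctuation tacked on the end), digit-only strings, short passwords, and passwords that contain the account name. The denylist and the 12-character minimum are constructed assumptions; a real deployment would load a large breached-password list instead of the six entries here.

```python
from __future__ import annotations
import re
import unicodedata

# Constructed sample denylist. "password" and "123456" are the two named in
# the article; the others are illustrative. A real deployment would load a
# large breached-password list into this set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
MIN_LENGTH = 12  # assumed policy value

# Undo the most common substitutions so "P@ssw0rd" is judged as "password".
_LEET = str.maketrans("@0134$5!7", "aoieassit")

TOO_SHORT = "too short"
COMMON = "matches a common password after normalisation"
DIGITS_ONLY = "digits only"
CONTAINS_IDENTIFIER = "contains the account name or e-mail"


def _forms(candidate: str) -> set[str]:
    """Variants of the candidate that the denylist lookup should also cover."""
    base = unicodedata.normalize("NFKC", candidate).casefold()
    trimmed = re.sub(r"[^a-z]+$", "", base)   # "p@ssw0rd2013!" -> "p@ssw0rd"
    return {f for v in (base, trimmed) for f in (v, v.translate(_LEET)) if f}


def check_password(candidate: str, user_identifiers: tuple[str, ...] = ()) -> list[str]:
    """Return the policy rules the candidate violates (an empty list means acceptable)."""
    reasons: list[str] = []
    base = unicodedata.normalize("NFKC", candidate).casefold()
    if len(candidate) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    if base.isdigit():
        reasons.append(DIGITS_ONLY)
    if _forms(candidate) & COMMON_PASSWORDS:
        reasons.append(COMMON)
    for ident in user_identifiers:
        # Compare against the username or the local part of an e-mail address.
        ident = ident.casefold().split("@")[0]
        if len(ident) >= 3 and ident in base:
            reasons.append(CONTAINS_IDENTIFIER)
            break
    return reasons


def is_acceptable(candidate: str, user_identifiers: tuple[str, ...] = ()) -> bool:
    """Convenience wrapper: True when no policy rule is violated."""
    return not check_password(candidate, user_identifiers)


if __name__ == "__main__":
    # Constructed sample inputs; "jsmith" is a hypothetical account name.
    for pw in ("password", "123456", "P@ssw0rd2013!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, ("jsmith", "jsmith@example.com")) or "ok")
```

The check returns every violated rule rather than stopping at the first, so the user interface can explain the rejection, and the normalisation step is what keeps the denylist from being defeated by the "password1" and "P@ssw0rd" habits the article alludes to.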
Kennington says he’s seen many cases of compromised security resulting from “social engineering”. In the security context, social engineering involves manipulating people into providing access to networks or facilities, or directly delivering confidential information into the hands of unauthorized parties. “Social networks have made things even easier for the people who engage in this sort of activity,” Kennington says. “I’ve seen cases in which IT workers have uploaded confidential documents in exchange for social networking site badges or prizes, and I’ve confirmed some of these cases as having been state-sponsored. Although China is the focus of a lot of attention, these sorts of attacks can originate in Japan, Australia, the U.K., anywhere.”
Kennington relates a story about “pretexters” who engage IT workers via social networks and pretend to be recruiting for attractive jobs. The scammers say they need to see examples of their targets’ work in order to evaluate their skills, and because the targets have been specifically selected, the scammers know exactly what to ask for.
He also cites an instance of a fight having been staged in a restaurant where a gathering of IT engineers was known to have been scheduled (thanks to the online posting of the event details), during which several engineers’ laptops went missing. In that case, it’s likely the computers were specifically targeted because they were believed to contain confidential data.
In his most recent book, Liars and Outliers, Schneier writes, “More security isn’t necessarily better. First, security is always a trade-off, and sometimes additional security costs more than it’s worth. For example, it’s not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut. There will always be a point where more security isn’t worth it. And as a corollary, absolute security is not achievable.”
Kennington believes human resources departments have an important role to play. “Human resources must take action if they discover something suspicious,” he says. “Very often, laws are weighted in favor of employees and you may end up having to pay people to leave. The cost of not doing that, though, can be far higher.
“Companies need to remember that corporate email systems and networks are company property and that employees – on the whole or in certain vital areas of the business – should have no expectation of privacy and they should sign up to those controls if they want to work there,” Kennington continues. “Labor law and local regulations aside, vital systems and the email of those working in those vital areas should be monitored and violations of a policy be dealt with using existing laws and regulations. Yes, you can trust your employees, but trust is something that should be earned and verified at regular intervals.”
Schneier offers several tips that cover both the technological and human aspects of data security for end users. “For a lot of people, an attack means they lost their stuff,” he says. “So good backups are essential.” He also suggests installing a good anti-virus program. More important, though, he believes, is “paying attention”. “The better bullshit detector you have, the better you’ll do,” he says.
Roberto De Vido is a communications consultant who has lived and worked in Asia for 25 years. He is the editor of Aidpreneur.com and producer of the Terms of Reference podcast.