Career criminal Willie Sutton is credited with saying that he robbed banks, “because that’s where the money is,” and while Sutton later claimed to have never uttered that infamous line, he did say in his autobiography that criminals “go where the money is … and go there often.”
Unfortunately for many businesses, today’s Internet criminals seem to be going where the money is and they are, indeed, going there often—as the recent hacking of Sony’s PlayStation Network has proven. Cyber crime experts say that virtually all businesses online are targets.
“Money attracts criminals,” says Melih Abdulhayoglu, CEO of Comodo, the maker of antivirus and firewall solutions for business. “The financial industry continues to suffer a lot from cyber crime attacks.”
Abdulhayoglu says that high-profile companies that rely on the Internet for revenue are seeing an increase in attacks. One reason is a shift from the lone hacker or specialized cyber criminal to criminal enterprises that are looking to make online attacks part of a new business model.
“Cyber crime has become a more lucrative industry than trying to smuggle drugs across the border,” says Abdulhayoglu, “and it is actually far less risky.”
Moreover, just as criminals in the off-line world have specialties and thus unique skill sets that target specific businesses, so too are there specialized cyber criminals, putting more businesses at risk.
“It isn’t so much that some industries are more susceptible,” says Mark Bell, Executive Vice President of Operations for Digital Defense, “but there are now different threats based on particular industries.”
Money remains a big target, putting banks, credit unions and other financial institutions that move money in the cyber crosshairs, but money isn’t the only target. Defense industries and governmental institutions are also being targeted by cyber criminals and terrorists looking to gain information and find other vulnerabilities.
But regardless of whether money is the direct target, it is still all about the money in the end.
“There is the threat against intellectual property,” says John Kindervag, Senior Analyst at Forrester Research. “There are hackers who are looking to steal another company’s R&D because they can sell the information to a company that has a small R&D budget. So it may be about intellectual capital or money, or just something you can turn into money.”
The threat is also increasing for smaller businesses and entities. While these had been largely ignored by cyber criminals, small and medium sized businesses have become the low hanging fruit for hackers.
“They don’t have the budget to be as diligent as larger companies,” says Kindervag. “But they still have data that can be monetized. It is like robbing a small bank or robbing a large bank. The smaller bank might have less guards and just as much money to steal.”
Doug Johnson, Vice President, Risk Management Policy, American Bankers Association, agrees that smaller banks are indeed targets, just as much as larger institutions.
“We’re accustomed to being a target,” says Johnson, who adds “you are only as secure as your weakest link. It is up to the institution to conduct risk assessment and to mitigate risks, along with transaction monitoring. What is important is that the financial institutions have multiple layers of security.”
Johnson says that while threats do run downhill, and cyber criminals may target larger banks before moving to community banks, the protection is also passed down.
“We represent the entire industry, so while we represent the largest banks, we also work with community banks around the country. This ensures that the larger threats to the big institutions are known to community banks. That protects the entire environment.”
Regardless of the size of the institution, there is concern that handheld devices are now opening new holes. A recent study from Origin Storage found that 41 percent of what should be a security savvy audience are carrying sensitive data on mobile devices unprotected. The study also found that 19 percent of respondent organizations suffered a data breach following the loss of a portable device that contains unencrypted data.
“Mobile devices are opening new holes to networks, and the addition of apps means corporate data is being put at risk,” says Tom DeSot, Executive Vice President and Chief Information Officer for Digital Defense, noting this is increasingly a problem with small and medium sized businesses. “Things that connect wirelessly or via a USB tether are further adding new issues. It is hard for a small business to stay on top of everything.”
Protecting from cyber crime is also unfortunately becoming ever more difficult, in part because too many people are far too trusting online.
“When is the last time you opened the door blindfolded to someone you don’t know?” asks Abdulhayoglu. “Most people would never do this at home or work, but we do it every day in the digital world.”
Biggest Threat is Human Error, not Software Error
In the past it had been Trojan Horse viruses that were worrisome, disguised, much like the mythical Greek wooden horse, as something they weren’t. But now the sophisticated criminals are finding other ways into the most heavily protected networks, and much like a medieval fortress, it only takes one guard to let the barbarians through the gates.
“It comes down to finding an administrator and socially engineering them to load bad software,” says Alan Paller, Director of Research at SANS Institute.
Paller says companies are responding not merely by using better software to protect themselves, but by using better programmers. He says the biggest threat is still one of human error, not software error.
“We’re still seeing that many companies are not testing their programmers. They are testing the software after the fact, but not testing those who write the software.” Paller says that no company can plug all the vulnerabilities but that better coding is making companies safer. “The defense is making sure the programmers know how to write better code. The smart companies are hiring from colleges that teach secure code.”
DeSot says that the smart companies are also those that realize that being prepared and diligent is far more cost effective in the long run. “It is a hard pill to swallow for many companies, but if you have a breach you have the marketing costs and the good will costs not to mention the actual costs to recover from it.”
The numbers show that being diligent actually takes up just a small part of an annual operating budget.
“It has been said, ‘If you spend more money on coffee than security you deserve to be hacked,’” says Kindervag, “and if you get hacked and lose data you’ll spend more money on legal fees than you would have spent on security. The numbers are staggering.”
Kindervag says that even with so many threats there remains a sense of complacency, one he questions.
“We think no one wants to hack me, but when you live in a bad neighborhood you tend to have a bit of paranoia. We need to accept that and realize we all live in a bad neighborhood when we connect to the Internet.”
Watch the premiere of "Code Wars: America's Cyber Threat," Thursday, May 26, at 9pm, 10pm, 12am and 1am ET.