Week 2 Post – How long have the hackers been in my business?

When we think about crime, we often picture something violent that happens very suddenly and is then over.  Take a typical bank robbery, for example.  The robbers might case the place for a while.  Sure, there might be some long, thought-out planning time for the “perfect job.”  Sometimes, it is a crime of opportunity with little planning.

The almost constant factor is that the commission of the crime typically takes less than a few minutes, then the bank robbers are fleeing as quickly as they can with their loot before law enforcement arrives and boxes them in.

Let’s look at the Target stores data breach.  According to various sources, about 40 million credit & debit card numbers were exposed and up to 70 million names, addresses and other personal information may have been taken (Bloomberg, 2014).  Sources familiar with the investigation said that the attackers first broke into Target’s network on Nov. 15th, 2013.  Krebs on Security first reported the breach on Dec. 18th with Target acknowledging it the next day on the 19th.

Charlie Osborne on ZDNet reports that “Most companies take over six months to detect data breaches.”  Osborne reports that a recent study pointed out that it takes an “average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail.”

These high-profile breaches get most of the media coverage and attention, but it makes one think about how often small-to-medium sized organizations are being hacked and how long the hackers are hanging around siphoning off data, especially since these organizations typically don’t have IT security staff looking for problems.  In many cases, these organizations don’t have any IT staff at all who would be looking for signs of a cybersecurity problem.

References:

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. (n.d.). Retrieved March 27, 2016, from http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

Krebs on Security. (n.d.). Retrieved March 27, 2016, from http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Osborne, C. (2015, May 19). Most companies take over six months to detect data breaches | ZDNet. Retrieved March 27, 2016, from http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/

How do you convince small businesses to invest in Cybersecurity?

We’ve all seen the media coverage of big data breaches, yet they keep happening.  Big data breaches have occurred at Target, Home Depot, the U.S. Office of Personnel Management, Anthem Insurance, Sony Pictures, and more.  Investment in information security just doesn’t seem to be as important as it should be to many organizations.  Of course, this type of expenditure doesn’t produce revenue.  It is almost like buying insurance: expensive and boring.  Compliance with regulations often drives cybersecurity expenditures, but organizations really need to do serious thinking about what a data breach means to their operations and reputation.

What do these breaches cost?  Maybe not enough for big business.  Target estimated that its data breach cost $191 million of gross expense in 2014.  According to Fortune, “Sony estimates its breach’s financial impact has been just $15 million to date ‘in investigation and remediation costs.’ That’s barely a blip on the radar.”

We know that enterprise IT departments all provide for some level of cybersecurity, but how much, and how much is enough?

Cybersecurity is getting more attention in some companies.  There is talk and activity about moving the infosec role out of the IT department and into general executive status, because cybersecurity is not all about technology.  It is about people, processes, compliance and technology.

Since big businesses are vulnerable, given their big data stores and budgets, how vulnerable do you think small businesses are?  Why is that important?  Your lawyer or accountant is a small business.  You might bank at a credit union or small bank.  How do they protect your data (and do you really think they are protecting it)?  What would the impact be on the reputation of a small accounting firm that lost its clients’ financial information?

References

How much do data breaches cost big companies? Shockingly little. (2015). Retrieved March 19, 2016, from http://fortune.com/2015/03/27/how-much-do-data-breaches-actually-cost-big-companies-shockingly-little/

 

Hello world!

This site is for the discussion of Information Security or Cybersecurity and how it relates to small-to-medium sized businesses and organizations.  Welcome!