Original Article by: Marc Goodman
Hackers and organized crime groups have a business model—and it’s kicking your butt. Sony, Target, Home Depot and JP Morgan Chase have all been pwned, hacker-speak for being “owned” or roundly defeated by the competition. No, I’m not talking about the competition across town or your longtime corporate rival. These are the hidden, silent competitors you mostly don’t think about until it’s too late: international organized crime, hacktivists and even foreign nation states, and they’re all gunning for you. They are well-resourced, motivated and poised to take you down. And most of all, they are organized, more organized than you ever imagined, as the 80 million patients insured by Anthem Blue Cross can now attest.
These are not the lone teenage hackers of yesteryear banging away at keyboards in their mom’s basement. Today 40% of cybercriminals are over the age of 35 and 80% are now working with organized crime groups, according to a 2014 study by the RAND Institute. These groups have created vast networks of front companies whose sole purpose is to penetrate your information systems and steal all the corporate, client, financial and intellectual property data that they can.
Organized crime “companies,” such as Innovative Marketing Solutions of Ukraine, are housed in multi-story office buildings with receptionists who greet clients and a corporate hierarchy that could come straight out of a Harvard Business School case study. Just as Facebook employees go to work to write their code, organized crime teams clock in every day creating software, or rather “crimeware,” to rip you off, and crime bosses even incentivize their most productive cyber foot-soldiers with “employee of the month” prizes like Ferraris or a briefcase full of cash.
The problem for legitimate businesses, and even individuals, is that they usually have no idea that they have been hacked. Unlike car theft, where you go to the garage and discover your vehicle missing, the overwhelming majority of businesses that have been successfully penetrated have no idea it’s even happened—for a really, really long time. According to a study by Trustwave Holdings, the average time from the initial breach of a company’s network until discovery of the intrusion was an alarming 210 days. That’s nearly 7 months for an attacker, whether organized crime, the competition or a foreign government, to creep around unfettered in a corporate network stealing secrets, gaining competitive intelligence, breaching financial systems and pilfering customers’ personally identifiable information, such as their credit cards.
When businesses do eventually notice that they have a digital spy in their midst and that their vital information systems have been compromised, an appalling 92% of the time it is not the company’s Chief Information Officer, security team or system administrator who discovers the breach. Rather, it is law enforcement, an angry customer or a contractor who notifies the victim of the problem. According to the Gartner Group, businesses are on track to spend $100 billion on cyber security and defense in the coming year, and yet most companies have proven simply incapable of detecting when a hacker has breached their information systems.
Whether or not you realize it, there’s a war afoot between those who want to leverage our technological tools for good and those who wish to exploit them by lying, cheating, stealing and harming others—including you and your business. These are the 5 Steps Every Business Leader Must Take to Fight Back:
- Create a United Front: Too many companies segment security responsibilities in ways that no longer make sense in today’s modern world. Chief Information Officers (CIOs) deal with information security and computer systems. The head of corporate security (usually a retired FBI or police official) protects facilities, issues ID cards, hires guards and handles video cameras and alarms. Yet another person, the head of Human Resources, manages personnel security, conducting background investigations on new employees. Unfortunately, in most companies this segmentation allows too much to fall through the cracks and results in finger-pointing when something goes wrong. There needs to be a single “adult” in charge of corporate risk in the cyber age—a person with a 35,000-foot view of the rapidly emerging threats modern businesses face and the full backing and authority of the CEO and the board to own the problem set.
- Go Hunting: The old model of cyber security was to build the equivalent of tall fences with tools such as antivirus software, firewalls and intrusion detection systems to keep the bad guys out. Those days are over, as evidenced not only by the explosive growth in data breaches but by the inability of most companies to even tell that their systems have been penetrated. Indeed, the Barbarians are no longer just at the gate—they’re in your laptop, in your network operations center, in your lunch room and wandering your virtual corridors, unnoticed for months at a time. In order to survive today’s modern cyber attacks, companies must go on the offense—proactively hunting down the bad guys that are almost certainly within your systems already.
- Test Your Assumptions: You think you’re safe, but how do you know? To answer this question, the military long ago implemented “red-team” exercises to try to break their own security. Specially trained personnel played the role of the “red team” during war-game exercises, so named after the Soviet “reds,” with the intent of breaking the military’s security. You too can red-team your own company, whether using internal or external resources and consultants. The fact of the matter is that every day hackers and organized crime groups are trying to break into your networks. Shouldn’t you be doing the same, to try to detect and respond to problems before your opponents do?
- Encrypt What You Want to Keep: Data leaks abound. The only hope you have of keeping your data in your hands is to make it useless in somebody else’s. Encryption does this by using large prime numbers to scramble your data so that only those with the secret key can read it. Given the obvious cyber threats, it is no longer tenable to keep any form of sensitive data in plain text. Sadly, foolish mistakes abound. During the Sony Pictures attack, hackers gained access to 140 plain-text files containing tens of thousands of passwords, unbelievably stored unencrypted in Microsoft Office files labeled “Passwords.doc” and “Password.xls.” Oh, and those 80 million patient records and social security numbers stolen from Anthem Blue Cross—also entirely unencrypted. In today’s world, storing sensitive data in an unencrypted format is ridiculous, inexcusable and tantamount to corporate negligence.
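What “useless in somebody else’s hands” means in practice, as an added example that is not part of the article: the program below seals a constructed sample record with a secret key and then shows that the sealed blob yields nothing under the wrong key and nothing if even one byte has been altered. The article names no particular cipher; this example assumes AES-256-GCM from Go’s standard library, and the `Seal`, `Open` and `ProtectionHolds` names are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte (AES-256) key with AES-GCM.
// A fresh random 12-byte nonce is generated per call and prepended to the
// output so that Open can recover it; GCM also appends an authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// dst is the nonce slice, so the result is nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error, not garbage, when the key is wrong
// or any byte of the blob was modified, because the GCM tag fails to verify.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ProtectionHolds checks the three properties a defender cares about for a
// record at rest: the owner of the key recovers it exactly, a different key
// recovers nothing, and a tampered blob is rejected rather than decrypted.
func ProtectionHolds(key, record []byte) (bool, error) {
	sealed, err := Seal(key, record)
	if err != nil {
		return false, err
	}
	got, err := Open(key, sealed)
	if err != nil || string(got) != string(record) {
		return false, errors.New("round trip with the right key failed")
	}
	wrongKey := make([]byte, len(key)) // all zeros: not the real key
	if _, err := Open(wrongKey, sealed); err == nil {
		return false, errors.New("wrong key should not open the record")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, tampered); err == nil {
		return false, errors.New("altered blob should be rejected")
	}
	return true, nil
}

func main() {
	// Constructed sample record; the key would normally live in a KMS or HSM,
	// never beside the data it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("patient=EXAMPLE;ssn=000-00-0000;plan=SAMPLE")
	ok, err := ProtectionHolds(key, record)
	fmt.Printf("protection holds: %v (err=%v)\n", ok, err)
}
```

The point the blob makes concrete: a stolen `Passwords.xls` is readable by whoever copies it, whereas a stolen sealed record is only as exposed as its key, which is why key storage (separate from the data, with access logged) is the real control behind “encrypt what you want to keep.”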
- Have a plan: Former FBI Director Robert Mueller famously noted that there are only two types of companies—those that have been hacked and those that will be. You’ve likely already been hacked and just don’t know it yet. Cyber attacks are the “new normal,” and Sony Pictures’ deer-in-the-headlights response to their latest hack was pathetic, particularly in light of the 2011 breach of the Sony PlayStation network in which over 100 million accounts were previously compromised. “I didn’t know” is no longer a tenable excuse, and companies must develop plans that transcend just the I.T. team and include the Board, C-Suite, general counsel, customer service, marketing and public relations, because when the data breach inevitably occurs, it’s going to be “all hands on deck.” The time to develop a disaster response plan is now–not during the disaster.