Jeffrey Bedser, COO of infosec threat-management company ICG, answers readers' cybersecurity questions.
Q: What approaches do you recommend for cost-justifying anti-cybercrime measures in the corporate world?
A: I have found that many boards tend to react more favourably to data that demonstrates the whole picture in terms of cyberloss. Take a look into what areas the company does business, and where they are impacted by connectivity to the cyberworld. Are there Internet gray market losses? Any losses to credit card fraud? Public relations damage? Internet stock manipulation? Loss of proprietary data? Pending litigation? Who in the Internet community — activists, hacktivists, competitors, former employees, employees, identity thieves, geopolitical entities, foreign governments, terrorists — has any interest in causing you cyberharm? (You can always add the cost of any known cybersecurity breaches at this point.) Ranking those threats and putting dollar signs to them will show the impact on company revenue.
I do see many companies outsourcing this process to consultants. That happens for three reasons: limited time and labour resources, limited domain knowledge and less exposure to the impact of bad news.
Q: In what case is my company legally obligated to report a security incident to the authorities?
A: My best answer would be that when you know a crime has been committed you are ethically obligated to report it. The real question is to what legal authority should it be reported.
A major facet of cybercrime is that in most cases it transcends geopolitical boundaries. Thus, making the call on my jurisdiction can be a tough one. It can also be complicated by the nuances of which law enforcement entity is chartered to deal with this particular infraction.
Q: Given all the investment in defensive measures, are companies generally less prone to serious cybercrime than they were, say, two years ago? If no, why not?
A: Most investments during the past two years (according to most surveys I keep up with and have seen) indicate that the spending on cybercrime prevention has been through technology that faces outward. This means technologies that protect the organisation from the threats that lie outside of the firewall. While this is a good practice and a necessary measure, it is the tip of the iceberg.
The majority of studies into the damages that organisations have had from cybercrime incidents show that anywhere from 70 per cent to 90 per cent of incidents originated internally. This may be an employee, or a former employee with active root-access privileges to his former employer's network. The financial impact is directly tied to a failure to implement internal controls and a security policy that could have prevented the damages from ever happening.
In direct answer to your question, companies are more prone to cybercrime incidents now than they were two years ago for the following reasons: the security measures that have been implemented are not designed to protect against the highest threat level, and the threats that target organisations are dynamic and in real time. Do not for a moment believe that you can rest on your laurels.
Cybersecurity is a task that requires constant vigilance. Every new security measure has two to three exploits being developed (not to the specific security measure, but to the network as a whole).
The only measure that will truly reduce your exposure to cybercrime losses is constant vigilance, and a holistic approach to your organisation's vulnerabilities.