Alex O’Donnell and the 40 CyberThieves
sfchronicle.com by Marcus Chan
Social Security numbers and other personal information have been popular targets by cyber crooks. But a new report says thieves have shifted their focus to corporate data such as trade secrets and marketing plans, making it the “new currency” of the underworld economy.
The report, based on a global survey of more than 1,000 senior IT workers, follows recent headlines of hacker attacks on Nasdaq OMX Group, RSA Security and energy companies.
When it comes to these targeted attacks, many companies have taken the approach that “it won’t happen to us, and if it does, we’ll just pay for it then,” said Simon Hunt, a vice president and chief technology officer at McAfee, which is based in Santa Clara. “What’s become evident over the past year is that it’s happening more than people expected.”
McAfee, which sells cyber security products and services, authored the study with SAIC, a scientific and engineering company that works with national security agencies.
The potentially bigger payday from selling stolen proprietary data, along with the trend of businesses putting more of their information in the cloud, have made intellectual capital a bigger target, the report said.
To illustrate the impact of these targeted attacks, the report noted how a quarter of the companies said a data breach – or the serious threat of one – caused them to either stop or delay a merger and acquisition or a new product rollout.
The survey also found that when an organization suffers a data breach or loss, only 3 out of 10 report all such instances to government agencies or authorities, or stockholders. About 6 out of 10 “pick and choose” the incidents they report.
“Companies certainly aren’t doing all the reporting they should or that I think most people would like them to,” said Scott Aken, vice president for cyber operations at SAIC.
Businesses are also “generally trying to store their data in locations where they’re offered the best ability to pick and choose whether they have to notify (about) a breach or not,” he added. “Some countries’ laws are set up in such a way that maybe they don’t have to report.”
Further obscuring the full picture of data theft is the fact that many companies may not even realize they’ve been breached.
“Malware is really clever, hides itself well and is hard to detect,” said Fred Rica, a security expert and principal at PricewaterhouseCoopers. “We still see a lot of clients where we find evidence of a breach on their network, but they just didn’t know.”
Rica also said that amid cyber criminals’ efforts to steal intellectual capital, he’s still seeing a huge amount of personally identifiable information, such as credit card numbers, being stolen.
Among the report’s other findings:
— Lost or breached data cost companies more than $1.2 million on average. That compares to less than $700,000 in 2008, when a similar study was done.
— In the United States, China and India, organizations are spending more than $1 million a week on protecting sensitive data abroad.
— Employees’ lack of compliance with internal security policies was considered the greatest challenge to securing information.
As for the outlook, Aken of SAIC expects to see more of these sophisticated attacks.
“We’ll continue to see very well-coordinated attacks against big companies that have good security postures in place,” he said.
