
Despite billions spent on cybersecurity, companies still aren’t truly safe

23 August 2016

Gold said his research has shown that companies tend to fall six months behind, on average, in providing security patch updates. “That’s like leaving the front door unlocked when you know burglars are in the neighbourhood.”

Gold said his impression is that enterprises are “probably” doing better on security than they did a decade ago, but there are now more attacks than ever.

Unfolding attack
Litan described one example of how a hack works. Foreign states, including China, are able to target human resources data at a private defence contractor’s manufacturing plant to get information on all the Americans working there.

“They can find out where all the workers’ kids go to school, then email one of the engineer’s teachers to say one kid’s been acting up, so please come to school as soon as possible,” Litan said. “That engineer’s likely to open that email and, then, get infected with some kind of malware.”

A foreign state, or even a criminal gang, also might try to recruit the engineer to share design secrets for a new manufactured product, even one under contract with the US Defence Department. Or, the malware could sit inside a system for a long time, grabbing up bits and bytes of passwords stored in memory that eventually allow the hackers to gain access to more secure portions of a corporate network.

“Some workstations in companies have administrative rights, and that’s where an admin’s password could be hacked,” Litan added. Or, a hacker might find out that a service contractor had worked on the manufacturer’s point-of-sale (PoS) system, and target that contractor for the passwords that give entry to the PoS.

“There are so many hacks now,” Litan said. “Compared to 10 years ago, systems are more connected than ever.” A decade earlier, in the 1990s, the use of the Internet by the private sector was only just beginning and has since grown exponentially.

Reported and unreported hacks
A factor complicating the private sector’s cybersecurity dilemma is that companies do not want to talk publicly about having been hacked, for fear of losing customers or investors. Analysts believe there are many more hacks against enterprises than are being publicly reported.

Companies that are doing better with the newer cybersecurity systems, especially financial services and telecommunications, don’t want to brag about their achievements out of concern they will only invite attacks.

Some attacks are widely discussed with a lot of wisdom after the fact. They include the Sony Pictures hack in 2014 and the data breach of retailer Target in late 2013, where PoS malware stole credit and debit card information on more than 70 million customers.

Many hacks of private sector companies are not detailed in public, as indicated by the admissions of employees in anonymous surveys. A new survey of 3,027 IT workers and end users at US and European organisations found 76% had been hit by the loss or theft of important data over the past two years, a sharp increase from 67% in a similar survey done in 2014.

The survey was conducted by the Ponemon Institute, an independent research and education group focused on information and privacy management. Of the 1,371 end users in the survey, 62% said they had access to company data that they probably shouldn’t see. IT workers in the survey said negligence by insiders was more than twice as likely to cause the compromise of insider accounts as compared to other factors like external attacks, or actions by disgruntled workers or contractors.

The institute concluded that data loss and theft was due largely to compromises of insider accounts, exacerbated by far wider employee and third-party access to information than is necessary. The institute also said companies continue to fail to monitor access activity around email and file systems, where most of the sensitive data lives.

Industry variation
The level of security varies by industry segment. Healthcare institutions, specifically hospitals, almost always get a bad mark. IDC said in a recent report that hospitals, universities and public utilities rank worst in their security capabilities and practices.

A recent survey showed a significant number of health care IT pros reported their systems are not encrypting patient data, as recommended, and they feel hampered by a lack of manpower and money.

Not surprisingly, ransomware attacks were named by 69% of the 150 respondents as the top concern.

There is some good news, however, on the front to thwart cyberattacks from nations competing with the US. Analysts and companies, such as Duke Energy and Verizon, were encouraged recently when US intelligence officials said they would soon share supply chain threat reports with critical US industries in telecommunications, energy and financial businesses.

Those threat reports will go beyond some of the conventional software means of tracking existing hacks into other companies and locations and hopefully will reveal information about human actors and their potential targets, Litan said.

Even so, keeping up with cybersecurity will be an evolving, constantly changing process for the private sector.

“For companies, it’s a matter of paying attention,” Litan said. “Companies don’t spend enough time and money on the problem. They don’t think they need to. It’s a matter of priorities.”

“Attacks will surely get worse, even as cybersecurity software improves,” Litan said. “There’s a hotbed of innovation, even though people don’t focus enough on security. Basic technology must be put in place. We all really live in a bad neighbourhood and we all need locks on the doors.”

IDG News Service
