Published in Australian Anthill Magazine, Dec 2008/Jan 2009
You probably cannot remember the last time you awoke to an inbox filled with messages titled, “I love you.” Emails that, when opened, sent copies of themselves to everyone in your address book. The last mass virus outbreak to affect your system is probably nothing more than a distant memory. Yet threats to digital information security have never been so severe.
Remember when antivirus companies would go to “Red Alert” and the media would be flooded with warnings of what not to click on? A virus or worm would be making its way around the world, leaving in its wake network after network crippled by the sheer traffic volumes it consumed throughout its journey. These resultant outbreaks were the handy work of ad hoc amateur programmers chasing nothing more than notoriety or their dream security firm job once their infinite cleverness was proven to the world.
Today there is none of that. Today there is silence. On the surface it would appear that the good guys have won, defeating the evil virus writers. This, in fact, could not be further from the truth. All that this lack of visible activity serves to achieve is to lull computer users into a dangerously false sense of security. The harsh reality is that information assets are under siege from well-organised, well-funded groups of individuals who have the mechanisms to make substantial profits from your data.
Yesterday’s annoying virus outbreaks have evolved into sophisticated mechanisms designed to circumvent the best defences and infiltrate the most secure networks. No longer do you need to be tricked into clicking on a cool sounding email attachment for your computer to become infected with an unauthorised piece of software. The very act of surfing to your favourite website may be all that it takes to turn your computer into your business’s worst nightmare.
Just imagine that your computer, with all the data that it stores and all the access to your network that it has, was under the total control of an unknown party outside your organisation. Unfortunately, there is no need to imagine too hard. The scenario I just described is typical of modern security breaches. If you are lucky, your computer, along with the internet bandwidth it has at its disposal, will only be used to pump out countless quantities of email proclaiming miraculous breakthroughs in the field of bodypart enhancement. Those less fortunate find that the contents of their networks are now being sold off to the highest bidder on the black market.
Information is only confidential until it is not. There are no second chances. There is no upgrading security and trying again.
Virus outbreaks of yesteryear saw IT staff endure one or two sleepless nights unclogging email servers and deleting infected files. Business quickly returned to normal and the disruption was relegated to a water-cooler anecdote. Try returning to normal following the financial impact of a lawsuit filed by a credit card issuer reclaiming fraud damages caused by disclosure of credit card information stolen from your servers. Try returning to normal from the leak of a pre-patented innovation on which the future of your business hinges. The risks of today’s security threats are just too serious to ignore. The financial impact alone of a significant breach can see a business sent to the wall, with years of research and your life savings evaporating instantly. Lives may even be at stake if the information lost is of a sensitive personal nature or critical infrastructure is under computer control.
Your business will most likely never be the focus of a targeted attack. Modern breaches are opportunistic and are based on sophisticated technologies. A wide net is generally cast and if you become a victim, you may not find out for a significant period of time. Today’s ‘Trojan Horse’ applications lay silent within computer systems, awaiting commands from their controllers. They can operate independently, siphoning information out of your network, or in teams called ‘botnets’, which can be used to perpetrate other criminal activity, such as hacking other networks. Cyber warfare has been known to involve botnets of several hundred thousand computers, sometimes disconnecting whole countries from the internet. If traced, this activity will lead authorities back to your network.
While I have painted quite a dark picture, there is light at the end of the tunnel. My advice to businesses is to look at the information that is stored within their systems and take time to understand its true value. Information is power, but it is also a double-edged sword. All too often, information is collected just because it is possible and easy to do so. Accessible collection technology and cheap storage serve to create a culture of “hoard now and find a use later” when it comes to data. To businesses, the asset value of large pools of information is widely known. However, the liability of its safe custody is seldom taken into account. If you are the custodian of private information, let’s not mince words now. You have a responsibility to protect it, whether you know how or not.
Every additional byte of information in your custody, above and beyond that which is required for business operation, is a liability. It is something of value that needs to be secured. Just ask yourself, would you happily store a valuable piece of equipment in a warehouse that has no benefit to your business, knowing that if it were stolen you would be held responsible? Of course not. Then why would you do so with information? Some examples that immediately spring to mind: A sporting club that stores an image of each patron’s driver’s licence as they enter, or a retail outlet that has staff swipe their client’s credit card through their point-of-sale terminal as well as the bank-issued EFTPOS machine. When capturing information, consider first whether it will add to business value or serve only to paint a target on your systems.
Small businesses thrive on close-knit teams of people, which breeds familiarity. This, in turn, often encourages a cavalier approach to the use of technology. While this may seem to be contributing to an open and relaxed workplace, the door may be opening for a data breach to take place. Seldom do small companies have the expertise of specialist security personnel on hand. The growth in the use of technology is often dynamic and fuelled by the necessity to provide services, ensuring that security often takes a back seat. Take the time to seek professional advice and set up a framework that will see the risk to your hard-earned business assets properly mitigated.
The information age has allowed us to communicate and do business in ways that were unimaginable thirty years ago. With consideration for the true power at our finger tips, and by valuing the privilege entrusted to us, we can all work together and create a world safe for exchanging digital information.
Adam Biviano is Key Partner and Alliance Manager at Trend Micro. He has spent the past 15 years advising clients on how to secure their assets from cyber attack.