10 Apr. 2013
With China hacking the US, the US hacking China, and LinkedIn and Facebook and credit card companies and Google and who knows who else all vomiting our data all over the web, I was intrigued when a new report on data loss ran across my desk from auditing firm KPMG.
I spoke with Greg Bell, the firm's information protection lead, to parse the data on who loses their information, and how.
How are you getting this data?
Bell: First, we're only able to use information that's made public. We looked at U.S. and non-U.S.-based sources that registered data loss. Whether it is a state with a notification requirement, an SEC filing or an FTC filing, some of these are self-reported. So while this provides a tremendous amount of directional information, there may be inaccuracies, or there may be an active breach going on that's still under investigation [and not reported yet]. Second, it might be that in a certain country or certain location, there's not an imperative or pressure to release that information.
And third, we believe that some organizations have had a data breach and may not be aware of it yet. So this is not 100% accurate, but we believe this provides directional information. That's why we've gone with percentages and not with total numbers.
How is the threat evolving?
There are organizations or groups causing these external factors — groups of organized criminal elements looking to rapidly monetize information; there are groups that have a social or other agenda — the term du jour is hacktivist — and then we're seeing an increase in foreign national threats.
These groups are all targeting specific organizations. Organizations have gone from being a target of opportunity to a target of choice. What used to happen was the equivalent of walking through a parking lot trying every car door. [A bad guy] would scan every company's Internet presence. But what we're seeing today is a target of choice — specific industries, specific companies, specific purposes. And they will use multifaceted types of attacks to gain the information they want. It changes the game.
What industries are most at risk?
What we see increasingly are three key industries. Obviously, governments are huge targets of choice. Financial services — that's where the money is. And the technology industry, for a couple of key reasons: one, there's intellectual property there, and two, these companies may provide pathways to other [targets]. Those are the three places we're seeing the focused targets of choice, but we have seen targeted attacks across all industries, from the Fortune 500 to very small businesses.
Selfishly, I have to ask: why are so many hackers interested in the media industry?
It's the nature of the information, the desire for monetization. The information has value. Whether that be, I want to download and distribute the latest version of a movie, or —
Wait, you mean that level of hacking is so high because of all the people illegally downloading movies and music?
Yes, piracy. That's most of those targets.
Eek, so we're all hackers...not that I've ever illegally downloaded a song. [Nervous laughter. Awkward pause.] So what's the lesson here for business leaders?
The key is not to take an "Oh no, the sky is falling" approach, but to factor it into their consideration of risk. It means understanding how valuable your information is: the IP that makes them unique, the operational data they rely on every day, the information that may be entrusted to them by their employees or business partners. That value is being sought after by many other organizations. Think about, "What would happen to my business if my unique manufacturing technique was stolen by a foreign government? What would happen if the operational data I use every day to make decisions got compromised, and someone was changing that data to make it look worse or better than it actually is?" Organizations just need to realize that's a risk.
For most organizations, that discussion has been very IT-centric. But increasingly, it's an executive management discussion and a board discussion.
Let's talk about the global trends. One of your surprising findings is just how much the US is decreasing as a percentage of total hacking incidents. Do you think that gives credence to other governments' assertions that they've been subjected to hacking attacks?
Well, the US has always tended to be a little more transparent. So while the chart might show that five years ago the U.S. was 75% of the global total, it might just be easier to gather that information. What we're seeing now is that all major foreign entities are very focused on the situation. More governments are getting involved, for the purposes of intelligence, economic development, and cyber offense and cyber defense as part of the next generation of warfare. Every major country is developing that kind of capability.
So incidents [of data loss] everywhere are increasing, and people are more comfortable reporting incidents. Awareness is increasing. We're also solving the easier problems; the low-hanging fruit, the easy security holes have been shored up. All the easy information has already been dealt with. Now they're looking for very complicated information. Not just breaking into your website, but going after your business partners, your employees, your email account, even targeting former employees. It's much more insidious.
So is this something you see as requiring national policies, government intervention? Or is this something individual firms will have to grapple with on their own?
I think you're going to see an increase in national policy [in the United States] and elsewhere. That alone is not going to solve the issue. For companies that operate globally, across many borders, one country's policy will not protect them. It's still going to be up to the corporation to take prudent care.
So it's sort of like how the government may provide a police force, but banks and stores still have a security guard.
Exactly. I like that metaphor.
This blog first appeared on Harvard Business Review on 03/12/2013.