Cyber Crime – Why “Prevent, Detect, React” Doesn’t Work

by Jim Noble, Director, TAC International

While I am accustomed to presenting to IT audiences and university students, last week I had a most unusual audience. The occasion was the annual conference of the New York Stock Exchange, and the audience consisted of 450 Directors of the Boards of NYSE member companies.

They are accustomed to thinking of business risk in terms of their familiar frame of reference. So cyber crime is just another business risk, comparable with physical crime. My message was rather stark – thinking in that frame of reference is a serious mistake, and contributes to much of the complacency we see in businesses everywhere. With physical crime, you lose something (e.g. an asset). You know that you have lost it, and you do something about it. So fraud, theft etc. are relatively easy to discover. But businesses are becoming increasingly digital, and with cyber crime nothing goes missing. Your assets (e.g. intellectual property) are still where you left them, and there is no evidence of compromise. Cyber criminals copy the asset rather than taking it away. This contributes to the phenomenon “It takes them minutes to break in, and it takes a company weeks or months to discover the incursion”.

Actually, it is worse than that. Most companies never discover that they have been compromised, and it is virtually impossible to block a determined, sophisticated attacker.

So the conventional wisdom in digital security of “Prevent, Detect, React” rarely applies – you can’t prevent, you probably won’t detect, and so how could you possibly react?

I don’t want to spread fear, uncertainty and doubt; but I was determined to shake these Board members out of their complacency! So I tried to balance the bad news with some good news – while it is impossible to defend all your petabytes of digital assets equally, it is possible to defend the crown jewels (the 5% or so that really matters, such as your Board meeting minutes, your M&A plans, your product R&D, your Q2 results due to be published tomorrow…). I asked how many companies had a data classification scheme, allocating (say) Unclassified, Restricted, Confidential and Secret categories to their data. You guessed it – almost none of the companies did this. The usual rebuttal is that their company is not a bank, or a military contractor, or the White House… and so it is not a target for cyber crime. But of course that is a popular misconception, and even if your company is not the primary target, you might be a supplier to another company that is, and your privileged access is what the bad guy wants.

So I rest my case with the famous quote from the Director of the US National Security Agency – “You don’t know when they were there, when they left, what they took, and what they left behind”. And until you acknowledge that, you will leave gaps in your defenses or your monitoring that the bad guys will easily exploit. The recent case of Edward Snowden was a good example of this. His employers thought that his government clearance of Secret and his exemplary record were sufficient controls for a Systems Administrator with proper access to highly sensitive data, but they could easily have implemented separation of duties, so that the data could not be accessed without at least two authorized people. Now that their awareness has been raised, I think security will be better in future.

Will it take an incident at your company before you take this seriously?

What is your company doing to deal with cyber crime?