Jeffrey Bedser, COO of infosec threat-management company ICG, answers readers' cybersecurity questions.
Q: What approaches do you recommend for cost-justifying anticybercrime measures in the corporate world?
A: I have found that many boards tend to react more favorably to data that demonstrates the whole picture in terms of cyberloss. Take a look into what areas the company does business, and where they are impacted by connectivity to the cyberworld. Are there Internet gray market losses? Any losses to credit card fraud? Public relations damage? Internet stock manipulation? Loss of proprietary data? Pending litigation? Who in the Internet community -- activists, hactivists, competitors, former employees, employees, identity thieves, geopolitical entities, foreign governments, terrorists -- has any interest in causing you cyberharm? (You can always add the cost of any known cybersecurity breaches at this point.) Ranking those threats and putting dollar signs to them will show the impact on company revenue.
I do see many companies outsourcing this process to consultants. That happens for three reasons: limited time and labor resources, limited domain knowledge and less exposure to the impact of bad news.
Q: In what case is my company legally obligated to report a security incident to the authorities?
A: My best answer would be that when you know a crime has been committed you are ethically obligated to report it. The real question is to what legal authority should it be reported.
A major facet of cybercrime is that in most cases it transcends geopolitical boundaries. Thus, making the call on my jurisdiction can be a tough one. It can also be complicated by the nuances of which law enforcement entity is chartered to deal with this particular infraction.
I have had the best success within the boundaries of the American justice system by going straight to the U.S. Attorney's Office for referral of criminal matters. While not all crimes fall into this jurisdiction, the U.S. Attorney's Office in each state maintains a cybercrime contact. It will put you in touch with the right law enforcement organization.
Q: Given all the investment in defensive measures, are companies generally less prone to serious cybercrime than they were, say, two years ago? If no, why not?
A: Most investments during the past two years (according to most surveys I keep up with and have seen) indicate that the spending on cybercrime prevention has been through technology that faces outward. This means technologies that protect the organization from the threats that lie outside of the firewall. While this is a good practice and a necessary measure, it is the tip of the iceberg.
The majority of studies into the damages that organizations have had from cybercrime incidents show that anywhere from 70 percent to 90 percent of incidents originated internally. This may be an employee, or a former employee with active root-access privileges to his former employer's network. The financial impact is directly tied to a failure to implement internal controls and a security policy that could have prevented the damages from ever happening.
In direct answer to your question, companies are more prone to cybercrime incidents now than they were two years ago for the following reasons: the security measures that have been implemented are not designed to protect against the highest threat level, and the threats that target organizations are dynamic and in real-time. Do not for a moment believe that you can rest on your laurels.
Cybersecurity is a task that requires constant vigilance. Every new security measure has two to three exploits being developed (not to the specific security measure, but to the network as a whole).
The only measure that will truly reduce your exposure to cybercrime losses is constant vigilance, and a holistic approach to your organization's vulnerabilities.