"Corporate Considerations: Dispelling the Myths of Cyber Security"
By Neil Jarvis, CIO, Fujitsu America, Inc
In the blockbuster hit, “Skyfall,” James Bond’s mission is to find and stop Raoul Silva, a former British agent who felt betrayed by “M” and his government. As it goes, he decides to take revenge by stealing critical information that could bring down MI6 and the world at large. Naturally, there were shaken martinis, explosions, shootouts and hand-to-hand combat, but the primary threat was not a physical one but rather a digital one; critical information stored on computer drives and servers that had the potential to usher in a world of chaos.
The movie is classically Bond with its over-the-top storyline and risk of worldwide destruction. And while there are some similarities to the real world, I must admit that the reality of cyber-attacks is far less sensational and doesn’t have quite the glamour of a typical Hollywood blockbuster. To be sure, cyber security is an important issue that the world at large is dealing with today, where every day we hear of a new company that experiences a security or information breach. But the fact is, cyber security is a broad and often misunderstood topic, and there are a few myths that are worth dispelling.
Myth 1: All hackers are looking to steal your identity
Take a second and think about how much of your life is stored digitally. If you really took the time to take stock of all your sensitive personal information, I would venture a guess that more than 90 percent of it is stored online. This isn’t a bad thing—it’s a convenient timesaver that makes life easier. Are there people out there looking to steal this information? Sure, but consider this: most hackers see themselves as intellectual elitists—people who would not waste their time stealing an individual’s identity when they can achieve far greater fame by gaining access to large, complex systems at well-known targets.
In this regard, corporate information is a highly sought after commodity, as it gives a hacker credibility and notoriety within their community and it can be financially beneficial in the long run; higher risk for higher reward. Let’s imagine that a hacker gains access to a discount retailer’s network by creating a backdoor on a compromised system and successfully installs malware to steal sensitive company information. Let’s now assume that this information was sold to an unscrupulous competitor seeking the inside scoop on internal business processes, customer information or sales data—information that would give them a competitive advantage and bolster their bottom line.
In this sense, you can see why a hacker would target corporate information vs. personal information. However, data by itself isn’t everything it’s cracked up to be, as we see in the next myth.
Myth 2: Data is Valuable
One of the major misconceptions that people have of security breaches is that data is inherently valuable. The truth is, when a hacker gains access to a network, they target data with the hope that disparate items can be somehow organized to create meaningful, usable information. Data is just data; unless a hacker knows enough to make sense of it all, he or she is going to have a difficult time generating any insights from it.
In Skyfall, Raoul Silva was a formidable opponent because he was a mastermind at using raw government data to plot revenge on MI6. Admittedly, he had access to highly sensitive information such as employee records, safe-houses, structural vulnerabilities, etc. (it has to be somewhat challenging for 007, after all), but the way he was able to translate that data into a cohesive plan of action is what was interesting and scary at the same time. These are the skills that 21st century hackers need to have in order to make a hack worthwhile, but data analysis isn’t typically on a hacker’s resume.
When a hacker finally gains access to a compromised system, there isn’t a yellow brick road that says “click here for financial information” or “employee records this way!” Although hackers have a strong background in security and computer languages, not many know how to untangle a web of data and reorganize it. You’ve read about numerous security breaches on a range of companies, but how many times have you read about what hackers did with the information after the fact? I’ve never actually seen one. That is not to say that compromised data has never been used for nefarious purposes; I am just not convinced that it is widespread or that anyone has truly found a way to make tactical use of the information.
Myth 3: Security Breaches are Malicious in Nature
The term “security breach” usually comes with a negative connotation, which is understandable, since I’ve never known the word “breach” to ever be used in a positive sense. However, I don’t believe that it’s the intention of most hackers to cause digital mayhem. As I stated earlier, hackers consider themselves to be elitists and just perform security breaches to prove they can be done.
A recent Buzzfeed article notes that hackers want more credit and benefits for helping companies find vulnerabilities within their systems as opposed to wanting to sell the information on the black market. For example, one hacker found malware in Android’s system that could have affected more than 95 percent of phones on the market, but the discovery was reported to Google and not sold on the black market. Imagine what someone could have done with this information had it fallen into the wrong hands?
We are still in the early stages of cyber security, which is a good thing when you consider that data is still only data to most hackers. There is a steep learning curve that most hackers haven’t conquered yet. For companies to properly address cyber-security, it’s important to take a proactive approach and even get ahead of the curve. Companies with knowledgeable experts, a sound security strategy and a tightly run program fare the best and often have people who know more than hackers. Furthermore, executives need to get in the security game. They need to learn the lingo, get to know their security technicians and play an active role in the effort to keep corporate information safeguarded—not only for the company, but for employees as well. And perhaps most obvious—companies need to get in the habit of destroying records that are not critical to keep for the long term; just because there is endless bandwidth and storage to house digital information doesn’t mean you should keep it.
Just like James Bond will always have a villain to conquer, we will always be faced with hackers who are up to no good. But remember, there are lots of do-gooders out there. They far outnumber the bad guys and are usually smarter, too. The reality won’t make for a good James Bond film, but when it comes to cyber security, the less drama the better.