Friday, March 16, 2007

Why your data is more likely to be stolen than your car

If you decided to shed your morals and take up a life of crime, how would you do it? Would you rob banks? Would you steal cars? If you're a reasonably intelligent crook, you're going to carefully consider all of the risk vs. reward data that you can find. If you are a computer-literate crook, I'll give you one guess where you'll find the greatest reward and the lowest risk of being caught.

Cybercrime.

It's just a fact. Last night, I attended a lecture given by George Kurtz, co-author of the book Hacking Exposed and currently SVP at McAfee, Inc. According to George, McAfee and the hundreds of researchers they employ, cybercrime is now a $105 BILLION industry. And it makes absolute sense. The criminals have become so technically innovative in the way they launch attacks that it becomes nearly impossible to track them down and arrest them.

Countries like Russia, China, India and many others with lax industrial espionage and intellectual property laws also have large numbers of impoverished people. With little law enforcement, access to the world's networks via the internet, and a glut of how-to information freely available, organized crime is training cyber-criminals by the hundreds and making millions and millions of dollars every month.

When you combine high reward, low risk and abundant opportunity, you get a form of crime that is far safer, and more profitable, than traditional crime.

Why does this matter to you? Are you thinking, "OK, but I'm just a nobody" or "My 200 person company isn't big enough to attack" or "With all the computers on the web, what is the likelihood they're going to find me?" If you are, consider this:

Gartner research indicates that between 2007 and 2010, mid-market American companies will become the primary targets of a large percentage of cybercrime.

Again, the reasons are simple:

  1. Most network attacks are not targeted attacks against a particular business. Rather, they operate like a fishing net, thrown into the ocean to see what it catches.
  2. Enterprise-level organizations, generally, have spent the last several years improving their security infrastructure so that they don't get caught in these nets.
  3. The SMB sector lacks the resources and expertise to defend itself. You may have an IT team, but unless you have at least one resource dedicated to security, I will guarantee you that your IT team is not adequately protecting you. They're just too overloaded and don't have the depth of security knowledge.
  4. Here's the clincher: The crooks know all these things. So if you're a crook and you know it will take you a lifetime to penetrate a Fortune 500 network, but you can breach 100 SMBs every WEEK, where is the quickest return on your investment?

That's why you should be concerned. Security threats are real. And if you aren't a target today, you'll be one soon. You need to be prepared.

One quick story - among other things, my company performs security assessments. In one such assessment at a mid-size hospital, our ethical hacking team was able to penetrate the network and access actual patient care devices in the infant ICU. These devices were keeping babies alive. And yet, our team COULD have crashed those machines with one keystroke. Had that been a real hacker ... as a father of three, I don't want to think about it.

Security is about more than protecting data. No matter what business you're in, you have information and systems whose breach could materially impact the lives and livelihoods of you, your employees and your clients. I encourage you to make certain you're doing everything you can to protect them.

Josh

1 comment:

David said...

As The Register once wrote, "ten well placed bullets could put an end to the spam problem." Ten spammers are responsible for 80% of the world's spam.
http://www.spamhaus.org/statistics/spammers.lasso