BreachExchange mailing list archives

Why do companies keep getting hacked?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Aug 2014 19:18:19 -0600

http://www.cbsnews.com/news/why-do-companies-keep-getting-hacked/

Hackers again showed how powerful electronic attacks can be when they
forced Sony's PlayStation Network and Blizzard's Battle.net offline over
the weekend. The same group responsible for shutting down the gaming
platforms, which calls itself the Lizard Squad, also claimed credit for
sending a bomb threat via Twitter that grounded a plane carrying Sony
Online Entertainment president John Smedley.

Blizzard said on Sunday that it had returned its network to service. Sony
finally announced at 11:33 pm on Sunday through Twitter that the
PlayStation network was also up again. After the first set of attacks,
Lizard Squad indicated that it was targeting Microsoft's Xbox Live network,
and some users have experienced login difficulties.

The attacks are the latest in what has become a wave of actions targeting
websites and companies. Earlier this month, the computer systems at 51 UPS
stores were found to have been infected with malware that could potentially
allow criminals to gain access to consumer data. The FBI has said that up
to 1,000 retailers could have malicious software on their sales systems,
potentially exposing reams of sensitive information to identity theft and
financial fraud.

The onslaught comes as businesses are moving to collect more and more
information about their customers. The theory is that using data on a
person's interactions with a business, along with other commercially
available information, can help companies better understand consumers and
better target their marketing. But that means corporations keep
increasingly sophisticated and detailed stores of data.

That expanding storehouse of private data in corporate hands also provides
a growing target for hackers. Some might look to disrupt activities of a
business for a variety of reasons, including making a name for themselves,
a dislike of a particular company, a political motive, or an interest in
obtaining personal information to use or sell illegally.

But why do companies keep getting hacked? After all, security software is
plentiful, and businesses would seem to have ample incentives to protect
themselves. In fact, however, companies routinely ignore such threats for a
variety of reasons:

- Corporate executives often won't spend sufficient money on security
because they see it as a pure cost that doesn't offer a financial benefit
- It takes a major breach to wake executives up, but they rarely understand
the technical issues, so assume once something is fixed, it is invulnerable
- High corporate turnover means corporate leaders tend to forget the
lessons they just learned
- Keeping systems safe is arduous, requiring some companies to tend to
thousands of computer servers and the ever-changing software they run
- Changes in systems and software mean ever newer security flaws that
hackers can exploit
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
