BreachExchange mailing list archives

Shoring up cybersecurity tied to bottom-line losses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 22 May 2014 19:53:33 -0600

http://www.contracostatimes.com/business/ci_25818380/shoring-up-cyber-security-tied-bottom-line-losses

Despite a torrent of high-profile data breaches -- most recently at eBay --
many security experts fear businesses and consumers will continue doing
little to bolster their protections against cybercrooks until they feel it
in their pocketbooks.

This week, the San Jose e-commerce company revealed that a database
containing customers' names, passwords, phone numbers, dates of birth,
email and home addresses was compromised. But as with most other recent
hacks, eBay said it had no evidence anyone's money was stolen. And that --
ironically -- is the problem.

Unless such attacks result in widespread financial losses, experts say, the
threat won't be taken seriously.

"Until it hits them at home, it won't matter much," said Scott Goldman, CEO
of security firm TextPower, based in San Juan Capistrano. "The very fact
that people are becoming numb to the constant stream of breaches indicates
the pathetic level of security provided by most online services."

Like many individuals, businesses often balk at the cost of cybersecurity,
figuring it's not worth the benefit.

"Most companies are focused on revenues and profits; unfortunately,
security doesn't drive either of those two priorities," said Eric Chiu,
president of Mountain View security company HyTrust. "Instead, they view
investment in security as insurance which they can put off until something
bad happens, which is too late."

The problem with that approach, he added, is that it can wind up backfiring.

"As we have seen from Target," he said, referring to the retailer's
disclosure in January that thieves stole payment card and other information
from at least 40 million of its customers, "the potential costs of not
putting customer data as a top priority are brand damage, loss of customer
trust and ultimately major business impact."

Target's breach reportedly has cost it close to $1 billion and prompted the
May 5 resignation of its CEO.

To bolster customer security, Target has said it plans to spend $100
million to adopt so-called chip-and-PIN payment cards that are harder for
crooks to counterfeit and use. Other retailers reportedly are considering
doing the same, though researchers warn that the advanced cards also have
vulnerabilities.

"Less than halfway through 2014 and we're already beginning to lose count
of the number of big-name companies fallen victim to attacks like this,"
said Alan Keller, CEO of San Jose security company Vormetric.

Target is not the only recent case: on Monday, U.S. authorities charged five
Chinese military officials with hacking into U.S. corporations to steal trade
secrets.

And in April they said they were investigating the criminal sale of Social
Security numbers, bank account data and other personal information for up
to 200 million U.S. citizens, after a breach at Court Ventures, a Southern
California subsidiary of credit-reporting giant Experian. Moreover, the
recently discovered Heartbleed bug has endangered data on innumerable
websites.

Given such revelations, some companies are taking steps to shore up their
security, though experts say it's not enough.

"The recent uptick in data breaches is helping shift companies from a 'it
will never happen to us' mentality to a 'we now have to budget for better
security' one," added Jean Taggart of San Jose-based Malwarebytes.
Nonetheless, he said, "there are of course still many examples of startups
that simply don't factor in security in the rush to build a user base."

Mark Bower of Cupertino-based Voltage Security added that "what's missing
in this data-driven business trend is consideration for data security and
privacy from the beginning -- and it should not be an afterthought, given
the massive risks to business and consumers alike."

Among other safeguards, experts say companies should require two means of
identification for accessing their websites and case-sensitive passwords
that have no fewer than eight characters, including numbers or punctuation
marks. They also recommend limiting the number of employees who can see
sensitive data, encrypting the information and putting it on separate
computer networks that aren't linked to the Internet.

In addition, because many experts say it's impossible to keep hackers from
infiltrating a company, firms are often advised to at least keep an eye on
what the bad guys are doing by luring them with attractive but fake data to
so-called "honey pots," where they can be monitored.

Consumers also need to stop using passwords like "password" or "12345,"
which hackers find easy to guess.
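The password advice above (case-sensitive, at least eight characters with a digit or punctuation mark, nothing as guessable as "password" or "12345") and the recommendation to encrypt stored data can be put together in a few dozen lines. The example below is added here and is not code from the article or from any company it quotes; it uses Python's standard library only. The blocklist, the iteration count and the sample passwords are constructed for illustration. Enforcing the policy is only half the job: if the user database leaks, as in the eBay and Target cases the article describes, what protects customers is that passwords are stored as salted, slow hashes (PBKDF2 here) rather than as plaintext or a fast unsalted hash.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Constructed blocklist: the article's two examples plus a few other
# perennially common choices. A real deployment would load a large list
# compiled from published breach corpora.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count, tuned so one
# verification costs on the order of 100 ms on the login servers. This is
# what makes an offline attack on a leaked database expensive.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty = OK).

    Mirrors the article's recommendation: case-sensitive (we never lowercase
    the password itself), at least MIN_LENGTH characters, at least one digit
    or punctuation mark, and not a trivially guessable word. The blocklist
    comparison deliberately lowercases and strips trailing digits/punctuation
    so that "Password1" or "password!" are still caught.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or punctuation mark")
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a (salt, digest) pair suitable for storing in the user table.

    A fresh random salt per user means two users with the same password get
    different digests, so a leaked table cannot be cracked with one rainbow
    table or one pass over a wordlist.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def register(password: str) -> Tuple[bytes, bytes]:
    """Policy check followed by hashing; the plaintext is never stored."""
    problems = check_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("password", "12345", "Password1", "Tr0ub4dor&3"):
        print("%-12s -> %s" % (candidate, check_policy(candidate) or "accepted"))
    salt, digest = register("Tr0ub4dor&3")
    print("stored salt=%s digest=%s..." % (salt.hex(), digest.hex()[:16]))
    print("login with correct case:", verify_password("Tr0ub4dor&3", salt, digest))
    print("login with wrong case:  ", verify_password("tr0ub4dor&3", salt, digest))
```

Note that the policy in the article is a floor, not a ceiling: an eight-character password with one digit is still within reach of a determined offline attacker, which is exactly why the server-side hashing cost matters as much as the client-side rules.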

But convincing everyone the threat is real isn't easy.

"Nobody cares about things that are somebody else's problem," said Jonathan
Sander of Stealthbits Technologies, a security company in Hawthorne, New
Jersey. "And the breaches hitting the news all feel like they happen to
other people."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
