Imagine for a moment that a gang of bank robbers decided to target the big guys — Citi, JPMorgan Chase, Bank of America, Wells Fargo — you know, the ones where a billion dollars is petty cash.
The robberies always use the same basic techniques, and the amounts stolen are starting to add up.
Plus, it’s embarrassing. But so far nobody has managed to catch the culprits.
Do you think these companies would have the wherewithal to take care of the problem?
Listen to the apostles of capitalism and you might think so. And yet, in the contest between world corporatism and cybercriminals, the cybercriminals aren’t just winning. They’re winning with impunity, so much so that InfoWorld’s Roger Grimes — not the kind of person you’d call a hysteric – is using words like “crisis” and “catastrophe” to describe the situation.
Now I ain’t no expert. And as regular readers know I try to avoid the grand American inverse correlation between knowledge and strength of opinion, so I’m not claiming to have the solution, or even a solution.
Just some notions. Like these two for all corporations:
- Spend more. No, you can’t solve problems by throwing money at them. You also can’t solve them by refusing to spend money on them.
Target, for example, expects its data breach will cost it something like a billion dollars in direct costs, and that doesn’t include damage to its brand and lost customer loyalty. And Target’s cybersecurity wasn’t all that much worse than average.
Its cybersecurity budget? Do some Googling and back-of-the-envelope scratching (I couldn’t track down the number) and you’ll probably arrive at a number along the lines of $125 million. Do the math.
- Practice identity management 101: I don’t have a statistically valid sample, but I am invited into enough companies to think this conclusion is reliable: way too many companies are way too sloppy about identity management.
We’re talking about the basics, not anything fancy. Lots of companies provision new employees by “making her like him” instead of by defining access rights and restrictions by role. Way too many add rights as employees take on new responsibilities without removing the ones they don’t need anymore.
This isn’t complicated. Just time consuming. Also, silo-busting, because HR should be the hub, not IT. After all, every hire, transfer, promotion and termination flows through HR, and these are the exact events that should trigger changes in rights and restrictions.
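As an added illustration of the point above (example code written for this page, not from the original post), here is the difference between “making her like him” and deriving rights from roles on every HR event; the role names, entitlements and event shapes are assumptions.

```python
# Added example: role-based provisioning driven by HR events versus cloning
# an existing user. Roles, entitlements and event names are hypothetical.
from dataclasses import dataclass, field

# Hypothetical role -> entitlement map; in practice this lives in the IAM system.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.ap.read", "erp.ap.post"},
    "ap_manager": {"erp.ap.read", "erp.ap.post", "erp.ap.approve"},
    "hr_generalist": {"hris.read", "hris.update"},
}


@dataclass
class Employee:
    emp_id: str
    roles: set = field(default_factory=set)   # what HR says the person does
    rights: set = field(default_factory=set)  # what the systems actually grant


def clone_provision(new: Employee, template: Employee) -> Employee:
    """'Make her like him': copies every right the template has accumulated."""
    new.rights = set(template.rights)
    return new


def entitled(emp: Employee) -> set:
    """Rights the employee should hold, derived only from current roles."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in emp.roles))


def apply_hr_event(emp: Employee, event: str, role=None) -> Employee:
    """Hire, transfer and termination recompute rights from roles.

    A transfer replaces the old role, so its rights are dropped rather than
    piling up on top of the new ones."""
    if event in ("hire", "transfer"):
        emp.roles = {role}
    elif event == "terminate":
        emp.roles = set()
    emp.rights = entitled(emp)
    return emp


def excess_rights(emp: Employee) -> set:
    """Access-review check: rights held beyond what current roles justify."""
    return emp.rights - entitled(emp)
```

Run `excess_rights` over every account after each HR event and the accumulated leftovers the post describes show up as a non-empty set.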
Corporations can certainly do better when it comes to protecting their cyber assets. The cyberprotection industry worries me more. In the aggregate they (truth in advertising: I’m a Dell employee. Elsewhere at Dell we have information security products and consultants, so in a sense “they” is “we”) … in the aggregate the cyberprotection industry has more money to spend on defense than the bad guys have to spend on offense.
Yes, offense is easier. And yet, if everyone involved pooled their knowledge and resources …
Phishing attacks are the biggest source of security breaches. Couldn’t, for example, IBM put Watson on the hunt? It’s a classic big-data-analytics problem. Even without creating a public repository for everyone in the world to send phishing emails they receive, IBM employs enough people to get this started.
If Watson-style technology can spot credit card fraud, surely its analytics can spot phishing attacks as well.
Here’s another: Stop with signatures already and deal with behavior. As in, the problem with computer viruses is that they make computers do things the computers’ owners don’t want them to do.
I know I’m going out on a limb here on the strongly-held-opinion-correlated-with-ignorance front. Still, bear with me.
What does malware do? It: wipes hard drives; sends out data without a triggering keyboard or mouse command; updates files and databases without a triggering keystroke or mouse command; sends out massive amounts of email without a triggering keystroke or mouse command …
How hard can it be to write features into the OS kernel that monitor for these sorts of malware tells? Pop a big message onto the screen warning users in plain English about what their computer has been instructed to do and ask if it’s something the user wants it to do.
These are probably naïve and simple-minded suggestions. I’m not, after all, an expert in the field and besides, I’m giving these ideas away for free.
Unlike yours truly, the cyberprotection industry has all the expertise it needs. It has, in the aggregate, big R&D budgets. How about coupling these resources with the same level of innovative thinking cybercriminals put into their attacks?
What’s clear: Our current strategy … identifying the next threat and responding to it … guarantees we’ll always be a step behind.