"Business technology news for Europe's senior executives...."
12 May 2010

Unsecure Economies

By Greg Day, principal security analyst at McAfee


Businesses today are facing a maelstrom of security battles. They are being attacked from all angles: the increase in cyber crime that correlates with businesses’ increasing dependence on technology, the current global recession, and the risk of working with and relying on third parties in different geographies. It seems even the humble employee may, at times, not be so humble any more.

McAfee's recent report "Unsecured Economies: Protecting Vital Information" highlighted that, last year alone, companies across the globe lost $1 trillion in intellectual property (IP) due to data theft and cybercrime. This unnecessary expense is draining money from the bottom line, putting businesses' and their employees' futures at risk.

The root of the problem

The security landscape is always shifting and changing. As soon as a new type of threat is identified, another emerges. Because of this, perceptions of the landscape can become dated and security strategies vulnerable. Organisations must constantly strive to stay ahead of the criminals. In order to achieve this, they must be thinking ahead to what the next threat might be, not what their perception of it is.

Once, a company's value was based on its physical assets and product. Today, information is being traded in the criminal underground as currency. In some cases, there is more earnings potential from the data than in the company's own bank account. As a result, criminals stand to find more value in the data an organisation stores than if they raided its warehouse and safe. For the criminals, data is not only of value but is more within their reach.

Compounding the situation is the pressure that the economic downturn is placing on organisations to cut spending and reduce staffing levels. Though seen as actions to safeguard the company, these moves may leave its security defences porous and open doors for cybercriminals.

The HR issue

Businesses know there is always the possibility of a less than conscientious employee who would steal or misuse corporate data, just as they might employ a careless individual who would leave their laptop on a train. But now, current staff-cutting exercises are increasing the number of disgruntled employees who were once loyal. Whether it is due to malicious intent or financial desperation, the level of insider threat is growing (see Figure 1).

Figure 1.

Independent research[i] into security threats for large multinationals shows that laid-off employees are the biggest threat resulting from the downturn (42 percent). Outside data thieves and financially compromised employees are also rated highly at 39 and 36 percent respectively (see Figure 2).

For those that are losing their jobs, the impetus for stealing data might not necessarily be to sell it to cybercriminals. Rather, they are just as likely to take it to give themselves a competitive edge when applying for a new job. They may plan to entice their potential new employer with existing knowledge - and even data - from their current employer. They may also start companies of their own with the insight they gain.

Some companies are responding to the increased insider threat by locking down USB ports and CD-ROM drives on employees' computers. This technique is used by many Indian IT companies. Other extreme measures include requiring managers to be copied on all emails sent outside the organisation and monitoring print queues for potential leaks by employees.

Such drastic measures often reduce productivity and can actually cost companies more in resources than simply imposing the right policies, enforcing those policies and using the right protection security solutions.

Efficiencies causing problems

Cost-cutting measures are often described as 'efficiency drives'. However, this can be misleading. Restricting unnecessary travel and turning off the office lights at night is efficiency, but when it comes to your company's IP and security arrangements, caution is required. An alternative service may appear cheaper, but the quality may be compromised so these consequences must be considered before costs are cut.

The average company now has $12 million worth of sensitive information residing abroad - outsourced and offshored. The UK is at the top of the league with $15.2 million. A number of factors are influencing the trend for storing vital information offshore. A quarter of companies (26 percent) cite cost reduction as a key driver. Labour is substantially cheaper in countries such as India, compared to western Europe. Other drivers for storing and processing sensitive information outside of the home country are supply chain partner efficiency (33 percent) and superior expertise (30 percent). Interestingly, there are some companies who view it as safer to store data outside of their own country, for example, 60 percent of Chinese companies.

Can you judge a book...?

Geopolitical perceptions provide a dilemma for many organisations wishing to outsource their data. The intrinsic benefit of using cheaper labour is opposed by the concern over second and third world countries' attitude towards IP and data security. In the research, 26 percent of respondents avoided offsourcing to China because of its lack of IP protection. A quarter avoided Pakistan because it is viewed as home to some extreme fundamentalists and a hacker heaven. Its neighbour, India, is suffering from previous bad press over data breaches (39 percent) and Russia is still viewed as a risk because of the control the Russian mafia holds (19 percent).

Aware of the risks they are exposed to and the effect of negative publicity, some countries are devoting a high proportion of their overall IT budgets to security. India is the highest in this category, with 35 percent, closely followed by China at 33 percent. The UK average was four percent. But perceptions can be misleading, and although China looks to be more concerned than the UK over IP security, it also had the highest average loss of IP per company, at $7.2 million. The UK has the lowest figure at $375,000.

Legal considerations

Compounding the problem of identifying a safe country and company with which to outsource data is that there is a minority of companies who do not report or pursue security incidents. Among Chinese firms, for instance, 28 percent do not follow security incidents to their finish because of the costs involved; another 35 percent avoid them because of the bad publicity associated. Interestingly, just under a quarter (24 and 22 percent respectively) of Dubai and Indian firms do not investigate such occurrences due to a lack of "cooperation". This resistance could exist at the firm, local, government or international level, but indicates that problems are not being addressed somewhere along the chain, as is necessary.

The seemingly cheaper price of storing assets abroad must be tallied against the increased complexity that holding data in another country brings. In many countries, data protection and disclosure laws focus on the premise of protecting individuals' data. Businesses may be subject to local legislation based on the geography of the person whose data they are retaining, not just the countries in which they have a business presence.

Staying secure

What can start as a cost-cutting exercise can easily deteriorate into a money pit if security measures implemented by suppliers do not meet standards. When considering the efficiencies brought about by offshoring (and there are many), businesses must also consider the costs if a data breach were to happen. Among the expenses to be incurred are the costs of data recovery, notification of individuals affected, litigation, analysis and remediation. This is before the potential fines the business will incur and calculating the irreparable damage to the brand. Cost-cutting measures should only cut costs, not reduce the effectiveness of vital business processes. If a data breach is incurred, it will only cost the business more, at a time when it can ill afford it.

 


[i] All statistics referenced are sourced from Unsecured Economies: Protecting Vital Information, a global study by Vanson Bourne, including collaboration with academic experts, commissioned by McAfee. The full report can be viewed at http://resources.mcafee.com/content/NAUnsecuredEconomiesReport

