25 May 2011

Businesses under Cybercrime attack: how to protect your corporate network and data against its impact


An analysis of the impact and business risks of cybercrime attacks by Finjan’s CTO Yuval Ben-Itzhak. He also explains the preferred security solution to effectively protect corporate networks and data.

In the last few years, we have seen that cybercrime has evolved into a booming global business. Viruses, malware and online crime have turned into a major shadow economy that successfully mimics the real business world. Money is the driving force behind the growth of targeted attacks against financial institutions, enterprises and governmental agencies, often carried out by organized cybercrime groups that closely resemble both in structure and operations the notorious “Cosa Nostra” crime organizations.

Crimeware infiltrating corporate networks, stealing business data and using or trading it for profit, poses a growing business problem for companies and their executive management. Executives, vice presidents of development and directors of engineering are therefore forced to address security issues. They need, directly or indirectly, to select the optimal security solution for protecting one of their main business assets – their data.

Successful data breaches can also impact management directly. Executives could find themselves being sued by victimized customers, employees or shareholders for not taking appropriate measures to prevent crimeware attacks such as hacking, or for failing to backup lost or compromised data. Senior management – from bank CEOs to governmental officials – needs to ensure and communicate internally and externally how well they protect their organization and its data against cybercrime attacks. As employers, they also need to take the necessary precautions to safeguard their employee information; they can be sued for confidentiality breaches by their employees in case of compromised personnel data and files.

Businesses and organizations are becoming more and more dependent on the Web for their daily business activities, including online business applications, accessing information, and communication with clients, customers and the public. Many companies also use Web 2.0 applications to enhance their business operations. To protect their corporate networks and data from crimeware and Web 2.0 attacks, they need to adopt a security strategy that provides optimal protection. Especially for executive management of public companies, being the victim of cybercrime can lead to lawsuits as well as other repercussions for non-compliance with various rules and regulations (SOX, PCI DSS, EU Directive 95/46/EC, The Turnbull Report, etc.).


Cybercrime Operations

Cybercriminals operate similarly to legitimate business owners, using business models and techniques that they copy from the real business world.

They deploy Criminal-to-Criminal (C2C) business models and scalable Crimeware that gives them maximum flexibility in terms of command and control for stealing and trading data. They also use the latest Trojan technologies, silent installations and drive-by downloads for their attacks.

By using $100-$200 off-the-shelf “Do It Yourself” toolkits, cybercriminals can easily gain access to the balance sheets of companies and manipulate stock behavior; locate payroll information; get hold of corporate bank statements and transfer money from that business or make transfers between accounts; gain access to a company’s budgets and private financial statements; steal a company’s product roadmap and R&D work-plan for industrial espionage; capture a company’s credit card numbers for purposes of fraud; or steal Intellectual Property (IP).

Crimeware toolkit creators also copy the SaaS (Software-as-a-Service) business model – often referred to as CaaS (Crimeware-as-a-Service). A notorious example is the NeoSploit Crimeware toolkit that contained a delivery system for its Trojan upon a successful exploitation. It could be configured to provide a different version of the Trojan according to the country where the victim was located, such as Germany.

The cybercriminal data supplier model allows criminals to log into their “data supplier” and download any information suitable for them to conduct their crime – be it financial fraud, industrial espionage or identity theft. Once the data is stolen, hackers use Crimeware servers as a command and control for the Crimeware that was executed on infected PCs. They also use these servers as “drop sites” for private information being harvested by that Crimeware.

Once a Trojan or other piece of crimeware is inside the system, it will look for valuable data and steal it. This can easily happen when an Internet user visits one of the legitimate websites containing malware – research shows that 75% of all legitimate websites currently contain some kind of crimeware. Once the stolen data is received by the attacker, he uses or trades it for profit. We have seen that the market for stolen data is rapidly expanding. Although attacks use security holes in Internet browsers, the problem has become a business one as well, as shown below.

The damage that successful Crimeware attacks inflict is widespread and long-lasting. Financial damages resulting from Cybercrime 2.0 will keep running into millions of dollars, and no organization, company, enterprise or business with Internet access is safe.

Successful data breaches can result in: loss of existing customers and difficulties in acquiring new ones; loss of intellectual property (IP); loss of R&D data, including product designs, road maps; brand name and corporate image damage; negative impact on competitive position; loss of market share; potential lawsuits and class actions; non-compliance with rules and regulations; loss of productivity due to downtime, investigations, damage control.

Financial Damage

The most prominent damage that cybercrime inflicts on businesses and organizations is – of course – financial damage. According to the “2007 Annual Survey: Cost of Data Breach”, by the Ponemon Institute, the average cost per data breach incident in 2007 amounted to $6.3M, while the cost of lost business per incident was estimated at $4.1 million. The average cost of a data breach in the highly regulated financial sector is $239 per compromised record, while the average cost of a third-party breach (cybercrime attack) amounts to $231 per compromised record.

Financial damage can also have an impact on the bottom line of the company and (if public) its share price. The cyberattack on the retailers Marshalls and TJ Maxx (part of the TJX Companies) that was disclosed in January 2007 resulted in the Company recording an after-tax cash charge of approximately $118 million, or $.25 per share. When we apply a US calculation model to estimate the financial damage of the HMRC data breach in the UK of November 2007 (Her Majesty's Revenue and Customs lost the data of 25 million UK citizens), we see that this breach would have cost a private company at least £4Bn (or US $8Bn). These costs could have included offering customers online account monitoring service, having to notify customers, and (financial) compensation.

Legal Consequences

Data breaches can also have legal consequences for the affected organizations. Over the last few years, we have seen several lawsuits and class actions instigated by victimized customers and clients. This number is rising due to the increasing number of successful cybercrime attacks and their financial consequences.

Companies and associations that lose the personal data of their customers, employees or members must adhere to new sets of compliance laws and regulations, including: the US Sarbanes-Oxley, the international PCI DSS, the European EU Directive 95/46/EC, and the British Turnbull Report standards. Enforcement of these laws, rules and regulations will become more prevalent in the coming years.

Brand Damage

Once a business or organization is exposed in the media for breaching data, it faces a high chance of brand damage – especially when the media coverage of the breach includes financial and legal details.

The Ponemon Institute mentions in its “2007 Annual Study: U.S. Enterprise Encryption Trends” that failure to protect customer data and proprietary business information can lead to serious consequences, including loss of customers or difficulty acquiring new ones as well as irreparable brand damage.

Reputational damage is also a major concern for information security executives. According to a global survey by researcher Frost & Sullivan of more than 7,500 security professionals, 71% of the respondents stated that avoiding harm to brand was their top priority, ahead of other hot topics they were asked about.

The Best Western hotel chain had a tough time exercising damage control after the Glasgow Sunday Herald reported that hackers had broken into its online reservation system stealing the data of 8 million guests who stayed at 1,312 European Best Western hotels in 2007 and 2008.

Stolen IP

Intellectual Property (IP), such as trademarks, patents, copyrights and trade secrets, is a prime target for cybercriminals. High-tech companies especially must protect source code and engineering design documents, while bio-tech and pharmaceutical companies need to protect drug recipes and top-secret research. For financial service institutions, safeguarding confidential business processes or financial models is crucial. The total amount for stolen patents and trademarks was estimated by the Council of Europe in its report of 2002 at $250 billion a year or nearly 5% of the world trade.

Loss of Productivity

Crimeware infections often also result in productivity loss due to downtime, botnets and lower utilization of computer resources. The “ISSA / UCD Irish Cybercrime Survey 2006” research shows that loss of productivity was reported as the most common consequence of cybercrime and was experienced by 89% of respondents. The loss of productivity is estimated at $30 per lost record. The strain on IT departments and helpdesk resources for handling compromised data adds to the costs, as do the costs of investigation and damage control.

Personal Accountability

Last but not least, data breaches (whether unintentional or the result of cybercrime) impact executives personally. They are being held directly accountable for non-compliance of their company and can therefore face high fines or other costs as mandated by Sarbanes-Oxley (SOX) or Payment Card Industry (PCI). Data breaches can also impact their career, resulting in resignation, as illustrated in the case of Paul Gray, chairman of HMRC. He resigned after the admission that Her Majesty’s Revenue and Customs lost the confidential details of up to 25 million individuals from 7.5 million families claiming child benefits.

Solutions

We have seen that executives and managers not only face direct losses from technology abuses, but also need to relate how well they protect their company or organization and its data against cybercrime attacks. Successful data breaches will in many cases impact the performance and profitability of the company, business or organization.

They are therefore looking for a security solution that will prevent crimeware from entering their corporate networks and stealing their data. The technical arms race between cybercriminals and security professionals is heating up, and the security industry is under pressure to provide adequate protection to businesses and organizations around the world.

A proactive way for executives to protect their companies and themselves against cybercrime is to opt for a multi-layered security solution. These multi-layered security solutions, such as Finjan’s active real-time content inspection, provide protection against cybercrime and Web 2.0 attacks. This technology detects and blocks malicious inbound and outbound content based on the code’s intended criminal action. It therefore doesn’t rely on signatures, URLs or reputation attributes. With the use of real-time code inspection, businesses and organizations can be sure that no malicious content enters their networks and steals their valuable business data. (http://www.finjan.com/realtime)

Yuval Ben-Itzhak, Finjan's CTO, has over 15 years of high-level management experience, founder and CTO of KaVaDo Inc., CTO at Ness Technologies, and senior project manager at Intel Corp. Yuval has been selected as InfoWorld's "Top 25 Most Influential CTOs of 2004" and Computerworld’s "40 Innovative IT People To Watch, Under the Age of 40" for 2007. Yuval earned a BSc in Information Systems and Engineering, cum laude from Ben-Gurion University, Israel. He may be reached at +972-9-864 8200 or [email protected]