Almost 40% of business professionals polled by Deloitte during a recent cyber crime prevention webcast were “not confident” that private enterprises have sufficient controls in place to minimize the occurrence of cyber crime.
In fact, the poll showed a fairly even split in respondents' beliefs about whether their organization was likely to experience an electronic security breach in the next 12 months: 41.7% believed it was “likely” or “extremely likely” that a breach would occur in this time frame, while 38.4% indicated it was “unlikely” or “extremely unlikely.”
“Based on the results of this poll, it appears that many organizations are leaving themselves vulnerable to cyber crime because there might be a false sense of security, or perhaps even complacency,” said John Kula, director in the forensic & dispute services practice of Deloitte Financial Advisory Services LLP. “Many organizations are failing to recognize the prevalence of cyber crimes in their IT environments and consequently could be misallocating limited resources to lesser threats.”
As sobering as these views are, they appear to be quite accurate.
In a study by Verizon and the Secret Service released in August, investigative experts found, as they did in the company’s prior data breach reports, that most breaches were avoidable if security basics had been followed. Only 4% of breaches assessed required difficult and expensive protective measures.
The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60%) continue to be discovered by external parties, and then only after a considerable amount of time. And while most victimized organizations have evidence of the breach in their security logs, they often overlook it due to a lack of staff, tools or processes.
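The report's point that the evidence is usually already in the logs is easy to demonstrate. The following is an added example, not code from the article or from the Verizon or Deloitte reports: it scans sshd-style authentication lines for a source that fails repeatedly and then succeeds, the pattern a brute-force login leaves behind. The log lines, host names and addresses are constructed for the example (the addresses are from the reserved documentation ranges), and the failure threshold of five is an assumption.

```python
"""Scan authentication log lines for a brute-force pattern.

Added example, not from the article or the reports it cites: flags a
source that fails repeatedly and then succeeds, the kind of evidence that
sits unread in a log when nobody has the staff, tools or process to look.
The log lines below are constructed for the example, in sshd's syslog format.
"""
import re
from collections import defaultdict

# Constructed sample: one noisy attacker (203.0.113.9) and one normal user (198.51.100.23).
SAMPLE_LOG = """\
Aug 12 03:14:01 web1 sshd[4012]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Aug 12 03:14:03 web1 sshd[4013]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
Aug 12 03:14:05 web1 sshd[4014]: Failed password for root from 203.0.113.9 port 51244 ssh2
Aug 12 03:14:07 web1 sshd[4015]: Failed password for root from 203.0.113.9 port 51250 ssh2
Aug 12 03:14:09 web1 sshd[4016]: Failed password for root from 203.0.113.9 port 51253 ssh2
Aug 12 03:14:12 web1 sshd[4017]: Accepted password for root from 203.0.113.9 port 51260 ssh2
Aug 12 08:02:44 web1 sshd[5120]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Aug 12 08:03:10 web1 sshd[5131]: Failed password for alice from 198.51.100.23 port 40030 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(lines):
    """Yield (result, method, user, src) for each sshd auth line; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")

def find_bruteforce(log_text, threshold=5):
    """Return {src: {"failures": n, "users": [...], "success_as": user_or_None}}
    for every source with at least `threshold` failed logins. success_as is the
    account of the first accepted login that followed such a failure run, i.e.
    the line a reviewer most needs to see."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_as": None})
    for result, method, user, src in parse(log_text.splitlines()):
        s = state[src]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif s["failures"] >= threshold and s["success_as"] is None:
            s["success_as"] = user  # first success after the failure run
    return {
        src: {"failures": s["failures"], "users": sorted(s["users"]), "success_as": s["success_as"]}
        for src, s in state.items()
        if s["failures"] >= threshold
    }

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        verdict = f"then succeeded as {info['success_as']}" if info["success_as"] else "no success seen"
        print(f"{src}: {info['failures']} failures against {info['users']}, {verdict}")
```

Run against the sample, the script reports the attacking address, the accounts it tried, and that it eventually logged in as root; the normal user's single typo is ignored. Real log review adds time windows and correlation across hosts, but even this much would surface the entry the report says most victims already had on disk.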
“Cyber crime innovation and techniques have outpaced traditional security models. That’s what makes it so important to gather intelligence data internally and externally to understand the threats, and then to act on that intelligence,” said John Clark, partner in the security & privacy services practice of Deloitte & Touche LLP. “If companies don’t have the tools in place to be informed and to prevent breaches, it could lead to significant risks, potentially leading to financial losses, regulatory issues, and a loss of client and public confidence.”
Where legislation can help
Consumers have little influence on whether companies step up to basic security precautions, so in spite of my reluctance to suggest legislative solutions, this may be one area that could benefit from new regulations. Such regulations need to hold companies clearly accountable for protecting the consumers they serve: strengthening their technical security, implementing training and procedures that reduce the risk of breaches, testing their systems for weaknesses on an ongoing basis, and promptly reporting breaches that do occur. Legislation could also establish a watchdog service that tells consumers how various companies and services rank, so that they can make informed decisions.
As consumers, we need to remove our business – and our information – from sites with poor safety, privacy and security track records and shift to companies that maintain appropriate security hygiene.
Cyber Security isn’t just a Corporate issue
Every consumer has a role to play in their own cyber security, and in the cyber security of the larger internet ecosystem. Every time a user fails to install adequate security software, or fails to keep it updated, they invite criminals onto their machine. The criminals may use that computer to harm its owner, and they may also use it as part of a botnet to spam others, spread malware, take servers down through denial of service attacks, or harvest its contact lists to socially engineer scams against others.
To do your part as a digital citizen, it is essential that you ensure your computers and internet connections are secure with proactive protection software that updates automatically; that you use strong, unique passwords and keep them private; and that you learn to recognize socially engineered attacks. It also means that every family member and anyone else who uses your computer(s) follows the same security rigor.
- Secure your computer. If your computer isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity are there for the taking. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, there are several free products.
- Secure your Internet connection. Make sure your computer’s firewall is on. If you use a wireless network, it needs to be encrypted (WPA2 with a strong passphrase; the older WEP standard is broken and offers no real protection) so that someone lurking outside the house can’t collect your information. Free firewalls are available if your operating system does not include one.
- Use strong passwords. A weak password is all it takes for someone to guess their way into your account. If you use the same password on multiple sites (or everywhere), one breached site exposes all of them, and you are asking for real trouble. Passwords do not have to be hard to remember, just hard to guess.
- When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging whether a site is legitimate or is going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
- Trust is Key. Know the Site. Know the User. Know the Company. Misplaced trust will land you in a world of trouble.
- You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
- Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled along by links that may or may not take you where you expect. This is particularly true of ‘shortened’ or ‘mini’ links used on sites like Twitter, which hide the real destination. If you do not have 100% confidence that a link leads to a legitimate site, look up the material yourself.
There is a battle being waged for control online. Criminals want the status quo, we need to drive for change.