The UK Department of Trade and Industry’s bi-annual Information Security Breaches Survey will provide little comfort for security managers – malicious attacks remain a common feature of IT operations. But there are signs that business leaders are becoming more willing to co-operate in an effort to fight back against the hackers.
The reasons for this apparent sea-change are easy to see: the survey of 1,000 UK companies, conducted by consultants at PricewaterhouseCoopers, found that 87% of large businesses suffered a security incident in the last year, at an average of 19 per year. Security incidents are a weekly occurrence for most large companies, said PwC’s information security advisory director, Andrew Beard.
The overall cost to businesses remains hard to calculate, as many business leaders remain fearful that revelations about breaches could destabilise stock prices. However, in the worst instances, large businesses lost between £65,000 and £130,000, PwC reports.
One security professional willing to share his experiences was Leo Cronin, senior director of information security at information service LexisNexis. Cronin told delegates at the packed-to-capacity debate on e-crime at the Infosecurity conference that openness was a crucial component of minimising the damage caused by security breaches.
LexisNexis’s databases were breached 59 times by hackers in early 2005, and some 300,000 customer records were stolen – including driver’s licence numbers, passwords and social security numbers. “I would have liked to have secured our infrastructure more effectively than we have done in the past,” admitted Cronin. “At the end of the day, with so many resources, we tried to do the best job we could.”
The breach occurred in a company acquired by LexisNexis, Seisint, and was initially thought to affect “only” 32,000 people. A month later, Reed Elsevier announced the total number was 10 times that.
But company leaders were keen not to suffer the same humiliation as ChoicePoint – a data collection company which suffered an almost identical sequence of events only weeks before. “Our mantra from day one was to be transparent – and that came directly from the CEO,” said Cronin. “He took ownership of the problem, which is why we were successful in getting things done.” The company engaged with local law enforcement and the FBI, in spite of the risk of prosecution.
The company also had a duty under California law – Senate Bill 1386 (SB1386) – to inform individuals if their private information could have been compromised.
Cronin admitted that with the scale of the damage hard to measure, he judged the success of his transparency campaign by how LexisNexis was viewed in the media and how its share price was affected.
Stephen Bonner, director of technical security at Barclays Capital, the investment banking division of the UK-based financial group, had no such breaches to share, but agreed that transparent organisations “seem to be rewarded. Those who try to hide a breach get caught out”.
Bonner has seen email attacks that try to lure his customers into giving away passwords almost double in the last year, with information stolen from ecommerce sites used to launch more targeted and personal “phishing” messages that contain names, addresses and recent transactions in order to appear genuine. But he accepts it as an inevitable trade-off for the convenience of online banking.
“Phishing is incredibly difficult to avoid,” he told the Infosec audience of IT and security specialists. “These criminal groups can know more about you than the bank, and it is sometimes easier for them to prove they are us than we can ourselves.” He added that his biggest concern was the ability of criminals to persuade users to circumvent even the most sophisticated security mechanisms, and that they might aim even higher in future than simple balance transfers, for example opening mortgages.
The change to more targeted attacks also threatens the signature-based model of anti-virus (AV) software, he said. “We all buy our AV hoping some other organisation is hit first and then we can download the patch, which works fine if everyone is hit at once but not if only your organisation is hit.”
Sharing and caring
Such candour will have reassured many in the audience that even large and well-funded organisations struggle with security, not least as Bonner admits that the targeting of financial services companies left some breathing space for other businesses and industries.
But how much value is all this security information sharing to those officers charged with drawing up risk assessments and security policies? Most of the panel said they would be keen for more UK legislation requiring companies to report breaches. Peter Pedersen, CTO of online gambling company Blue Square, said it would “put us on an even keel with other organisations.”
Cronin, however, warned that legislation was a “double-edged sword” not just for the adverse PR but because of the variance in local legislation. “I welcome regulation but it has to be targeted at the industry at large.”
This sentiment was echoed by Andreas Wuchner, head of global IT security at pharmaceutical company Novartis, speaking exclusively to Information Age. While he found surveys like the DTI’s and other information sources useful, Wuchner said his main interest was benchmarking his company against others in the same industry.
“The risk appetite for every company is different,” he says. “You can’t normalise the cost of a severe incident – £50,000 could bring down a small organisation but a large one might not even call the helpdesk.”
While there is some evidence that security spending at large enterprises is growing – the DTI survey indicates that security spending is taking up a greater proportion of the IT budget – Wuchner believes that the increase simply reflects a more centralised, strategic approach to security.
“It is true that it’s increasing, but nowadays security groups are clearly putting together all their security operations,” he said. “Things which were in the woods of IT operations are now on the security agenda, and that’s causing the rise.”
Taking account of the lessons of other organisations’ breaches, the general threat level, regular scanning of the company’s systems for vulnerabilities (for which Novartis uses Qualys’ on-demand service) and the regulatory environment, “you need to find some kind of filter for yourself and know your own business processes and risks,” he advises.