Full Speed Ahead: Business-Minded I.T. Security Risk Management

I’m thinking about the recent massive insider data breach affecting mobile phone operator Vodafone Germany.  Perpetrators stole personal information on 2 million of its 32 million German customers in a hack requiring “high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company’” (translation of Vodafone Deutschland statement).  This breach comes on the heels of an August warning issued by Germany’s Federal Office for Information Security concerning faulty security on Vodafone routers – a flaw that, it stated, Vodafone knew of since 2012 and did not act upon.

There’s Always An Abundance of Comparable Data Breaches

It is commonplace now, upon hearing about one data breach, to be reminded of another or several like it.  The number of data subjects here is a whopping 2 million, which is reminiscent of the Ubuntu Forums breach of account data on all of its 1.82 million users in July.  The breached entity here is a European telecommunications company.

This is reminiscent of the theft of customer data from OVH, a French Internet provider whose European database and Canadian server system were compromised, also in July.

"Vodafone Smashed." Taken December 4, 2010. (c) 2010 All rights reserved. Courtesy of DHATT Creative. Available at http://www.flickr.com/photos/kamdhatt/5237721926/in/set-72157625540513232"

“Wincup V8 Vodafone Holden Smashed.. Taken December 4, 2010. (c) 2010 All rights reserved. Courtesy of DHATT Creative.

The similarities abound because of the sheer number and range of data breaches.  In fact, the current cyberthreat landscape is so highly developed that there are too many risks, more than can reasonably be prevented.  It used to be a clever thing to quote FBI Director Robert Mueller on the certainty of security breaches  (“I am convinced that there are only two types of companies: those that have been hacked and those that will be.”).  But we have moved beyond a black-and-white certainty that all breaches must be prevented.  Nowadays, security breaches are persistent, invasive and stem from extensive sources, to the point that not every breach can or should be defended against.

Above All, the Business Must Go On

Cutting-edge IT security specialists are operating in a new paradigm.  Rather than trying to protect everything, IT security officers need to make business-like decisions of what to protect against.  I was impressed by the clear talk in Gartner’s Talking Technology Series (September), which exhorts IT security to explicitly recognize that they cannot protect their companies from every threat.  Expert Paul Proctor reiterates, “We are no longer the ones to protect the company, but who balance the need to protect the organization against the needs to run the business.”

Proctor contrasts the plethora of costly tech security tools that a company can purchase with the unpredictable nature of employees and their BYOD practices.  I also wonder whether one would want to hamstring a business with an abundance of costs and measures when it is nearly impossible to predict whether one’s company will become the target of hacker whimsy.  For example, when angered, the loose-knit cabal of global hackers known as Anonymous has campaigned against Scientology, PlayStation creator Sony, the recording industry, and other targets on an arbitrary basis, often based on whether a critical mass of upset is expressed on their online forums.

The human element is also at play in spearphishing attacks, in which individuals and organizations are spied upon to gather enough of their legitimate information such that they fall prey to scam emails that seem legitimate and familiar.  This is done in order to gain access to their online accounts and systems.  Spearphishing is not rebuffed by expensive tech solutions because the target willingly gives access, thinking that he is logging into a legitimate website or clicking on a legitimate link.  This is exactly the type of crime to which the 2 million German Vodafone customers are now highly susceptible.  Proofpoint recently released a survey that spearphishing continues to be a serious threat, with over half of the IT professionals surveyed admitting that their organizations had received spearphishing emails in the past ear.  This charming infographic (2012) illuminates the success of the over 156 million phishing emails sent globally every day.  Approximately 6 million of them make it through spam filters; 8 million are opened; 800,000 links are opened; and ultimately, 80,000 people fall for a scam and share their personal information.  How do you protect with any certainty against these odds?

Gartner has also concluded that regulatory compliance is an insufficient goal for IT leaders.  “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises.” (Research Director John A. Wheeler, emphasis added).

It’s enough to make one feel crazy.  As OVH stated after its recent security breach, “In short, we were not paranoid enough so now we’re switching to a higher level of paranoia.”  You know what else might make an IT professional crazy? Gartner predicts that by 2019, 90% of organizations will be hosting personal data on the IT systems which they do not own or control.  Best wishes to the new leaders in IT as they play skipper, navigator and engineer in this treacherous new landscape.

Annie C. Bai

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

  • Blog authors

  • Copyright notice

    © Copyright 2010-2014 "Information Security Breaches & The Law".
    All rights reserved, unless noted otherwise under each author's post, page or other material.
    If you would like to discuss licensing terms, contact us at: info [at] security-breaches [dot] com.

  • Enter your e-mail address here to follow this blog and receive notifications of new posts by e-mail.

  • The “Global Information Security Breach Professionals” Group on Linkedin

  • Wordpress Blog Stats

    • 46,822 hits
%d bloggers like this: