2014 has earned itself the dubious distinction of becoming “Year of the Data Breach”. It’s not as if there weren’t breaches in 2013 (or any other year, for that matter). According to PricewaterhouseCoopers’ most recent Global Economic Crime Survey, 7 per cent of US organisations lost $1 million or more due to cybercrime incidents in 2013; almost 1/5th lost between $50,000 and $1 million in the same period. But 2014 was the year that the issue hit home with millions of consumer records compromised at major retailers. The news of the Target breach broke just before the new year, Neiman Marcus came shortly thereafter, and the bad news seemingly hasn’t stopped.
It appears the year is ending on an even darker note, with cyber threats morphing into terrorist threats. Sony Pictures has been in the headlines over a breach that has been both embarrassing and costly for the media giant. Most recently, the group claiming responsibility for the hack threatened terrorist attacks on movie theaters showing the Sony film “The Interview”. In a message posted Tuesday, the self-titled “Guardians of Peace” warned moviegoers to “Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”
As a result, the New York premiere of the film has been canceled, while Regal Entertainment, AMC Entertainment, Cinemark and Cineplex Entertainment, among others, have all dropped the movie from their holiday lineups. At the same time, the group is threatening to release additional data (beyond the emails, celebrity Social Security numbers, movie scripts, and more that it has already published) in the coming weeks.
This isn’t really about Sony, or Target, or Home Depot, or Marshalls (the list, unfortunately, goes on). The Sony story is just the culmination of a variety of disturbing security trends we’ve observed this year. The problem is so significant that the US Director of National Intelligence believes cybercrime is the top national security threat.
2014 needs to be a wakeup call for businesses and individuals alike. All the large companies I’ve mentioned had dedicated security staff and sizable security budgets. Hackers are bold and incredibly sophisticated, allowing them to successfully attack a variety of companies with employees devoted to data security. What about the vast numbers of organizations that don’t have the resources to employ a Chief Security Officer or commit IT staff to cyber security? What we’re finding very quickly is that no one is immune, whether the attack is an advanced hack against a multinational corporation or a ransomware infection in a small business.
As Richard Henderson, Security Strategist with Fortinet’s FortiGuard Labs, explains: “It’s clear companies just aren’t getting the message about how easy it can be for an attacker to gain an initial foothold into a network by compromising the human element of the IT equation.”
So-called “spear-phishing” campaigns that target employees with legitimate-looking emails or “watering hole” attacks in which trusted websites are compromised to capture data and install malware are both common and effective tools that hackers use every day. Just last week, ICANN, the organization responsible for Internet domains, announced that its systems had been compromised as the result of a phishing attack.
In a recent New York Times blog, Nicole Perlroth got right to the heart of the matter. As she explained, “...security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked.” And although cyber security “has been forced into the national consciousness,” she explained, there is still not the sense of urgency we need.
Frankly, there is no more time to wait on the issue of cyber security. Government agencies and corporations alike must become both educated and absolutely determined to stop cybercrime now. Neither can afford mediocre approaches to security, and customers (whether citizens in the case of government or paying clients in the case of corporations) must demand better. Organizations must have the right plans and the right technologies in place to deal with the threats we’ve seen do so much damage in 2014 and the threats we know are on the way in 2015. For example, researchers at Fortinet have identified “blastware” as a key technology they expect hackers to employ in 2015. This malware not only destroys the systems it infects but simultaneously covers hackers’ tracks as they move around an organization’s data.
Only the right combination of cutting-edge research by “white hat hackers” (who have the training and experience to combat constant innovation by “black hat hackers”) with powerful emerging technologies in threat detection and strong government regulations will be able to control the overwhelming surge of cybercrime. We simply can’t afford to maintain the status quo of good-enough security. The stakes are too high, the losses to organizations and individuals are too great, and the security interests of our nation are too valuable.