Cracking the Code on Cyber Crimes
LinkedIn inadvertently found itself the poster child for customer privacy protection when, in early June, word spread of a password leak with the potential to affect 6.5 million users.
In the hours that followed, LinkedIn would tweet to some 180,000 of its Twitter followers that "our team continues to investigate, but at this time we're still unable to confirm that any security breach has occurred." Hours later, the company issued a similar statement on the LinkedIn blog, along with a list of best practices to follow when creating a password.
One day after the alleged breach, LinkedIn issued an update, acknowledging that 6.5 million hashed passwords (passwords stored as the output of a one-way hash function rather than in plain text) had, indeed, been posted on a hacker forum. The company reported it had "enhanced our security measures through an additional layer of technical protection known as 'salting' to better secure your information" and that it had disabled all member passwords for at-risk accounts.
In the days that followed, LinkedIn would take the heat for what some called a bare-minimum means of security—namely, passwords should have been "salted" and "hashed" to start. The company was slapped with a $5 million lawsuit in late June, when an irate consumer seeking class-action status claimed the company failed to properly uphold its privacy policy and follow standard Internet security protocols.
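To make concrete what the critics meant by "salted and hashed to start," here is an added illustration (not code from LinkedIn or from this article) contrasting the two storage schemes. It assumes SHA-1 as the unsalted fast hash purely for illustration, since the article does not name LinkedIn's algorithm, and uses a constructed set of sample users and a constructed list of common passwords; PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the recommended scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample credentials for the demonstration; not data from any real breach.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",  # deliberately the same password as alice
    "carol": "hunter2",
}

# A small precomputed table of common passwords, constructed for the example.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein"]

PBKDF2_ITERATIONS = 200_000  # assumption: a work factor chosen for illustration


def unsalted_hash(password: str) -> str:
    """The weak scheme: a single fast hash of the password and nothing else.
    Assumption: SHA-1 is used here for illustration; the article does not name the algorithm."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The recommended scheme: a random per-user salt plus a deliberately slow
    key-derivation function (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the salted digest for a login attempt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def duplicate_hash_groups(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored hashes are identical. With unsalted hashes this
    exposes every pair of users who chose the same password."""
    groups: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def lookup_unsalted(hashes: Dict[str, str], table: List[str]) -> Dict[str, str]:
    """Match stored unsalted hashes against a precomputed table of common passwords.
    One table covers every user at once because no salt varies the hashed input."""
    precomputed = {unsalted_hash(p): p for p in table}
    return {user: precomputed[h] for user, h in hashes.items() if h in precomputed}


def demo() -> Dict[str, object]:
    """Run both schemes over the sample users and report what each one leaks."""
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted_hex = {u: digest.hex() for u, (_salt, digest) in salted.items()}
    return {
        "unsalted_duplicates": duplicate_hash_groups(unsalted),  # alice and bob share a hash
        "unsalted_table_hits": lookup_unsalted(unsalted, COMMON_PASSWORDS),  # carol's is in the table
        "salted_duplicates": duplicate_hash_groups(salted_hex),  # empty: salts differ per user
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the comparison: with the unsalted scheme, two users who chose the same password are visibly linked in the leaked file and a single precomputed table matches every account at once; with a per-user salt and a slow derivation function, each stored digest has to be attacked on its own, which is the "additional layer" the company said it added after the fact.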
Merited or not, the fact of the matter is "breaches happen," according to Carsten Casper, research director and head of the Privacy Key Initiative at Gartner Research. "Those pointing the fingers might be the next ones suffering from one." To Casper's point, the very same week LinkedIn fought to put out its own privacy fire, online dating service eHarmony had to take extra measures to protect its customers, when 1.5 million passwords were compromised.
Although experts agree that data breaches are one of the inherent costs of doing business online, there are steps a company can take to safeguard customer information and ensure proper risk management processes are carried out should a data breach occur. To do this, though, it's important to understand the most common area where the security war is being waged, new threats, and what efforts are working to combat cyber criminals.
A Steep Price Tag
The LinkedIn and eHarmony password breaches might have put personally identifiable information up for grabs, but companies also run the risk of losing even more sensitive customer data—financials. The Federal Trade Commission (FTC) brought suit against hospitality giant Wyndham Worldwide in late June for allegedly exposing 619,000 consumer payment account numbers to a domain in Russia. The FTC claims "the defendants' failure to maintain reasonable security allowed intruders to obtain unauthorized access," resulting in $10.6 million in fraudulent charges dating back to 2008, according to court documents.
"Businesses are clearly not acting responsibly enough," maintains Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse. "The problem is, more businesses [are] ultimately taking the easy way out [and this] will cost them. It has been shown that the cost of a data breach to a company is quite high in terms of dollar cost, and in terms of users, there is a loss of goodwill from their customers."
The FTC reported that identity theft and other scams cost Americans $1.52 billion in 2011, according to Reuters, and despite efforts to combat such theft, it is on the rise. In fact, the number of complaints filed with the FTC by consumers for identity-related crimes—1.8 million—was twice what it was in 2006. Aberdeen Group, an information technology research firm, has estimated that the worldwide impact of identity theft is a staggering $221 billion drain on businesses.
The Ponemon Institute, an independent privacy policy research center, estimates that the median annual cost of cyber crime to a victim organization ranges from $1 million to $52 million. In its second annual "Cost of Cyber Crime Study," the center found that the most costly cyber crimes are caused by malicious code, denial of service, stolen devices, and Web-based attacks. Attacks range from such malicious activities as stealing intellectual property, hijacking online bank accounts, and creating and distributing viruses on computers to posting confidential business information on the Internet and even disrupting critical national infrastructure. The report also said that information loss accounts for 40 percent of external cyber crime costs.
According to the FBI, the disparity in the gross impact of cyber crimes depends on an organization's size, scope, and industry. While small companies might be devastated by one instance of cyber theft, larger companies might not even realize they have been attacked for weeks, or even months. When businesses are unable to recoup their losses, it can be difficult to estimate damages, the FBI says. Also, some companies do not wish to disclose that their systems and data have been compromised, making it a difficult task to calculate true damage and loss.
Cyber Crime Continues
The general consensus among security experts is that cyber theft will perpetuate because of the nature of the Internet. "There is no panacea, and the major problem we're dealing with is a culmination of net globalization and there being real money on the net," says security expert Jon Callas, a former operating system security expert for Apple, who is now chief technical officer for Entrust, a provider of identity-based security solutions for enterprises, consumers, and the government. "If you're a bright person living in a part of the world where $1,000 is a lot of money…the temptation is very high and the risk is relatively small, so of course [cyber criminals] will continue to strike."
But the FBI wants consumers and businesses alike to know that cyber crimes don't always originate with foreign perpetrators. Very often, the threat comes from within. Just this May, a contract employee for the Federal Reserve Bank was charged with stealing proprietary software code valued at $10 million to engage in immigration fraud practices. Originally retained to develop the U.S. Treasury's Government-wide Accounting and Reporting Program, the contractor replicated the code he was hired to develop on three personal devices.
"As technology evolves, there are always going to be people who have the skills and the desire to utilize that technology for gain in an unlawful fashion," Stephens explains. "It's a…race [between] companies to keep ahead of hackers and people who would like to penetrate a database unlawfully. That can be a challenge."
Weighing Countermeasures
There is no magic bullet when it comes to combating the cyber theft problem, due to the constant metamorphosis of technology. Organizations like the PCI Security Standards Council, which develops the technical requirements for data security programs for payment brands like American Express and Visa, seek to standardize security. But "some argue that standards are not high enough and that there's not a requirement for there to be an audit depending on the size of the business," Stephens maintains.
State and federal governments have joined the fight against cyber crimes as well. At press time, four U.S. senators had proposed the Data Security and Breach Notification Act of 2012, which would seek to standardize reporting of data breaches and would be enforced by the FTC with fines for organizations of up to $500,000 per incident, according to InformationWeek. There are more intensive requirements if the breach impacts more than 10,000 people, such as the need to refer the case to the FBI.
"By advancing a proposal that offers a comprehensive, uniform approach to data security…[the bill] demonstrates that it is possible to protect consumers while providing clear, consistent guidelines to businesses," wrote Jot Carpenter, vice president of government affairs for the International Association for the Wireless Telecommunications Industry, in a blog response to the legislation.
However, the National Conference of State Legislatures reports that 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands all have individual legislation requiring notification of security breaches that involve personal information. And the latest effort by Congress to enact a bill to standardize them all is certainly not the first.
Beyond government intervention, there are stand-alone bodies that exist to help companies navigate the privacy and security landscape. The Online Trust Alliance, for instance, is a member-based nonprofit group that develops best practices to mitigate emerging privacy and security threats. It recently unveiled the fourth annual Online Trust Honor Roll, measuring the security and privacy best practices of 1,200 e-commerce, FDIC, and social media sites. Twitter topped the list for its support of Do Not Track privacy preferences; other leading companies included American Greetings Interactive, Bank of America, Costco, Charles Schwab, and Zynga.
The companies that stood out on the honor roll continued to implement email authentication, with more than 68 percent of the top 100 e-commerce sites adopting both sender policy framework (SPF) and DomainKeys Identified Mail (DKIM) email security specifications. Nearly 30 percent of sites on the honor roll successfully implemented best practices, which include maximizing secure sockets layer (SSL) server security. The alliance reported that worldwide adoption of extended validation certificates increased 48 percent this year over last.
American Greetings, for example, needed a way to safeguard customer data for the millions of users who send e-cards through its service on a daily basis. When the bulk of your online business is email-based, it becomes increasingly important to ensure best practices are carried out. That's when the greeting card company selected email security company Agari, also a 2012 Online Trust Honor Roll recipient, to implement and manage Domain-based Message Authentication, Reporting, and Conformance (DMARC) specifications within its interactive division to combat phishing attacks. "Working with Agari will allow us to focus on continuing to proactively investigate abuse while leveraging real-time reports and alerts, so we can immediately take appropriate action to shut down and correct issues that may arise," said Gary Von Hoch, vice president of Web operations and IT for American Greetings, in a statement.
The value proposition for American Greetings was being able to identify, "'What are my third parties?' 'What's me?' 'What's malicious?' and 'Here are some things reporting to me, but which don't have authentication,'" explains Daniel Raskin, Agari's vice president of marketing. To put it simply, a security specification like DMARC allows organizations to build email governance into their infrastructure, and to take a proactive approach to safeguarding customer data. "The net effect is that they now have a more secure email channel, and criminals, being smart, say, 'I'm going to move on to their competitors' if there's a problem competing to see your domains."
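The sorting Raskin describes ("What's me? What are my third parties? What's malicious?") is exactly what a receiving mail server does when it applies a domain's DMARC record. The following is an added example, not code from Agari or American Greetings, that parses a constructed DMARC TXT record for the reserved domain example.com and evaluates a few constructed messages against it. It assumes the SPF and DKIM results are already known, and it simplifies the organizational-domain rule to "last two labels" (real implementations consult the Public Suffix List).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse the tag=value pairs of a DMARC DNS TXT record into a dict,
    filling in the defaults for the tags this example relies on."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    tags.setdefault("p", "none")    # requested policy for failing mail
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    return tags


def org_domain(domain: str) -> str:
    """Simplification for the example: the last two labels form the organizational
    domain. Real implementations use the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiving server already knows about one message (constructed values)."""
    label: str                  # short description used in the report
    from_domain: str            # domain in the visible From: header
    spf_result: str             # "pass", "fail" or "none"
    spf_domain: Optional[str]   # envelope (MAIL FROM) domain SPF was checked against
    dkim_result: str            # "pass", "fail" or "none"
    dkim_domain: Optional[str]  # d= tag of the verified DKIM signature


def evaluate_dmarc(policy: Dict[str, str], r: AuthResults) -> Dict[str, object]:
    """DMARC passes when SPF or DKIM passed AND that mechanism's domain aligns
    with the From: domain. Otherwise the record's p= tag decides the disposition."""
    spf_aligned = (r.spf_result == "pass" and r.spf_domain is not None
                   and aligned(r.spf_domain, r.from_domain, policy["aspf"]))
    dkim_aligned = (r.dkim_result == "pass" and r.dkim_domain is not None
                    and aligned(r.dkim_domain, r.from_domain, policy["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {
        "label": r.label,
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy["p"],
    }


# Constructed policy record; example.com is reserved for documentation.
POLICY_TXT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed authentication results, one per kind of sender a domain owner sees in reports.
SAMPLE_MESSAGES: List[AuthResults] = [
    AuthResults("own mail server ('me')", "example.com", "pass", "mail.example.com", "pass", "example.com"),
    AuthResults("third party signing with its own domain", "example.com", "pass", "esp.example.net", "pass", "esp.example.net"),
    AuthResults("forged From: from an unknown host", "example.com", "fail", "example.com", "none", None),
    AuthResults("subdomain DKIM fails strict mode, relaxed SPF still aligns", "example.com", "pass", "bounce.example.com", "pass", "news.example.com"),
]


def run_report(policy_txt: str = POLICY_TXT, messages: List[AuthResults] = SAMPLE_MESSAGES) -> List[Dict[str, object]]:
    """Evaluate every sample message against the parsed policy."""
    policy = parse_dmarc_record(policy_txt)
    return [evaluate_dmarc(policy, m) for m in messages]


if __name__ == "__main__":
    for row in run_report():
        print(f"{row['label']:<60} dmarc={row['dmarc']:<4} disposition={row['disposition']}")
```

The second sample is the case a domain owner most often discovers through DMARC reports: a legitimate third-party sender that authenticates under its own domain rather than the customer's, which fails alignment and would be rejected under p=reject until the vendor is set up to sign as the customer's domain. The third sample is the forged message the policy exists to stop.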
A Moving Target
While tightening email security screws is helpful, there are growing concerns that cyber criminals will turn their attention to other popular technologies, such as mobile devices and social media sites. With the proliferation of social media, mobile devices, and location-based services, experts agree the playing field for cyber thieves has widened. And sheer volume of data is a top reason. "Think about your Facebook profile and how much data the company has about you based on what you've shared [and what others share about you]," says Andy Land, vice president of marketing for identity management software company UnboundID. "That profile has to be stored, secured, and hopefully privacy policies are applied. Facebook's valuation was based on that richness of data."
Entrust's Callas concurs. "Ironically, one of the best ways to manage your customers' privacy is to figure out what data doesn't need to be stored," he explains. "The privacy decision is to say, 'What do we not want to save?' If my Web site that is giving you a service does not log all of the details, then I have protected your privacy implicitly."
Because of the growing number of data breaches, a surge in cloud computing and location-based services, as well as ever-changing regulatory policies, Gartner Research predicts that at least half of all organizations will revise their current privacy policies before the end of 2012.
Develop a Risk Management Strategy
To minimize your organization's chances of experiencing an embarrassing and costly data breach, there are some preliminary steps to follow when developing a case for risk management. According to the Privacy Key Initiative's Casper, companies need to ask themselves these basic questions: "Do we have someone in charge of information security? Do we have a security program? Did we train our people? Do we verify how business partners process data? Do we have a process in place to detect and respond to a security or privacy breach?"
As Casper puts it, "The important thing is that companies conduct a risk assessment and make a conscious decision: How much risk do they want to take and how much money do they want to spend to mitigate some of that risk? Companies need to define a common structure for privacy compliance, based on corporate-wide privacy principles, but with enough flexibility to adjust to local laws' requirements." This is especially true for companies that operate in several countries and states within those countries, as well as different industries.
While the U.S. Department of Justice and the FTC play varying roles in privacy and identity theft enforcement, and while businesses should be vigilant to ensure they're in compliance, Casper maintains that privacy today is not only about complying with the law, but increasingly is associated with meeting customer expectations.
It Happened to You. Now What?
As experts have outlined above, the only certainty about cyber crime is that it will continue. But what a company can control is the manner in which it bounces back from an incident and the effort it makes to prevent future attacks. Here are strategies to consider:
Follow the lead of the airlines and NASA. According to Entrust's Jon Callas, airlines and NASA have a predictable way of mitigating risk and of being transparent quickly. "They get the right people in to manage the immediate problem and they don't deny that anything happened. They say, 'We will make this right and we are conducting an investigation.' A company could say, 'Here are the things that we and people outside my company have identified we did not do correctly. We are tasking people to fix these things and then we will let you know when they happen.'"
Keep the lines of communication open. Paul Stephens, of the Privacy Rights Clearinghouse, says it's crucial to be up-front about the extent of a breach right when an investigation is opened. "Typically, when there is a security breach that involves financial information, companies tend to offer free credit monitoring to the affected individuals," he says. "Also, it's important for companies to utilize this as an educational opportunity for their customers. There are many customers, for instance, who are not aware of such dangers as reusing passwords on multiple sites."
Be proactive with privacy, even if it costs you. Experts say that failing to implement security measures for your business can be a little like driving without insurance in hopes that you'll avoid a crash. Companies "think they need to balance the value of processing information against the risk of doing so," Carsten Casper, of Gartner Research's Privacy Key Initiative, says. "That's wrong. The more personal data you collect and process—in other words, the more value you generate—the higher the risk. Companies can control the cost they put into risk mitigation. Some spend very little on privacy, store lots of personal information, have a high level of risk, and get away with it—until one day it falls apart."
Cyber Theft and Security Resources
The Internet Crime Complaint Center: Ic3.gov is a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, where you can report incidents.
Privacyscore.com: This online privacy guide allows you to evaluate how Web sites and applications handle personal information and how you'll be tracked online.
SSL Labs: Ssllabs.com is a noncommercial resource effort that houses a collection of documents and tools related to secure sockets layer/transport layer security deployment best practices your business can use.
Associate Editor Kelly Liyakasa can be reached at kliyakasa@infotoday.com.