Most large companies have IT staff members that know they are targets of cybercrime and are aware of the myriad attack angles hackers use. These professionals grapple with problems such as patch management, the selection and configuration of security products, managing an increasing array of mobile devices, insider threats (due to malice as well as ignorance) and a host of other issues that form their overall risk profile and security strategy.
Smaller and medium-sized businesses often lack understanding of the risks being faced, or have a false sense of security that is fueled, in part, by the mistaken belief that their organization is not of interest to cyber criminals. Nothing could be farther from the truth.
Fundamentally, the problem is one of education -- a problem being swept under the table. Both the federal government and private vendors have withheld too much vital cyber security information. In the case of the private sector, the reason for the lack of responsible disclosure is a short-sighted belief that it is bad for business to be honest about risk. As a result, improperly configured products are being sold without sufficient information about the need to reconfigure them for security. For example, when was the last time you bought a cell phone that, by default, prompted you to set a screen lock during setup?
In a recent article at Wired.com (wired.com/threatlevel/2011/03/hayden-cyber/), retired four-star Gen. Michael Hayden advises that the government is classifying too much information about cyber security as “secret.” Hayden, also the former director of the NSA, notes that each of the thousands of apps for smartphones represents a potential vulnerability.
This is where private industry joins the government in avoiding cyber security education. None of the popular app stores warn users of the potential risks associated with downloading and installing unknown applications, even though all of them have had to withdraw applications due to security problems.
The banking industry has been recklessly quiet about the threat of banking trojans, especially to small and medium-sized businesses. Cyber criminals realize that these smaller businesses are the soft targets and significantly easier to penetrate than larger corporations with highly skilled technical staff. The story of a small escrow company in California that lost $400,000 to a banking trojan (net-security.org/malware_news.php?id=1388) has become well known and is not an anomaly.
Why does a website that serves as a referral service to bankruptcy attorneys track data breaches? The reason is that costs associated with data breaches can lead to bankruptcy. A quick look at the archives at totalbankruptcy.com/news/data-breach/archived/2.aspx is enough to realize that small and medium-sized companies are targets of cyber crime and have a real need for concern and proactive action to prevent breaches.
The first step in fixing a problem is admitting that you have a problem. As long as companies bury their heads in the sand and pretend that they have no cyber security risk, the losses due to cybercrime will continue to grow unabated.
Submitted by ESET