h1

Inviting the Criminals In

April 20, 2010

In the dark of the night, the robbers approach the bank with faces concealed and little evidence of how they arrived.  Surprisingly, the men find the bank door opened and the alarms off.  They soon make their way to the ultimate prize – the vault.  Not surprisingly, they find the vault locked and the bandits can make no further progress.  At first, they seemed thwarted but this was the first of many attempts.

Night after night, the bandits return to the bank and find it open with only the vault impeding their progress.  At first, they try to cut their way in, it proves impossible.  Next, they try to tunnel under; again, they are turned back.  Then it happened, a simple stroke of genius came to mind.  They only needed to trick an employee with the combination and the contents of the vault would be theirs.  After all, human nature is much easier to manipulate than a vault door.  Needless to say, after returning through the open bank door, the vault proved no problem with its combination in hand and the bandits made off with its treasures.

Now, no bank leaves its doors open and its alarms off.  Even with the imposing vault, banks deny would-be robbers access to it.  They understand that with access, eventually a criminal will overcome whatever security they find on the inside.  In other words, banks rely on physical separation to further protect themselves from theft.  It is prudent for them to do so.

This is the lesson internet companies must learn.  As obvious as it may seem to the average person, for legitimate business concerns many internet-based companies leave the doors open and alarms off allowing hackers access to their version of a bank vault – a hard drive with sensitive information stored on it.  This is exactly what Google did when their most critical systems were hacked earlier this year in China.  In his April 19, 2010 article[1] in the New York Times, John Markoff describes the attack in detail.  In the end, hackers gained access with trickery after they were past the front door.

As Google is one of the more advanced companies in the world, when it comes to internet technology, it must be assumed that less savvy companies are even more vulnerable to such attacks.  Companies that collect large amounts of data have an absolute responsibility to safeguard it.  It is not enough to simply provide a quasi-vault door in the form of passwords.  Access must also be limited.  Had such a policy been in place at Google, this attack may have never happened.  As it stands now, security is limited in a desire to provide easy access for uses across the globe.  When is comes to safeguarding personal data and sensitive company information, perhaps a better course is less convenience.  For example, if someone wants to download the company’s user database, maybe the request needs to be in writing and approved rather than just happening.  Yes, it will slow things down but that is the one thing criminals do not want, for you to have time to think.

According to the Bureau of Justice Statistics (BJS)[2], over half of the business that participated in one of their surveys reported at least one cybercrime.  While the intent of most cybercrime is not obvious at the time, the results of such crimes cost business and people real money.  Here is a recap from BJS’s website with the 2005 results:

Among 7,818 businesses surveyed:

  • 67% detected at least one cybercrime.
  • Nearly 60% detected one or more types of cyber attack.
  • 11% detected cyber theft.
  • 24% detected other computer security incidents.
  • Most businesses did not report cyber attacks to law enforcement authorities.
  • The majority of victimized businesses (86%) detected multiple incidents, with half of these (43%) detecting 10 or more incidents during the year.
  • Approximately 68% of the victims of cyber theft sustained monetary loss of $10,000 or more .  By comparison, 34% of the businesses detecting cyber attacks and 31% of businesses detecting other computer security incidents lost more than $10,000.
  • System downtime lasted between 1 and 24 hours for half of the businesses and more than 24 hours for a third of businesses detecting cyber attacks or other computer security incidents.

The debate over the necessity for data security is past us.  Rather than try to just stay ahead of clever thieves through programming, the tried and true solution of limiting access must be incorporated into the security plans for businesses.  In addition to locking the vault, we must also lock the front door and prevent access in the first place.


[1] Markoff, John. “Cyberattack on Google Said to Hit Password System.” New York Times. 19 Apr. 2010. Web. 20 Apr. 2010. <http://www.nytimes.com/2010/04/20/technology/20google.html?src=busln&gt;

[2] “Cybercrime.” Bureau of Justice Statistics (BJS). Web. 20 Apr. 2010. <http://bjs.ojp.usdoj.gov/index.cfm?ty=tp&tid=41&gt;

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: