This Is No Time to Skimp on Security

Have you been paying attention? Security threats around the world have changed over the past few years. One of the fundamental differences is that the motives for security breaches have multiplied.

Where once they were almost entirely a criminal means of monetary gain, today they are also driven by international tensions, ideological vigilantism and the desire to embarrass organizations and governments -- with individuals, groups and even countries using electronic means as a form of aggression.

Who knows what groups like Anonymous, AntiSec and LulzSec will target next? Who knows what other countries or nationally focused groups might target U.S. interests -- public or private -- using cyber sabotage and warfare techniques, such as those reportedly set in motion by Stuxnet.

Recent examples of companies, organizations and websites that have been hacked include Booz Allen Hamilton, the CIA, Citigroup, Epsilon, Google, Honda, the IMF, Lockheed Martin, NASA's Jet Propulsion Laboratory, NASDAQ, PBS, the Pentagon, RIM's BlackBerry blog, RSA, Sony and the U.S. Senate.

On Aug. 2, security vendor McAfee released a white paper (download PDF) in which threat researcher Dmitri Alperovitch chronicled a hacking campaign dubbed Operation Shady RAT that penetrated 72 organizations in 14 countries over the past five years. Alperovitch wrote: "I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact."

McAfee competitors Kaspersky and Symantec criticized the report for implying that the Shady RAT hackers had done something sophisticated and out of the ordinary. While that suggests that security vendors are more concerned with outdoing one another than with showing how their systems can protect enterprises, no one is disputing that long-term hacking not only exists but is commonplace.

An Aug. 5 Computerworld story by Gregg Keizer ("Shady RAT Hacking Claims Overblown, Say Security Firms") quoted Symantec researcher Hon Lau: "While [the Shady RAT] attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organizations in a similar manner."

Still not convinced that your company is surrounded by a rising tide of security threats? In its May 2011 report on worldwide and U.S. security, IDC said that enterprises "already know that antivirus tools don't work against advanced persistent threats (APTs) and other malicious threats and that they are vulnerable to becoming part of the 70% of organizations that have been breached in some way.... The changing and persistent nature of those with malicious intent makes it very challenging to stay ahead of security threat management."

IT organizations need to rethink their security protections, and especially their assumptions about who and where threats come from and what may be motivating them. Five-year-old assumptions could easily get a company into trouble.

As if all that were not enough to contend with, IT budgets are tight at many companies. Here, then, are two considerations to keep in mind as you head into budget season: First is the question of how much a security breach would cost your company. Second is the fact that seven out of 10 companies have already experienced a security breach.

Scot Finnie is Computerworld's editor in chief. You can contact him at and follow him on Twitter (@ScotFinnie).


Copyright © 2011 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon